In Depth
The World Is Your Perimeter
The castle-and-moat era of information security is over: Now it's described as woven cloth, submarines, onions and Snickers bars. How will CISOs translate nutty metaphors into secure worldwide systems?
By Christopher Lindquist
It's an intriguing idea, but one that Rider confesses needs more investigation. Patching, for instance, becomes a much more complicated issue if every executable on the planet is slightly different.
Reality Check, Please
All these technologies and ideas sound intriguing in theory, of course, but James Christiansen, CISO at credit and financial service provider Experian, says it is critical that researchers and vendors not miss the point. Such esoteric solutions may solve only 1 percent of the problem, when the real issue isn't disguising application signatures but something more mundane: a contractor downloads data to a laptop, only to have the whole thing stolen (as happened to Wells Fargo).
"Let's walk before we run. Let's look at the big things first," says Christiansen, who has done a fair bit of thinking and writing on the subject of what he calls resilient security. At his previous post as CISO at General Motors, Christiansen managed information security needs across GM's diverse units, which include manufacturing and financial businesses spread across the globe.
To Christiansen, the perimeter model is incomplete but not useless. "If I could put a lock on individual bits, that would be ideal, but that's unreasonable," he says. Christiansen believes the right infosecurity model should look more like a Snickers bar, with a thin outer layer surrounding both insecure goo and hardened nuts. "We've gone from a single perimeter to multiple internal perimeters," he says. "Moving security closer to the information you're trying to protect is how you win the game."
Other experts concur that perimeter security—in some form—may always have a place in the CISO's mind. "Physical barriers to communication continue to dissolve, but managers are responsible for protecting information that they either own or for which they have custodial responsibility," notes Bentley College's Ray. "While an increasing amount of information is shared outside corporate perimeters, the most valuable information is still maintained internally for most companies—budgets, software and product designs, information about competitive business processes, and so on. Perimeter defense plays an important role in protecting this information."
Yet while the term may never go away completely, there's no denying that the idea of the perimeter must change—and soon—if organizations are to have any hope of staying ahead of the threats. "The perimeter is the world," says IBM's Palmer. "That's what's driving CSOs insane."



