The World Is Your Perimeter
The castle-and-moat era of information security is over: Now it's described as woven cloth, submarines, onions and Snickers bars. How will CISOs translate nutty metaphors into secure worldwide systems?
By Christopher Lindquist
February 01, 2004 — CSO — CISOs have spent the past few years perfecting the art of digging moats around the corporate castle. Now, as they lift their heads out of the trenches, they find themselves living in the age of bomber planes and guided missiles.
The problems with perimeter-based security are neither new nor unclear. Corporate information systems increasingly rely on tools and processes that exist outside the protective embrace of the traditional firewall. Wireless, mobile, remote and ad hoc are the watchwords of today's business, with employees, partners and customers often using two or three different devices—ranging from laptops to cell phones to kiosks at the local Internet cafe—to connect to corporate data. And the demand for additional network-reachable resources can force companies to punch more holes in their once reasonably secure perimeters.
There's no indication that this trend is going to reverse itself. But what defensive model comes next for information security if the perimeter goes away? That question has been the subject of lots of creative speculation. Attend any conference keynote and you'll likely hear the castle-and-moat metaphor replaced by a litany of other images: cloth weaving, germs and cells, submarine warfare, peanut butter sandwiches, onions, oil and water, and even Snickers bars.
Those metaphors are useful, though they serve only as a starting point for discussion in what has become a very complex information security world. If CISOs are to keep up with the rising tide of threats—from zero-day code exploits to fraudulent insider hijinks—the conversation has to turn to specific, concrete ways to build abstract concepts such as flexibility, agility, responsiveness, redundancy and diversity into the infosec defense model.
Think Before (Re)Acting
The fundamental first step in reworking information security is to clear your to-do list and make room for architectural and strategic rethinking. Experts say the rate of technological and regulatory change makes that rethinking tougher than it sounds, but today's disappearing perimeter makes a little think time crucial.
"So many of our security practices assume we have one static and controllable security architecture," says Richard Baskerville, chairman of the CIS Department at Georgia State University. "[But] your boundary is now logical; it's no longer a physical perimeter," he adds. "And that sucker can snake out all over the place." Particularly in a world where Web services will begin connecting networks autonomously, "CSOs will soon need agile practices to manage many interconnected and changing security architectures simultaneously," says Baskerville. "It's more like managing security threads woven together into a fabric. Each thread must be strong, and the fabric weave must be also. The security manager is constantly reweaving new threads. [For instance,] a policy review might occur on the fly as part of a security response to a network reconfiguration. Similarly, a security architecture review may be rapidly required to certify a new [virtual private network] connection to a trading partner."