In Depth

The Deperimeter Problem

Yes, the castle-and-moat model has lots of shortcomings, but the concept of "deperimeterization" is a long, long way off

By Simson Garfinkel

Page 2

The Battle of Jericho

One user organization, the Jericho Forum, is taking this idea a step further, with a process that the forum calls "deperimeterization." The basic idea of deperimeterization is that organizations should face the fact that the perimeter is dead and develop a fundamentally new security model based on mutual authentication and strong cryptography. The Jericho Forum (whose members include big companies such as Barclays, Boeing, HSBC and Rolls-Royce) argues that the way to achieve this future is through careful design of a new security infrastructure that guarantees interoperability and openness. Jericho is calling for companies to bring down their outside walls and rely on defenses built into hosts, applications and the data itself.

Deperimeterization certainly seems sensible in a company such as Boeing; a perimeter-oriented defense makes little sense when you have more than 150,000 employees inside the firewall. Sure, you can have a firewall within the firewall to protect the really good stuff (to segregate the accounting department from the machinists, for example), but where does one stop? Jericho's argument is that it makes sense to build firewalls as small as possible: for example, one firewall for each computer.

This vision of a network is, in fact, the environment that I enjoyed at MIT, an enterprise that has tens of thousands of computers interoperating securely without a general perimeter defense. At MIT the network is assumed to be inherently hostile. The result is that the systems there are battle-hardened against all attackers, internal and external. (Instead of making users reauthenticate every time they log in to a different service, the MIT network uses Kerberos as a single sign-on system; workstation users have to reauthenticate only once every 10 hours.)

But aside from its catchy name and its big goals, does deperimeterization make sense from either a security or financial or even a historical point of view?

Yes, for all their benefits, good perimeter defenses are psychologically dangerous. They lull organizations into a false sense of security. But according to the 2005 "CSI/FBI Computer Crime and Security Survey," attacks by insiders accounted for less than 7 percent of the respondents' dollar losses to computer crime. What's more, the survey's authors write, "the data do suggest that respondents detect events perpetrated by insiders about as often as by outsiders, casting some doubt on the claims one often reads that the vast majority of crimes are committed by insiders."

In other words, even though strong perimeter defenses might cause organizations to lower their vigilance inside their walls, on the whole a perimeter seems to do significantly more good than bad. What today's organizations really need is a way to evaluate the effectiveness of their perimeter defenses so they can make rational decisions about where else, in addition to their perimeter, they ought to be spending their security dollars.

The big holes in today's perimeters come from business decisions: When two companies form a partnership, one of the first things they do is open holes in their respective firewalls so that their corporate systems can interact more closely. These holes can outlast not only the original partnership but frequently the companies as well! After a corporate acquisition or two, hardly anybody knows which holes in the firewall are the ghosts of long-dead relationships and which are still essential because of ongoing business ventures. The same is often true of active VPN circuits and even dedicated leased lines. People just keep paying the bills, for fear that tearing down a connection might break something important. One company that's managed to profit from this confusion is network mapper Lumeta, which has developed a powerful system that experimentally determines the connectivity between and within enterprise networks. Lumeta's maps frequently turn up hidden pathways between supposedly well-guarded enterprise networks and the rest of the Internet.
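A small audit of the kind this paragraph calls for, added here as an example (it is not from the article, nor Lumeta's product): it takes a list of perimeter allow-rules annotated with the partner each hole was opened for and the date the rule last matched traffic, and flags holes whose relationship has ended ("ghosts") or that carry no traffic. The rule record, the partner list, the names and the dates are all constructed assumptions; a real firewall export would need its own parser.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

@dataclass
class AllowRule:
    name: str                 # label as it appears in the firewall config
    src_cidr: str             # external network the hole admits
    partner: str              # relationship the hole was opened for
    last_hit: Optional[date]  # last time the rule matched traffic; None = never

def classify(rule: AllowRule, active_partners: Iterable[str], today: date,
             idle_days: int = 90) -> Tuple[str, str]:
    """Return (verdict, reason) for one allow-rule.
    ghost  - the relationship it was opened for no longer exists
    idle   - relationship current, but nothing has used the hole lately
    active - relationship current and the hole is in use"""
    recently_used = (rule.last_hit is not None
                     and (today - rule.last_hit).days <= idle_days)
    if rule.partner not in active_partners:
        if recently_used:
            # Something is still using a hole nobody owns: investigate, don't just close it.
            return "ghost", "relationship ended but rule is still passing traffic"
        return "ghost", "relationship ended and rule never or no longer matches"
    if not recently_used:
        return "idle", f"no matching traffic in the last {idle_days} days"
    return "active", "relationship current and rule in use"

def audit(rules: Iterable[AllowRule], active_partners: Iterable[str], today: date,
          idle_days: int = 90) -> Dict[str, Tuple[str, str]]:
    """Map each rule name to its (verdict, reason)."""
    active = set(active_partners)
    return {r.name: classify(r, active, today, idle_days) for r in rules}

# Constructed sample data (RFC 5737 documentation ranges; partner names invented).
TODAY = date(2006, 1, 1)
ACTIVE_PARTNERS = {"acme-logistics", "northwind-bank"}
SAMPLE_RULES = [
    AllowRule("allow-acme-sftp", "203.0.113.0/24", "acme-logistics", date(2005, 12, 29)),
    AllowRule("allow-northwind-api", "198.51.100.8/29", "northwind-bank", date(2005, 6, 1)),
    AllowRule("allow-globex-edi", "192.0.2.0/24", "globex", date(2005, 12, 20)),
    AllowRule("allow-initech-vpn", "192.0.2.128/25", "initech", None),
]

if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_RULES, ACTIVE_PARTNERS, TODAY).items():
        print(f"{name:22s} {verdict:7s} {reason}")
```

The ghost rule that is still passing traffic is the case worth the most attention: it is exactly the hidden pathway nobody owns, and it should be traced to its current user before it is closed.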
