
If there is one meme that needs to be squelched, it is the concept of the "disappearing perimeter". Thanks to the Jericho Forum, which promulgates this false idea, many CIOs are going to make bad security investment decisions.
This quote from an industry analyst sums up today's confusion:
“The paradigm of having a big red circle where everything inside is good and everything outside is bad is over,” says Nick Selby, research director of The 451 Group's enterprise security practice. “Where's the circle? Where's the perimeter?”
It seems like no one can talk about security without evoking walls and moats or a big red circle to describe the concept of a network perimeter. Of course networks are more complicated than that. I like to think of the perimeter as the boundaries around a country. Countries have to allow people, goods, services, communications, airplanes, money, air and water across their perimeter. No one talks about countries abandoning their perimeters because they are porous or hard to define. Many countries extend their domain into other countries. Ever get on a plane to the US from Toronto? You cross into the US at the airport. Embassies, consulates, military bases, sometimes even diplomatic personnel are extensions of a country's perimeter; and they are defensible.
If you take fractals 101 (well, usually it is 501 in graduate school), you are introduced to the UK border problem. How do you measure the perimeter of an island? It depends on the scale of the measuring tool. Using a map will give you a different number than a tape measure or a yard stick (the UK likes to think it has gone metric, but everyone there still knows what a yard is). At the scale of a grain of sand, how do you even determine where the perimeter is? Perimeters of islands, clouds, and broccoli are all fractals. They have the property that the closer you look at them, the more complicated they get.
Networks are fractals. On a large scale they are represented by simple assumptions: outside and inside, the Internet versus the corporate network. As you get more granular you see the remote offices, home users, and mobile devices. You even get granular differences based on protocol: Skype, yes; BitTorrent, no.
Yes it is complicated. Yes it is difficult to protect. But it is your network, your assets, your business. You have to protect the network so you have to defend your perimeter. You cannot invest the type of money it would take to protect every end point, application, database, and user from every attack. It is a costly mistake to buy into deperimeterization.
Your network is yours. Find it. Define it. Protect it.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.
Great topic - let's explore it a bit more thoroughly
Richard,
I think we agree more than you assert, and that my comment was taken out of context. I'm not saying that the fact that network architectures have evolved means that there is no perimeter. Instead I aver that since they have evolved so fully, people cannot assume a level of safety based on the quaint concept of "I'm inside the circle and therefore no one can do mean things to me."
The analogy you raise of national borders is nice. Let's take it a bit further and treat a given machine in a manner analogous to the way the Secret Service treats a protectee - create a buffer zone around them, then monitor with great vigilance and intense distrust everyone within the buffer as well. That is, create a perimeter, but assume in all your planning and actions that it is capable only of stopping the least competent, most obvious threats. That isn't the same as the attitude of many in IT security, who treat their "perimeter" as the Swiss Alps - when it's really more like a sign on the road between Belgium and The Netherlands. If you assume that "everything inside is good, and everything outside is bad" you make so many fundamental mistakes that you're doomed to failure.
I do not by any means advocate the abandonment of firewalls. Rather I espouse a re-imagination of identity and access management, of expectations of security based on physical proximity to a given asset or of "location" "within" a "perimeter".
All that sounds exactly like what you're suggesting. I don't believe a network is a circular object, I believe that the simplified schematic representation of a firewalled network has permeated the thinking of network architects to treat a network as if it's a circle. Call it a circle or a fractal or a parallelogram, but my point is that architects have to stop thinking that their kit is safe just because it is "in" a certain "place". And I think it's much more accurate to refer to this re-imagination not as "deperimeterization" but rather, "reperimeterization".
Totally in accord, Nick
Thanks for the clarification, Nick. Yes, we agree completely. It seems like there is a war between network and end point people that should not even exist. Security has to permeate everything from the network to the data to the users.
-Stiennon