INTEREST: Security "deperimeterization", Security's disorderly mess

Turning IT security on its head
Robert Vamosi, Senior Editor, Reviews
Friday, October 1
For years, corporate IT departments have been told to protect the perimeter of corporate networks with layered defenses, including firewalls. But new technologies such as instant messaging and virtual private networks have poked holes in the perimeter. So, perhaps this thinking is outmoded; maybe we no longer need perimeter security. Speaking at this year's Black Hat Briefings in Las Vegas, Paul Simmonds, Global Information Security Director (CISO) for Jericho Forum/ICI, declared that deperimeterization is the decade's next security challenge, if not the next security buzzword. I happen to think he's onto something, though the changes might not work as he proposes.
Are we protecting the data? For example, Simmonds talked about the money-hauling industry (think Brinks armored trucks). What are they trying to secure? Money. How do they do it? They purchase armored trucks, true, but they also design security into the containers used for conveying the money: the containers explode if the money is stolen.
In businesses today, we want to secure the data, yet we're locking down entire companies instead. Given that the nature of business has changed in the last few years, this model is outdated. The workforce now includes more temporary employees. We have more services designed to work around the traditional hardened perimeter, such as VoIP, IM, and VPN. And let's not forget that the hard-shell, soft-nugget strategy of corporate IT security has been successfully violated.
Living in a post-MSBlast world
In recent years, companies have spent millions on their perimeter security and very little on individual desktop security. Last year's MSBlast successfully exploited this flaw, requiring just one infected laptop to cripple entire companies. Yet, companies had to let that one infected laptop into the network because workers are increasingly mobile, working on the road or from home. Companies also allow port 25 e-mail traffic, so there's still the risk of e-mail infections through that chink. And companies have to allow port 80 Internet traffic as well, laying them open to the threat of infected Web pages.
...complete article at: http://reviews-zdnet.com.com/4520-7297_16-5534252-1.html?tag=nl.e540-2
================================
...from: http://news.zdnet.com/2100-9595_22-5305167.html

Security's disorderly mess
By Jon Oltsik, Special to ZDNet
August 11, 2004, 5:02 AM PT
[...] Imagine a security perimeter composed of a Cisco PIX firewall, McAfee antivirus software, Websense content filtering, a Blue Coat Systems proxy server and an Internet Security Systems intrusion detection system--along with the accompanying 5 different servers, associated costs and sundry operational challenges.
Since failure on any one of these boxes can halt network traffic, security systems often get purchased and configured in redundant pairs. The whole security ensemble is often accompanied by load-balancing switches from Cisco Systems, Nortel Networks and F5 Networks that divvy up the work across all of the security systems to ensure maximum performance.
See what I mean about complexity? One security professional summed up his frustration this way: "Our perimeter security is difficult to manage, expensive to run and impossible to troubleshoot!"
As if security costs and operations weren't bad enough, today's perimeter mess results in a few other big problems. Ironically, security complexity actually introduces security issues. With so many boxes to manage, the chances of a vulnerable or incorrectly configured system, and with it the potential for security holes, increase dramatically.
Finally, security complications restrict business flexibility. Firms want to open up their networks to customers, business partners and suppliers to increase revenue opportunities and productivity. I'd hate to be the security guy who has to tell the CEO that the company can't accommodate the new business initiative because of some security configuration issue. Security just can't be about boxes; it has to be regarded as a business service.
[...]