OT: Enterprise needs security from the edge to the center
By Richard Moulds
It's clear from recent events that organizations that rely primarily on a secure perimeter to protect sensitive data are fooling themselves. This year, it seems hardly a week has passed without headlines about a high-profile security breach involving sensitive data.
However criminals obtain the sensitive data, whether through a traditional perimeter breach, the use of insider credentials or the outright theft of physical storage media, the lesson is the same. Organizations can no longer regard everything inside the traditional perimeter (people, machines, networks) as "trusted," requiring only a "soft" approach security that consists primarily of procedural controls and weakly enforced permissions.
It's an "M&M" approach to IT security: Once criminals penetrate the hard shell that protects the network from the wholly untrustworthy public Internet, they can easily devour the data within the soft center. Indeed, they often don't need to penetrate the perimeter at all, but can instead simply go around it by stealing unencrypted back-up tapes, for instance, out of the back of a cargo van.
Not only are attackers constantly blowing open security cracks in perimeter security, but enterprises themselves are also willingly, and often unwittingly, contributing to the perimeter's disintegration.
For example, virtual private networks frequently tunnel through the perimeter, which often provides all or nothing access to network resources. Web services, which are starting to finally fulfill the early hype, have as their goal interconnecting business processes and often reach into the core of an enterprise network. Factor in the mass of mobile devices, wireless networks, portable media storage and offsite data archival, and it's not outlandish to suggest that there really isn't a perimeter at all.
Instead, enterprises need a "jawbreaker" model in which the network is "hard" all the way through to the center.
Drivers for the jawbreaker
Unfortunately, the traditional perimeterized model doesn't just fail to provide adequate security. It is also far too expensive and inefficient to deploy, given today's far-flung workforce. Enterprises have to manage an exploding number of network connections for employees working at home, traveling employees and remote offices, not to mention the connections they've built to the networks of partners, outsourcers and customers.
Enterprises must have a unified management approach to the identities of users, their rights and roles, and ultimately the enforcement of those rights. The search for a unified approach has led many security experts to believe that, in the near future, security will be deperimeterized.
In a deperimeterized world, every user is "remote," whether they're on the corporate campus or in a coffeehouse halfway around the world. Instead of building a perimeter around a network, in a deperimeterized architecture there's a virtual perimeter around every user or internal system that establishes "islands" of trust that securely exchange information.
The Jericho Forum (opengroup.org/jericho), a security organization recently founded by corporate CIOs, is taking a stab at defining the requirements for both the short-term and long-term transition to a deperimeterized world, a unified world with an inherently less expensive, more consistent approach to identification, authentication and authorization. By and large, their vision doesn't require the development of brand-new, whiz-bang technologies, but rather strings together existing technologies into a unified whole.
The Jericho Forum's vision is no pipe dream. It's already underway. Computer manufacturers like Dell, Hewlett-Packard, IBM and Fujitsu have all incorporated trusted platform module (TPM) technology as standard features in their enterprise-class laptops, which enables users to securely lock away in hardware the secret digital keys that are the lynchpin of encrypted communications. These keys allow users to securely encrypt and decrypt information with their laptop, and gives administrators the ability to verify not only that a user is safe, but also that the user's machine is safe.
For its part, Dell has gone a step further, also incorporating smart-card technology into its laptops, which enables network administrators to assign a digital identity to each user instead of relying on notoriously insecure usernames and passwords.
Pervasive encryption
So, a world in which every user is a secure "island" raises important questions.
How will one know who is actually "on" each island?
The foundation of a deperimeterized security architecture is knowing whether users and their machines are who and what they should be. Enterprises will have to use strong methods of authentication such as smart cards, USB tokens and ultimately biometrics to validate users and embedded digital identities to recognize devices such as laptops, phones and maybe even peripherals.
How will these islands communicate securely with one another?
At the end of the day, the only sure way to enforce confidentiality is though the use of encryption. No enterprise in its right mind would ever send sensitive data across the Internet without encrypting it first. That mindset is now starting to be applied to all networks. There are well established means for securing data as it travels "outside" the traditional perimeter, means that can be re-applied in a deperimeterized world. SSL, virtual private networks and web services will all be used to link up the islands protecting data "inside" as it moves between cubicles or campuses.
What's the plan?
How will enterprises protect sensitive data and the processes that use them once they've arrived on the islands?
It's already the reality that pockets of stored data are everywhere and that much of this data is sensitive in nature. In a deperimeterized world, the situation is probably going to get worse. There is a "data at rest" problem that goes well beyond back-up tapes.
There will be a need for the islands to be responsible for protecting the data on the island - whether the data is stored within a database, file system, tape drive or on a laptop hard-drive. In some cases, tightly integrated access controls may suffice but, once again, encryption will often be used to provide a last line of defense. If all else fails, a thief's efforts will be in vain --w they may have access to data, but because it is encrypted, they won't see anything except gobbledygook.
Clearly, encryption plays a pivotal role in a deperimeterized security environment.
"If data is to be portable outside existing protected containers and security domains," the Jericho Forum's February Vision document said, "organizations must deploy encryption capabilities. Data security then becomes dependent on the security of keys and the devices or mechanisms that manipulate them."
But as encryption penetrates deeper into enterprise operations, enterprises will need to deploy new systems to manage in a cost effective way the exploding number of private keys upon which pervasive cryptographic security would depend. Central to these systems will be the need to recover lost data and provide effective mechanism to create a separation of duties.
It's a big challenge, but once deperimeterization becomes a reality, the payoff will be enormous. Not only will the confidence-sapping headlines about security breaches disappear, but enterprises will be able to efficiently and securely expand their networks to include remote employees, new branches, partners, customers and outsourcers.
It's only a matter of time before the walls fall down. The question is whether there will be systems and policies available that can raise the security bar sufficiently to cope. Life in a deperimeterized world might well be a very liberating experience and should certainly be less costly in the long run.
The security industry still has plenty of work to do. What seems clear is that the use of cryptography will become more widespread, often under the covers, but nonetheless a fundamental component behind strong authentication and enterprise wide data protection.
As nCipher's vice president of marketing, Richard Moulds leads the company's worldwide marketing team. Moulds joined nCipher in early 2000 with more than 14 years of technology marketing and business development experience. Moulds holds a bachelor's degree in electrical engineering from Birmingham University and an MBA from Warwick University in the United Kingdom. He can be contacted at www.nCipher.com.
Market Data 
Markets 
AI
