Security

There is no perimeter, kinda

At Interop Las Vegas, IBM/ISS security strategist Joshua Corman explained seven "dirty secrets" of the security industry. One of his points was the newly common refrain, "There is no perimeter." What exactly does that mean?

It's a buzzword

Technically, I guess it's a buzzphrase. The point is that the phrase "there is no perimeter" has gained some traction lately. It's a very popular thing to say in certain circles. It makes you sound cutting-edge and knowledgeable. That's the great thing about these postmodern-sounding declarations that everybody accepts as a simple fact of reality even though they don't even exist -- they always make you sound cutting-edge and knowledgeable.

Unfortunately, it's wrong. There is still a perimeter. For the foreseeable future, there will always be a perimeter. The argument that fifty percent of security breaches "don't go through the firewall" is a bit of handwaving and misdirection, really. What about the other fifty percent? How accurate are these statistics, anyway?

A more reasonable interpretation of such statistics -- assuming for the moment they're even credible -- is that the advancement in the state of the art of perimeter security has ensured it is no longer the low-hanging fruit for malicious security crackers. Perimeter breaches for targeted data theft are no longer as easy as they once were. Everyone uses firewalls now, and almost everyone uses network address translation, proxies, and other common perimeter security measures. If you want access to critical data from a specific network, sometimes it's just easier to go around the network perimeter than to get through it.

That's not because there's no value to perimeter security. It's just because perimeter security has made it more difficult to breach the perimeter than to find a way to avoid it when you need to target something specific.

Don't neglect your perimeter security. You need it, not only to make things more difficult for the malicious security cracker who has decided to target you for what you have, but also to protect you from automated, opportunistic attacks, mobile replicating malware, and similar threats that don't much care who they're targeting, as long as the targets can be breached.

It's a wake-up call

The truth of the matter is that a secure perimeter isn't the be-all and end-all of security. It's important, but it's not all that's important. Some of the people throwing about buzzwordy pronouncements like "there is no perimeter" just want to use buzzwordy pronouncements that make them sound cutting-edge and knowledgeable. Others, however, are trying to make an important point:

When you're working on security, you can't stop with the network perimeter.

There are at least a couple of things you need to think about protecting when you start implementing security measures. One is your information technology resources; you don't want someone gaining unauthorized access to those resources and misusing them to send spam, host FTP archives of illicit data, or attack other networks. Another, however, is information. Information doesn't color inside the lines. It crosses the perimeter all the time, and a breach in information security outside the perimeter can be just as devastating as one inside the perimeter.

Remember that to a significant degree security has to follow your data, and your data doesn't stay at home. Every time you send an e-mail, visit a Web page, or let someone from outside access a resource on your network (such as by visiting your Web server), you may be sharing information outside your perimeter that needs to be secured.

Furthermore, physical security is something that must be considered in addition to your network perimeter. What data leaves your immediate area of control on USB flash drives, laptops, optical media such as a CD-R, and by other physical means? What can you do to ensure this doesn't become a security disaster?

These are the sorts of considerations you need to keep in mind when people say there is no perimeter.

It's badly phrased

The problem, of course, is that there *is* a perimeter, and it's still important. Claiming there is no perimeter at all is a great way to confuse people and cause them to make incredibly bad decisions about security in the future. A more accurate statement would be that the perimeter is not as clearly defined as it once was. There are other ways to say it: The perimeter follows the data. There's more than one perimeter now. The perimeter, like the network, is distributed.

These different ways to phrase things may not give the listener as clear an impression of what's going on as simply saying "there is no perimeter," but that's a feature, not a bug -- because what's really happening isn't actually clear at all. Giving people a clear impression about the complexities facing information technology security is giving them a false impression. Alternatives like "the perimeter follows the data" don't really explain much, but they give you a starting point, a perspective from which to think about what's really going on.

It's not a solution. There is no solution, yet, and there may never be. The reason "there is no perimeter" is so badly phrased is that it assumes a simple solution of some sort. To misquote an old platitude, security isn't a destination: it's a journey.

It's not the answer

The reason the phrase "there is no perimeter" is so popular, I think, is that people like to be told pithy things that make it sound like there's an easy answer. The underlying assumption is that the guy saying "there is no perimeter" knows the answer, and maybe you should hire him to make sure he can give you that answer. The moment you think there's a single, final answer, though, you've already lost the battle for security.

If there's an answer at all, it's this:

Security is a state of mind, not a solution.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

11 comments
Jaqui

after all with vpn and all the other ways people are getting into the company network from out of the office or country, the concept of a perimeter is misleading. It leads you to think that you can have walls to protect, when in reality you need active patrols to protect.

JosB

The Jericho Forum has been working for a long time now on how to solve the ongoing "de-perimeterization" that has been going on for a long time now. So something has happened and business should at least pay attention to it. But using the phrase out of context is stupid, perimeters exist and should be taken care of.

flez

My experience in Defence Security shows the Vital Need for an Integrated Approach where sensitive information is concerned, both within and outside the "safety" of the Organisation. I recommend IT Security should be an integrated mixture of Electronic, Physical and Personnel Security with supporting administrative & electronic systems.

eg imagine a Fire Base in the boonies, deep in enemy territory and sending out and receiving incoming movements of personnel, logistic supplies and Intel. There is One Perimeter but it is somewhat convoluted, and represents just one facet of the whole Security Matrix. Viz:-

1. THE WIRE PERIMETER
Look at it as an "on the ground" wire perimeter, sown with various "mines" or detection apparatus, such as ...
1) Firewalls, Anti-Virus programs etc, all set to detect/block/destroy unauthorised entry.
2) Detection also requires effective RESPONSE.
3) VOIP telephony routed via Central IT System
4) All Sensitive Docs in/out via Electronic Transfer

2. THE PHYSICAL PERIMETER
There are several issues that arise here...
1) Personnel - First Line Security Clearance - background checks, previous record of breaches, security awareness, attitude to security,
2) Security training & ongoing reinforcement
3) Supervision of Personnel "on job"
4) Sharing Sensitive Information on "Need to Know Basis" ONLY - develop Information Cells
5) Security should be integrated throughout whole Org. IT Security and Physical Security work as one unit

3. OVERHEAD SECURITY
1) All levels of management, right up to Board Level must be Security Audited. Most leaks come from mid to upper levels of Management
2) Independent Security Audits mandatory

3. BEYOND the PERIMETER
1) There are bona-fide secure entry/exit points for legitimate INTELLECTUAL property.
2) These assets must carry their own protection. They are protected within the boundaries of the "in-house" or "base" security perimeter, but must be able to defend themselves once beyond that "border."
3) They should be traceable at all times outside the perimeter

4. WHEN A BREACH OCCURS
Systems must be in place on how to deal with the following...
1) Electronic responses
2) Physical responses
3) Administrative responses
4) Legal & Statutory responses

Hey, I am sure you guys can think of far more to add - just a quick overview for your perusal.

Flez

rrichardson

Seems to me that the notion that the perimeter won't cut it anymore has been around for at least three or four years now and is generally accepted by most security practitioners. What's still an open question is what improves our security in a "post-perimeter" world. My take is that it's a combination of architectural approaches... my shorthand version of this is in a recent blog post.

Robert Richardson
Director, CSI

youzer

If people are using this "buzz-phrase" out of context, then you're bound to have misunderstandings.

Michael Kassner

I follow two important axioms in my professional life:

1. Follow the money
2. Follow the data

Great post Chad.

Tony Hopkinson

past me capturing my attention. I said "bollocks", but I understood what they were trying to say. I put it down to Gartner speak to be quite honest. I wish security was a state in many more minds.....

apotheon

Does the concept of a security perimeter need to be redefined, or just replaced?

edmofilho

It's an interesting discussion and I completely agree that in the majority of situations security (unfortunately) follows the money before following the data. Security should not be seen as a technology matter and, otherwise, to be effective it should be an integral part of corporate governance, or better, corporations should work on a Security Governance. Following this strategy the perimeter would be the whole corporation and its business.

seanferd

"Microsoft is winning the NAC war, expert Joel Snyder of Opus One says" - Network World

And I wonder what you fellows think of this. It isn't as Microsoft-y as it sounds from the title.

santeewelding

To hear you say it, security being a state of mind, its perimeter needing to be redefined, sounds like self-actualization, or something. Could also be I'm in the wrong thread.