Security

Is perimeter security dead and is protecting the data all that matters?

The traditional security model in IT has been to build a big wall around the corporate network to keep intruders out and to let the people on the inside have privileged access. That model is breaking down because networks are losing their borders, as TechRepublic's Jason Hiner explains.

The primary method of corporate computer security over the past three decades has been focused around the network. It's been about allowing those inside the network to have privileged access to corporate resources and building impenetrable walls to keep outsiders out. Unfortunately, this model is rapidly losing its effectiveness because the borders of networks are becoming much more fluid and dynamic with the advent of VPN, Webmail, push e-mail on smartphones, telecommuters, and a geographically dispersed and mobile workforce.

So far in 2007, I've had two highly respected IT security experts try to disabuse me of the notion that network security is even relevant any more. The first was Kris Lamb, Director of X-Force at IBM Internet Security Systems, who brought this up at Interop Las Vegas in May. The other was John Pironti, Chief Information Risk Strategist for Getronics, who told me the same thing when I spoke with him at the Enterprise 2.0 Conference in Boston in June.

"The network boundaries are dissolving." -- Kris Lamb

Lamb said, "The network boundaries are dissolving. There isn't a clear distinction between safe and untrusted zones." He also added that "It's the illusion of these categories, trusted/untrusted, safe/unsafe" that is leading a lot of companies to a false sense that their IT assets are secure.

Similarly, Pironti said, "The perimeter dissolved a long time ago... There was a false sense of protection. When you take a data-focused approach instead of a technology-focused approach, you realize that as soon as we connected data and interconnected computers via the Internet, the perimeter failed... The day I brought my data outside the mainframe, four walls, and the LAN was the day I lost my perimeter."

These two security gurus are not in contact, so far as I know. I spoke to one in the Southwestern United States one month and the other in the Northeast the next month. They both gave me roughly the same message: Perimeter security simply doesn't cut it anymore.

John Pironti giving a presentation on security at the Enterprise 2.0 Conference in Boston in June 2007

Sanity check

So if traditional perimeter security will no longer work, where does that leave us? Lamb and Pironti both pointed in the same direction: data security.

Pironti said, "Let's define the new perimeter by thinking about how our data can be impacted, not how our technology can be impacted. That is the biggest challenge. Security professionals still run to the box. It's still too easy to [just] buy the box... The perimeter is wherever the data is. The perimeter follows the data."

"The perimeter is wherever the data is." -- John Pironti

Lamb said, "Data security is a solution that people need to be thinking about... Data is becoming the delivery mechanism of a lot of the real nasty threats that are out there. You're seeing trusted file formats [DOC, PPT, PDF] used as ways to embed malware and exploits."

So what's the difference between perimeter security and data security? Pironti contrasted it as the difference between building a big castle with a moat around it versus building really strong body armor for the knights you send out onto the open battlefield.

But the approach to data security is also about much more than just using different tools to protect smaller targets. There's also a philosophical and cultural shift as well. "The most important thing that we think people should do is to do a threat vulnerability analysis," Pironti said. "Let's look at your data and your business processes, and not [just] your technology. Let's look at your information infrastructure, which is all of the people, processes, and technology associated with information and data. Now, start looking at that and saying, 'What are the possibilities in how that data could be compromised? What is the likelihood of that happening and what is the [potential] business impact?' So you describe all the scenarios and lay out all the possibilities... Once I understand what can happen to me ... then I can start talking about what is my vulnerability management plan... What I am going to put in place that will still enable the business to function but protect it from these potential high-threat, high-likelihood situations? That is a process-oriented, business-oriented approach to information security that hasn't existed in many organizations. It still doesn't today because it's too easy to [just buy] the box."

There was one other area where I got a similar message from both Lamb and Pironti. They both believe that the stakes are higher than ever because many hackers have changed from hobbyists to professionals and because hacking has gotten easier because of the amount of information that is readily available about people, organizations, and systems via the Internet.

"The hacker community is migrating from a notoriety-driven to an organized, profit-driven underground," said Lamb. "They are really playing on Web 2.0 and the democratization of content and using that as a way to bring their attack to the user."

Pironti remarked, "The attack community has changed from a very public and well known way of telling people what they did by putting out a [message] letting everyone see how special they are, to a very professional and targeted scenario."

Many hackers have gone professional by teaming up with organized crime and are now breaking into systems and stealing data for the purposes of blackmail, extortion, and money laundering.

"Google is the ultimate hacking tool." -- John Pironti

The bad news is that it is easier than ever to do because of the Web. Pironti explained, "Google is the ultimate hacking tool. By far, it is the most effective hacking tool that exists today. Google tells you everything that you want to know about an organization. It tells you everything you want to know about how to attack and compromise different systems... The level of information that exists today has really changed the dynamic."

The fact that I got such similar information from two different security experts who focus on different aspects of the industry -- and the fact that so much of it rings true -- prompted me to bring this to the attention of IT pros. I know plenty of organizations that do a nice job of perimeter security but don't even bother to strictly enforce the use of permissions on file shares, or to fight USB flash drives that can carry unencrypted, unsecured company data. The TJX security breach is an example of what can happen when the IT department gets careless.

I'd recommend that all IT departments consider the kind of threat vulnerability analysis Pironti explained. And, at the very least, start thinking more seriously and holistically about file permissions and data encryption. That way, even intruders who get past perimeter security will have a difficult time doing much damage or stealing any valuable digital assets.
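One way to act on the file-permission half of that recommendation, as an added example that is not part of the original article: the Python script below walks a directory tree, flags files whose contents look like U.S. Social Security numbers or payment-card numbers (card candidates must pass the Luhn check, which removes most random digit runs), and reports who can read each one from its POSIX permission bits. This is the inventory a data-centric plan starts from: where the valuable data actually sits and how far past the perimeter it is already exposed. The sample tree that demo() builds, and the records in it, are constructed for this example.

```python
"""Data-centric audit: find sensitive files and check who can read them.

Added example, not code from the article. Walks a directory tree, flags
files whose contents match U.S. SSN or payment-card patterns (card
candidates must pass the Luhn check), and reports each file's exposure
from its POSIX permission bits.
"""
import os
import re
import stat
import tempfile

# Loose patterns on purpose: the Luhn check below does the filtering for cards.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13 to 16 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the kinds of sensitive data found in text ('ssn', 'card')."""
    kinds = set()
    if SSN_RE.search(text):
        kinds.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            kinds.add("card")
            break
    return kinds


def exposure(mode: int) -> str:
    """Describe who can read a file from its st_mode bits."""
    if mode & stat.S_IROTH:
        return "world-readable"
    if mode & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"


def audit(root: str) -> list:
    """List every file under root that holds sensitive data, with its exposure."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    kinds = classify(fh.read())
            except OSError:
                continue
            if kinds:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "data": sorted(kinds),
                    "exposure": exposure(os.stat(path).st_mode),
                })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed sample tree (fake records) and audit it."""
    root = tempfile.mkdtemp(prefix="data-audit-")
    samples = {
        # SSN-shaped record, readable by everyone on the host
        "hr/payroll.csv": ("name,ssn\nA. Person,123-45-6789\n", 0o644),
        # Luhn-valid test card number, owner-only
        "finance/cards.txt": ("refund to 4111 1111 1111 1111\n", 0o600),
        # 16 digits that fail Luhn: an order reference, not flagged
        "public/notes.txt": ("order ref 1234-5678-9012-3456 shipped\n", 0o644),
    }
    for rel, (text, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return audit(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['exposure']:15} {','.join(f['data']):5} {f['path']}")
```

On a real share you would point audit() at the mount and feed the world-readable and group-readable hits into the permission clean-up; the same loop is where an encryption check (is this volume or file encrypted at rest?) would be added. The Luhn step matters more than it looks: without it, every 16-digit order or invoice number is a false positive and the report gets ignored.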

I should also note that I am not recommending that IT departments take down their firewalls -- and Lamb and Pironti weren't saying that either -- but that the firewalls and other perimeter security devices should not be the focus of IT security, leaving data security as an afterthought. Rather, the fluid nature of the perimeter means that data security should be the heart of the security strategy, and firewalls and other security devices should be components that help serve that data-centric security strategy.

Perimeter security may not be dead, but the era of perimeter-centric security looks like it could be coming to an end.

How much of an emphasis does your IT department put on data security versus perimeter security? What do you do to secure your data? Join the discussion.

About

Jason Hiner is Editor in Chief of TechRepublic and Long Form Editor of ZDNet. He writes about the people, products, and ideas changing how we live and work in the 21st century. He's co-author of the upcoming book, Follow the Geeks (bit.ly/ftgeeks).

121 comments
n_egii

I am a little bit bothered by the way most people are describing perimeter security. Do you think it is just security algorithms and programs, firewalls and IDS? I don't think so. Today's security systems are sophisticated enough to provide a reasonable level of security. The problem is not with technology but with the social aspects of security. So far this one has been avoided at all costs, but now it is time to face it. What is the point of spending a high amount of money on a state-of-the-art security system if it cannot protect from the simple question "what is your password?" It is like a two-door house where the front door is locked with all means of locks and the back door is wide open. It is time to stop limiting ourselves to technical stuff and start thinking about the social aspects of security. After all, it is always the human who is the weakest point in perimeter security.

rw

A long thread on this one. Seems to me there are quite a few ideas about a utopia of access, but reality bites the bubble. Perimeterless networks and strong authentication are great. Kick all the users off the server/service LAN and put them on a GBit segment, as is being done by UK petrochemical BP. But how do you know who is accessing what? Will your "outside facing" bandwidth get chewed by happy hackers? This discussion has been chewed over by the Jericho Forum for years and they have not solved all the issues 'yet'. Still open if they will. We need to be able to either allow the data out or securely allow a user application-only access in. What happens in linked data systems like a DMS, PMS or KMS? To work on an item may require downloads of shed loads of information. Is your bandwidth always perfect? RDP / Citrix better? VPNs are cool but drag in the need for a bunch of other technologies to make it all secure; plus the machine is part of the internal network, so an inside snooper or trojan has network access once all the hurdles of security have been jumped. Using a chemist analogy, put the information securely in a network box and only allow access through gloves through the screen. No data out ... no risk. Therefore theft/loss of laptops becomes just a financial irritation. No data is local. No encryption is totally safe; AES was broken to 106 bits last time I looked. So if data is encrypted with, say, 256 AES, what happens when that is broken? A mad rush to lock out everyone, decrypt and encrypt. Hmmm, that would not be a good day! Perimeterless networks are a nice place, but at what cost to block all the holes?

kkernspa

As network administrators, I think it behooves us to do our level best to secure the perimeter (as fluid as that may be) as well as the data. While perimeter security is more difficult due to remote connectivity (which is increasingly becoming more securable in its own right), we should continue to make a concerted effort to secure the perimeter. To fail to do so would invite trouble. Why only have one lock when you can have two and slow the hacker down significantly?

Ian Lewis

for some things at least. You have to have some form of perimeter security. Even on your standalone machine, after all, what does ZoneAlarm do? It filters network packets before they get processed by your browser, for example. That is a perimeter. Email in the enterprise should have a perimeter security device filtering out as much spam and virus-laden email as possible. This provides a chance for workers to be productive without constant or excessive interruptions and protects desktops from a flood of viruses. Web browsing can be protected, to some extent, by a proxy server. Again, a perimeter device. It is possible to scan content and filter out ads and undesirable web pages. There are products that will limit the use of IM software. That said, perimeter security is now only a part of the security arsenal. A few years ago it was enough, but not any more. Desktop security, dynamically updated, is a requirement as the diversity of threats goes well beyond the perimeter. It is all too easy to reach a web page that slips through the perimeter filter and download an ActiveX control, trojan, applet or some other malign software. Networks notwithstanding, there is the simple fact that many machines will happily say 'Hello!' to almost any USB storage device plugged in to them. Great, there goes the company customer list, accounts or whatever else is available. A good case for limiting access by default. When talking about 'blended threats', as some call them, you need a 'blended response'. Ian

martin_ozolin

The best IT department will not protect data that employees have access to. All employees talk. In this scenario, classified information is what object oriented programming is all about. This means that top security clearance means knowing how to manipulate source code, independently of the IT department. Computer programming literacy is becoming as basic as driving a car. The purpose of driving is another question.

dchow

It's true that many attacks are moving more internally or by other methods. But it doesn't mean that perimeter security is dead. Developing nations are now just becoming familiar with and used to the Internet infrastructure. Perimeter security should be seen as a basic fundamental that everyone should know, and we should use the security encapsulation of objects as our next-gen focus. What happens if we ignore perimeter security? Basic things like DHCP, DNS, and SNMP may start to rise. However, enforcement such as encryption and other data process security will be on the rise and definitely won't be ending. This may give us new IT careers in the future, such as Information Assurance: a government standard and enterprise luxury, but it may become an SMB essential in the future.

CharlesDR

Just for information. On http://www.securityforum.org/html/frameset.htm you can find a similar idea. The name of the idea is more accurate: not that the perimeter is dead, but just that boundaries are foggier. Maybe it can resolve the war. And they also do not think that we should give up the perimeter. The Information Security Forum has its own Standard of Good Practice, where perimeter defense takes a great deal of the security.

n_egii

I completely agree with this article. We must stop thinking within the limited border of technology and must start to consider the social aspects of security. Google is a great hacking tool; more precisely, it is a great tool for social engineering. Hacking is no more just about the technical aspect; hacking is going to be social engineering in the first place, and no firewall can protect against social engineering. The whole of network security is useless against social engineering. So stop thinking just about the technological aspect and think how to prevent and protect against social engineering.

gracedman

We, too, realized that the perimeter was dissolving long ago. Even before Web 2.0, the world of VPNs and e-commerce was standing the world of firewalls on its head. Walls have never been a good defense, be it China or France. That's why we launched the ISCS open source network security management project (http://iscs.sourceforge.net). It allows us to redefine the way we look at answering the question of who has access to what and makes answering that question in a highly granular way manageable and affordable. Instead of a hard and crunchy outside with a soft and chewy inside, we turn the whole network into a solid rock. The only access is via explicit permission. The key was to crack managing that kind of complex security. We can currently do this in production at the micro-perimeter level. We are working on integrating ISCS technology with 802.1x. That will take us the last step to the nirvana of truly perimeterless security. We also will need partnerships with hardware vendors to implement that solution. If anyone knows of anyone interested in exploring ISCS/switch integration, please steer them our way via the contacts on the web site.

michael_orton

When the day of the lone Pc in a locked office ended, perimeter security died. You have to encrypt all data you want to keep to yourself, run say PGP/Powerpgp32 from a USB device and hope that there isn't a keyboard sniffer around!

Absolutely

Cell phones are comparable in size to floppy disks & CDs/DVD. USB keys are considerably smaller, with comparable capacity. What's the news, here?

ckensek

No. Perimeter security, endpoint security, and data security are all essential. The first two are more interrelated than the 3rd. The group tasked with protecting the network should be working closely with those "owning" the data and its protection.

TBBrick

a multi-layered defense system. Whattayaknow! Sound ideas do stick around after all.

cla

Perimeter security is dying - and there's only one solution that handles this fact. Giritech, a Danish startup, has a product that enables what they call "network consolidation" ... Basically the idea is you throw away your LAN and always connect to apps via the Internet and their G/On solution. Check it out at www.giritech.com.

gezelter

Perimeter security is not dead, but it is not, and has never been, the whole story. Since 1995, my chapters in the "Computer Security Handbook" have said that perimeter security is not the answer. At a minimum, almost no organization can satisfy its needs with a single security perimeter; the actuality is a series of sibling and nested security domains hanging from a common network infrastructure. Since 2003, I have been including this concept in a series of presentations that have been hosted by the IEEE Computer Society, "Safe Computing in the Age of Ubiquitous Connectivity". As a finale to that multi-year series of lectures, I presented a paper at LISAT 2007 on these issues (see http://www.rlgsc.com/ieee/longisland/2007/ubiquitous.html for both the paper and the presentation slides). Protection of incoming data and distrust of outside data is a logical new dimension to the same calculus. Far too many installations have been too trusting for far too long that a secure perimeter solves the problem. - Bob Gezelter, http://www.rlgsc.com

rw

Absolutely. We need to be able to have a system where it takes a conscious, convoluted effort to give a stranger access. I have a system with 2-factor authentication where I could give you my key and user name and password and even my PC, and you still would get nothing but an about menu, a log file to say you were connected, and an exit. The client cannot change any settings either.

RU_Trustified

We are doing what the Open Group has as its goals, with what amounts to a scalable multilevel security and a granular access and audit control system at the data file level, on a per-user basis. As I mentioned above, we have not thrown out the firewall.

Tony Hopkinson

a little less lucrative, but it won't stop it. If I ring you up and ask you to read a document on your pc because I'm not at my desk... Education is the only response to social engineering unless you were planning on bio engineering.

jasonhiner

Sounds like a powerful strategy. I'd be interested to hear more about how you manage such a complex security strategy and what the biggest challenges are. If you'd prefer not to post it publicly, feel free to click "Send message" in my signature to send me a private message.

Tony Hopkinson

Deny all, allow some. The difference between security and trust. So in the interests of not appearing too soft and chewy myself: presumably this rock has got some moss on it, so requests for authorisation can be made? The key for this has always been who can make that decision, how quickly it can be granted and how much resource needs to be spent to do so. It's the difficulties in these regards that have left us where we are now: allow all, deny known bad guys, easily identified by the fact the last time 'you' allowed them in they were bad.

jk2001

The definition of "perimeter" changes over time, leaving the existing technology deficient and requiring new techniques. Around a decade ago, for app programmers, the web made traditional security models, built around trusted "logins" and "sessions", obsolete. You could no longer trust that a unit of data, known as a variable, could be trusted, even if it came down the authorized pathways. If your code got a string of data, you had to check its security. To effect this, a technique was used that would tag every piece of incoming data as "untrusted". The application would have to inspect the data, and see that it conformed to some rules, to remove the tag. In the JavaScript environment, this tag can't even be removed by the code. Manual intervention by the user is required. Similarly, DRM-like techniques are used in MS's "Authenticode" system, that pops up those dialog boxes asking you if you want to install some code. The logical direction (or ridiculous end) for all this: outgoing data will be similarly tagged. At first, it'll probably be at the "volume" level, where an entire disk is encrypted. Some thumb drives already do this. Later, individual files will be encrypted. Data being copied between some devices should be scanned for malware. Getting to that point, however, will take a long time, because there's a lot of legacy code and legacy systems. Old DOS and Windows systems will need firewalls to compensate for their inherent lack of security. Old apps using legacy security will need to run on virtual machines for the same reasons. We'll also face cultural and political issues, because these technologies will also affect the movement of personal data across boundaries.

Tony Hopkinson

Maginot line. :D To carry on the military analogy, don't forget your six, well nine in Belgium's case.

catseverywhere

Jason is right about one thing: no solution has ever been a silver bullet, all-in-one, do-it-all app or device. And current trends are running rapidly away from such a wishful concept. But you have to consider many factors to answer the main question, especially the size of the enterprise. I think smaller organizations with fewer layers between IT and owner/operators are a better bet to move in the right direction vis any security consideration. Then there's the user factor; I agree with the previous comment that user education is key, perhaps the most important. Again, the smaller the enterprise, the more likely security concerns will be addressed more appropriately by individual users (plus it's easier to reach 'em all). I think the gist of this article was that you need both the moat and the armor, but that the heavier attention should now be applied toward the armor, as obviated by the explosion of the factors mentioned, which erode the network as a true perimeter. I deal with numerous small enterprises, rather than one big, complex system. I think I am in a better position to be listened to, and in having my recommendations implemented I have greater latitude than you all who reside in a different state than the CEO, have multiple remote locations, etc. Like I say, this is a tough subject, too many factors for a "one size fits all" solution/answer. Great article, Jason, ya got me and the crew here really thinking this morning. cat

Tony Hopkinson

Give me a break. Throw away the lan, how am I connecting to the internet then, dial up? Where's my data ? Security isn't just authorisation, are they guaranteeing me access no matter what. I hope you don't work for them, because your post just made sure I wouldn't go near them if they paid me. Magic wands are for granting wishes.

Scott

Re: "Protection of incoming data and distrust of outside data is a logical new dimension to the same calculus." One of the most important things I was taught early on with respect to data integration is to treat all inputs from external systems as garbage. Never assume that it is accurate, safe, or properly formatted. Check and double-check it before accepting it. I just mentioned in another post that too many net admins don't know how to secure "applications" (web server, db server, etc.). Let me also say that too many software developers don't know how to (or don't take the time to) protect the data INSIDE the database. For example, is it "overkill" to encrypt a SSN or credit card number inside the database? The database is already "secure", right? Why encrypt specific fields?
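The tagging jk2001 describes a few posts up (every incoming value marked "untrusted" until it is inspected against a rule) and Scott's rule of treating every external input as garbage until it is checked are the same mechanism. As an added example, not code from either commenter, the Python below implements that mechanism in miniature: values that cross the trust boundary are wrapped as Tainted, the only way to clear the tag is a validator that returns a plain str, and a sink refuses a Tainted value outright, even a harmless-looking one, because the tag is what says nobody has checked it yet. The path rule, the /srv/reports base directory and the function names are assumptions for the example.

```python
"""Tainting untrusted input: an added example, not code from the thread.

Every value that crosses the trust boundary is wrapped as Tainted. Sinks
refuse Tainted values outright; the only way to clear the tag is a
validator that checks the value against a rule and hands back a plain str.
"""
import os
import re


class TaintError(ValueError):
    """Raised when tainted data reaches a sink or fails validation."""


class Tainted(str):
    """A str that came from outside and has not been validated yet."""
    __slots__ = ()

    # Concatenation keeps the tag. Python calls the subclass's reflected
    # method first, so "prefix" + Tainted(...) also stays Tainted.
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def from_outside(value: str) -> Tainted:
    """Tag a value at the point it enters: request parameter, file, API reply."""
    return Tainted(value)


def validated(value, rule: str) -> str:
    """Clear the tag only when the whole value matches rule; returns a plain str."""
    if not isinstance(value, Tainted):
        return value
    if re.fullmatch(rule, value) is None:
        raise TaintError("input rejected: %r" % str(value))
    return str(value)  # str() of a str subclass yields a plain, untagged str


def report_path(base_dir: str, filename: str) -> str:
    """Sink: builds a path. Refuses tainted input regardless of its content."""
    if isinstance(filename, Tainted):
        raise TaintError("tainted value reached path sink")
    return os.path.join(base_dir, filename)


def handle_request(raw_filename: str, base_dir: str = "/srv/reports") -> tuple:
    """Request handler (assumed shape); returns ('ok', path) or ('rejected', reason)."""
    name = from_outside(raw_filename)
    try:
        safe = validated(name, r"[A-Za-z0-9_-]+\.csv")  # no '/', no '..', fixed suffix
        return ("ok", report_path(base_dir, safe))
    except TaintError as exc:
        return ("rejected", str(exc))


def bypass_attempt(raw_filename: str) -> bool:
    """True if the sink refuses an un-validated value even when it looks benign."""
    try:
        report_path("/srv/reports", from_outside(raw_filename))
    except TaintError:
        return True
    return False


if __name__ == "__main__":
    print(handle_request("q3.csv"))            # ('ok', '/srv/reports/q3.csv')
    print(handle_request("../../etc/passwd"))  # ('rejected', ...)
    print(bypass_attempt("q3.csv"))            # True
```

A str subclass carries the tag only through the operations overridden here; .upper(), slicing, f-strings and % formatting all return plain str and silently drop it, which is why languages that do this for real (Perl's -T taint mode is the classic case) track it in the interpreter. The value of the pattern even in this toy form is that the sink check is a single isinstance, so a reviewer can see that nothing reaches the sink without passing through validated().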

Tony Hopkinson

We have been and are in the world of trusted computing. Trust is not security, can't ever be security when the people in control of who is to be trusted are the ones who want (need !) to be trusted. Until the authorisation model shifts to deny all and allow some, no one will get anywhere at all, no matter how many times they redefine the word perimeter.

jasonhiner

"Far too many installations have been too trusting for far too long that a secure perimeter solves the problem." That's the crux of what my article was getting at.

rw

I didn't ever say throw out the firewall. But with this granular level of access, if VPN is involved the client machine is "part of the network" of some sort. So machines, once in, can be used to snoop the network unless complex prevention is put in place. Or if the SSL app is out, that means a presentation system presented to the outside: giant hack-me factor. As far as the data level goes, I have implemented systems where basic user data can be quite a lot of interconnecting MB of info, which needs complex client software to present it in its correct form. How costly is the client machine? And how much encrypting, sending and decrypting goes on?

n_egii

Of course education must be one of the major approaches against social engineering, but do you really think that only education is enough? I think it is not. We have always depended on technology, and we also use it against social engineering. Machine learning and AI techniques together with u-devices might work great for preventing certain forms of social engineering.

jasonhiner

I like your summary of the three issues involved when you move to a deny all - allow some model. I've tweaked the ones you listed: 1.) Who decides and what criteria are used? 2.) How quickly can it be granted (so that it doesn't hinder productivity of valid users)? 3.) What are the resources it takes to manage it? Does that hit the mark?

Tony Hopkinson

changed I'm not so sure of. Pre internet, most security was physical. Password protection and encryption were back stops to that failing or when impossible to enforce. This has never been not true. The only thing that changed was the number of people who 'could walk into the office', or perhaps sneak into it. So why haven't we always secured the data? They couldn't sell us anything that would do it without having a serious impact on us using our data. Always look a vendor in the mouth, after you've made sure you are at the correct end. It would be interesting to see how much work it would be to maintain and operate a reasonable sized organisation where all data was encrypted. It would have to be all otherwise we are back to allow all, deny some, which we know doesn't cope with change.

TBBrick

Dude, a multi-layered defense system does not always produce a Maginot Line. The problem the French had was that in WWII they were using a defensive system that had been successful in WWI. Whatever you call your defensive system, it had better keep up with the strategies/tactics of the current enemy, not the one from the last war.

jasonhiner

And yes, both the moat and the armor are needed, but the armor is becoming much more critical because there are a lot more soldiers running around outside the moat than there used to be. Okay, I just took that metaphor too far.

rw

If a laptop checked once and given access to VPN gets compromised, then it is a werewolf: a monster in the guise of a valid network node. Nodeless, the machine never sees your network, hence the werewolf's food supply is cut off! If you build a segmented LAN separating clients and servers, clients NEVER log onto the server network. In-office access to data like always, fast local LAN, but only through an explicitly adopted system, fully encrypted and with 2-factor built in. Access no matter what? How about if your laptop is torn apart by the werewolf? No data on the device... no loss. Let them take it! G/On can be all placed on a USB device, 2-factor/encrypted etc. like the original. Get a new machine from the local store, with any sort of internet connection (wise to have some sort of firewall and AV), plug in the key and back in business. No new builds, policy, vetting by IT security, compatibility with software. Plug in and back to work. The key can be tied to a user, and PC, and local network environment, and network device. So you could simply hand over a key and username and password to a hacker (tested and proven by auditors Deloitte)... and still no joy to the unauthorised! Zoning on the product can be set so even if they did get in on an untrusted device, they would get a basic (uneditable) menu: show log, about and exit. Not a lot can be done with that. Better still, the software is a simple download and run. Once clarified by IT, who have to just click a menu item or two, your access to your data is there, with all the abilities to tie that machine, environment etc. to a user. Dial-up speed? Who cares; push a basic thin client or Citrix menu item to the client. Maybe a dangerous chemical handling approach is needed for sensitive info. The chemist puts their hands through gloves through a screen and never has actual contact. Don't want your data compromised... don't let it out of the building!

Absolutely

My take on this topic is similar to yours. I don't believe the introduction of a couple new types of devices represents a sea change in IT security. An optical disk is as good as a SmartPhone for an authorized user who wants to steal data. As jk2001 explained to me below, the perimeter has changed. I don't dispute that the perimeter now includes a larger number of portable data devices, because people like to use portable phones & mp3 players. But, the general definition of a perimeter has not changed. The basis of information security still is use of credentials to establish authorized access, and encryption to thwart unauthorized users from using what they capture. I'm going to make a new Project in my Workspace now -- oops, that's My Workspace -- called 'It is NOT the end of the world as we know it'. I see that theme a lot in IT, and it's usually bollocks. I think that Project will grow very quickly! :D

Tony Hopkinson

Application and data integrity for software has been in the 'nice to have' category for a long time. If it gives you a marketing advantage and it won't eat too much into the profits (this means not at all, usually), then we are allowed to spend the necessary resource to do it, whether that's getting people who understand the issues or allowing the ones you have to implement them. Then there's the whole legacy issue. This sort of thing needs to be at the forefront of design from day one. Retro-fitting it is usually a cost negative. Partially doing it merely highlights those places where you haven't. Accessibility is the inverse of security; asking a business head whether you should spend your limited resources making a product more accessible or more secure has been a waste of breath for decades. I do agree that it's not being taught right though. A simple for instance would be a SQL injection attack: parameterised queries pretty much kill that, but they go in the 'nice to have' category in education. So now the emphasis is changing, but as an industry we aren't geared up to cope with it. That's at the 'bottom' in application design and at the top in terms of what we are tasked with designing. To be honest, I'd have to do a refresher on this, so would the QA people to make sure it took, the BAs to make sure they asked for doable, and my managers to police it. Not an excuse for all the insecure stuff I've designed over the years, but definitely a reason. Twenty years of compromise up to press, and to be honest, I can't see that changing much before I retire. Here's hoping though; it would be nice to be allowed to do it 'right' for once.

RU_Trustified

You are right that deny-by-default lends itself well to the model of deperimeterization. A truly trusted system protects systems and data from even the system administrator.

paredown

Those in the university IT world who are unable to secure their perimeters have known for a long time that data security, strong passwords, user education etc are key...

rw

Hmmm, yep, got that too. Deny by default is the only way to go, but my point is when access is granted what can a client see? Kernel level policy enforcement is a deep worm hole. How much of the security policy has to be locked down and what happens to the freedom of the client? Does the machine become part of the network? Can a user use their home PC with all the kids' games etc. sitting on it? Or do you have to buy or take "ownership" of the client? What if you could have any old PC connect. No enforcement on the client but FULLY secure access and no trace on the client PC. Basically connect in whatever way works for you. Don't care about your own Skype, Half-Life installs. Your access is only granted specifically through me and the client machine is not ever part of the network. Bang goes the policy requirements and zero conversion costs.

RU_Trustified

When you look at the whole security model it is much simpler and much more intuitive for managing business data flows, because it keys on user access post-authentication. When you have deny by default in an environment, a whole lot of network traffic and noise just goes away. The logging you have left is specific and useful, based on data access and system transactions. Finally, the value of a kernel level policy enforcer is huge. You are not monitoring for infractions after the fact in order to deal with remediation and clean-up. The cost of conversion varies, depending on what it is you are trying to protect and your IT infrastructure etc. The cost is not cheap but always less than damage control and breach recovery.

rw

How much is a "conversion"? Not all client level systems are costly. Do you have to ensure the integrity of the client machine? "Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius and a lot of courage to move in the opposite direction." Albert Einstein

RU_Trustified

The prevention is comprehensive but not complex to use. We convert commercial systems to trusted, deny-by-default systems, thus avoiding costly add-ons at client level. It is compatible with all standard encryption but uses kernel level domain separation and enforcement of digital data separation, and thus protects data in use without need for constant encryption and decryption.

Tony Hopkinson

Hi, it's n_eggi from IT, I'm just trying to improve the performance of the network by checking everyone has an oojah in their thingamabob connected to a whatisname. As managing director you have access to secret folder X, could you please open a document in there and read out my social security number. Yes, that's right, thank you very much. Not talking fly-by downloads from www.pornsite.com here.

RU_Trustified

1) Who decides and what criteria are used? Ideally, it should be the group permissions manager AND the security officer (dual key control). The criteria should be based on least privilege and role based access for each user to perform his function. For example, there is no reason for IT staff or engineers to be able to access accounting or human resource data. Typically once users are post-authorization, they can access anything, so are any criteria being used now?

2) How quickly can it be granted (so that it doesn't hinder productivity of valid users)? If properly set up and based on business data flows, there is no need to hinder productivity. Blocking USB ports all the time blocks productivity; preventing their use with sensitive documents prevents unauthorized access or use of valuable corporate data.

3) What are the resources it takes to manage it? A well designed product should take fewer resources than any other alternative, and will reduce unauthorized rogue activity and traffic on the network, as well as keeping valuable enterprise data in-house. What are the resources that are spent NOT doing deny by default?
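The deny-by-default, role-based, dual-key model described in this reply, as an added example that is not part of the original comment: a toy policy object where anything not explicitly granted is denied, and a new grant only takes effect once one permissions manager and one security officer have each approved it. Role names, resources and approver names are constructed for illustration.

```python
# Added example (not from the original post): deny-by-default role policy
# with dual-key control on changes. All names below are constructed.
from dataclasses import dataclass, field

# Constructed role -> resource grants. Anything absent from this map is denied.
DEFAULT_GRANTS = {
    "accounting": {"accounting_db"},
    "hr": {"hr_db"},
    "engineering": {"source_repo"},
}

# Both of these roles must sign off before a grant is live (dual key control).
APPROVER_ROLES = {"permissions_manager", "security_officer"}


def _initial_grants() -> dict:
    return {role: set(res) for role, res in DEFAULT_GRANTS.items()}


@dataclass
class Policy:
    grants: dict = field(default_factory=_initial_grants)
    # (role, resource) -> {approver_role: approver} for grants still waiting
    pending: dict = field(default_factory=dict)

    def is_allowed(self, role: str, resource: str) -> bool:
        """Deny by default: unknown roles and unlisted resources both fall through to False."""
        return resource in self.grants.get(role, set())

    def propose_grant(self, role: str, resource: str, approver: str, approver_role: str) -> bool:
        """Record one approval; return True only when both keys are present and the grant is live."""
        if approver_role not in APPROVER_ROLES:
            raise PermissionError(f"{approver} ({approver_role}) may not approve grants")
        key = (role, resource)
        seen = self.pending.setdefault(key, {})
        if approver in seen.values():
            # One person cannot hold both keys, and cannot approve twice.
            raise PermissionError(f"{approver} has already approved {key}")
        seen[approver_role] = approver
        if APPROVER_ROLES <= set(seen):
            self.grants.setdefault(role, set()).add(resource)
            del self.pending[key]
            return True
        return False  # still waiting on the second approver; access stays denied
```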

rclark

From what I've read, most of the ID10T messages will be answered once then not bother us again. But swapping IPs and granting access rights, turning on/off the firewall, changing Defender, etc. Those will probably still be there.

Tony Hopkinson

I know what you are saying; I had to swap to a static IP and back to dynamic twice yesterday. So four confirmations :) I see authorisation / persistence of UAC as something that sits on top of it, instead of a replacement, i.e. if it could field UAC requests for you. The iffy part, where they might have to tweak, is that a good few of UAC's alerts could easily be considered specific to the hardware you are using and/or the logon.

rclark

What we really need is a proximity card that can't be stolen, or if stolen, doesn't work. Perhaps some embedded tech like the RF pet tag that dies if it is removed from the body, or maybe a DNA scanner that will verify the user is alive and well at the same time to keep someone from cutting off a finger. Once we get non-refutable identity, we can answer the question once and the system can save the answer. Then UAC would work. The "are you sure" thing is actually my main gripe with UAC. I already told you twice, and now you are asking me am I sure?

CG IT

How quickly can it be granted and, most importantly, what resources [labor] does it take to manage it? If it takes 1 guy to manage security, nope, too expensive, find another way. Maybe an appliance or, better yet, loosen the security requirements so we don't have to spend $$ managing tighter security. Maybe a software program?

Tony Hopkinson

Worse still, I'm from Yorkshire. :D I can think of a few improvements, both in the UI and under the hood, but as an idea, it's the sort of thing I've been begging for on the Windows security front for decades. It's the biggest step MS has ever taken towards a secure Windows OS; I can do little else but applaud and hopefully encourage them to take the next ones.

jasonhiner

That's the very first time I've seen that, from anyone. :-)

Tony Hopkinson

A firewall will do. X wants to talk to Y. X wants to talk to Z. X is now X.1, do you still want it to talk to Y & Z? Of course, until you are asked and save the answer for every scenario it's a pain. Saving brings its own problems as well. "Are you sure?" can't be made unobtrusive. You can also give the user a severe case of question fatigue, so they start answering yes all the time. Still, if this stuff was easy anyone could do it.... properly.... I've got UAC on in Vista, never really thought about turning it off; after all my complaining about security in MS products, that would make me look like a prat. I like UAC because it isn't trust.

rclark

And it had better be fairly easy to use because at that level, it would require authentication every time a file was opened or a process started. Anything other than biotech would cause you to constantly be doing user authentication by passwords or passkey, and both of those are defeated by stolen keys or keyloggers. So a fingerprint or something like it. Everyone who has tried Vista has experienced to an extent what granular security would be like without biotech. Most turned off the user account control immediately.

Tony Hopkinson

I still think it should be done and then we find ways to make it more friendly. But unless/until security becomes the prime factor in marketability it's not happening. The legacy issue would be unbelievable, total 180 on the way we do things now.

Tony Hopkinson

The Maginot line was built after World War One and it was a catastrophic failure in war number two. The Maginot line was yet another silver bullet designed by idiots who underestimated their enemies. You can multi-layer whatever you like. If you leave an approach unguarded, you can bet your ass that's exactly where the enemy is going to march. Error on the French part: assuming Belgium would always be in friendly hands. Recent similar error: Sony are a reputable company. Doesn't matter how many layers you have if the bad guys have a way through them all, or round in the case of the Maginot line. Other than that, I was in no way disagreeing with you. Dood

Tony Hopkinson

Look at ActiveX for instance. Commercial benefits enormous; security... starts at forget about it and ends with you just disabling it and losing all the commercial 'advantages'.
