The primary method of corporate computer security over the past three decades has been focused around the network. It’s been about allowing those inside the network to have privileged access to corporate resources and building impenetrable walls to keep outsiders out. Unfortunately, this model is rapidly losing its effectiveness because the borders of networks are becoming much more fluid and dynamic with the advent of VPN, Webmail, push e-mail on smartphones, telecommuters, and a geographically dispersed and mobile workforce.
So far in 2007, I’ve had two highly respected IT security experts try to disabuse me of the notion that network security is even relevant any more. The first was Kris Lamb, Director of X-Force Internet Security Systems for IBM, who brought this up at Interop Las Vegas in May. The other was John Pironti, Chief Information Risk Strategist for Getronics, who told me the same thing when I spoke with him at the Enterprise 2.0 Conference in Boston in June.
Lamb said, “The network boundaries are dissolving. There isn’t a clear distinction between safe and untrusted zones.” He also added that “It’s the illusion of these categories, trusted/untrusted, safe/unsafe” that is leading a lot of companies to a false sense that their IT assets are secure.
Similarly, Pironti said, “The perimeter dissolved a long time ago… There was a false sense of protection. When you take a data-focused approach instead of a technology-focused approach, you realize that as soon as we connected data and interconnected computers via the Internet, the perimeter failed… The day I brought my data outside the mainframe, four walls, and the LAN was the day I lost my perimeter.”
These two security gurus are not in contact, so far as I know. I spoke to one in the Southwestern United States one month and the other in the Northeast the next month. They both gave me roughly the same message: Perimeter security simply doesn’t cut it anymore.
[Photo caption: John Pironti giving a presentation on security at the Enterprise 2.0 Conference in Boston in June 2007]
So if traditional perimeter security will no longer work, where does that leave us? Lamb and Pironti both pointed in the same direction: data security.
Pironti said, “Let’s define the new perimeter by thinking about how our data can be impacted, not how our technology can be impacted. That is the biggest challenge. Security professionals still run to the box. It’s still too easy to [just] buy the box… The perimeter is wherever the data is. The perimeter follows the data.”
Lamb said, “Data security is a solution that people need to be thinking about… Data is becoming the delivery mechanism of a lot of the real nasty threats that are out there. You’re seeing trusted file formats [DOC, PPT, PDF] used as ways to embed malware and exploits.”
So what’s the difference between perimeter security and data security? Pironti described the contrast as the difference between building a big castle with a moat around it and building really strong body armor for the knights you send out onto the open battlefield.
But the approach to data security is also about much more than just using different tools to protect smaller targets. There’s also a philosophical and cultural shift as well. “The most important thing that we think people should do is to do a threat vulnerability analysis,” Pironti said. “Let’s look at your data and your business processes, and not [just] your technology. Let’s look at your information infrastructure, which is all of the people, processes, and technology associated with information and data. Now, start looking at that and saying, ‘What are the possibilities in how that data could be compromised? What is the likelihood of that happening and what is the [potential] business impact?’ So you describe all the scenarios and lay out all the possibilities… Once I understand what can happen to me … then I can start talking about what is my vulnerability management plan… What I am going to put in place that will still enable the business to function but protect it from these potential high-threat, high-likelihood situations? That is a process-oriented, business-oriented approach to information security that hasn’t existed in many organizations. It still doesn’t today because it’s too easy to [just buy] the box.”
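The threat vulnerability analysis Pironti describes above is, in practice, a risk register: list the ways each piece of data could be compromised, rate likelihood and business impact, and let the ranking drive the vulnerability management plan. The following Python is an added illustration, not code from the article or from either expert, and the scenarios, the 1-to-5 ordinal scales and the treatment threshold are constructed assumptions.

```python
"""Added example: a minimal threat/vulnerability analysis register.

Scenarios, scales and threshold are constructed for illustration.
Each scenario names the data or business process at risk (not a device),
a likelihood and a business impact; the product ranks them so the
mitigation plan targets the high-threat, high-likelihood cases first.
"""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    asset: str                 # the data at risk, e.g. "customer PII"
    likelihood: int            # 1 (rare) .. 5 (expected this year)
    impact: int                # 1 (negligible) .. 5 (severe business impact)
    controls: list = field(default_factory=list)  # candidate mitigations

    @property
    def risk(self) -> int:
        # Ordinal risk score; 25 is the worst case on these scales.
        return self.likelihood * self.impact


# Constructed sample register (assumption: these ratings are illustrative).
REGISTER = [
    Scenario("Unencrypted customer data on a lost laptop", "customer PII", 4, 5,
             ["full-disk encryption", "remote wipe"]),
    Scenario("Malware in an emailed PDF reaching a finance desktop", "payment records", 4, 4,
             ["document sandboxing", "least-privilege desktop accounts"]),
    Scenario("Over-permissive file share exposes HR data to all staff", "HR records", 3, 4,
             ["share permission audit", "need-to-know ACLs"]),
    Scenario("Designs copied to a personal USB drive", "product designs", 3, 3,
             ["removable media encryption policy"]),
    Scenario("Perimeter firewall rule misconfiguration", "internal web app", 2, 3,
             ["rule review"]),
]


def rank(register):
    """Highest risk first; ties broken by name for a stable report."""
    return sorted(register, key=lambda s: (-s.risk, s.name))


def treatment_plan(register, threshold=12):
    """Scenarios at or above the threshold need a control in the plan.

    Returns (scenario name, risk score, candidate controls) tuples.
    """
    return [(s.name, s.risk, s.controls)
            for s in rank(register) if s.risk >= threshold]


def residual_risk(scenario, likelihood_after, impact_after=None):
    """Re-score a scenario assuming a control changes likelihood/impact."""
    impact_after = scenario.impact if impact_after is None else impact_after
    return likelihood_after * impact_after


if __name__ == "__main__":
    for name, score, controls in treatment_plan(REGISTER):
        print(f"{score:>3}  {name}  ->  {', '.join(controls)}")
```

The point of the scoring is not the arithmetic but what gets listed: every entry is a way the data can be harmed, so a firewall misconfiguration lands near the bottom while a lost laptop holding unencrypted customer data lands at the top, which is the ordering a data-centric plan should produce.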
There was one other area where I got a similar message from both Lamb and Pironti. They both believe the stakes are higher than ever, for two reasons: many hackers have changed from hobbyists to professionals, and hacking has gotten easier because of the amount of information about people, organizations, and systems that is readily available via the Internet.
“The hacker community is migrating from a notoriety-driven to an organized, profit-driven underground,” said Lamb. “They are really playing on Web 2.0 and the democratization of content and using that as a way to bring their attack to the user.”
Pironti remarked, “The attack community has changed from a very public and well known way of telling people what they did by putting out a [message] letting everyone see how special they are, to a very professional and targeted scenario.”
Many hackers have gone professional by teaming up with organized crime and are now breaking into systems and stealing data for the purposes of blackmail, extortion, and money laundering.
The bad news is that it is easier than ever to do because of the Web. Pironti explained, “Google is the ultimate hacking tool. By far, it is the most effective hacking tool that exists today. Google tells you everything that you want to know about an organization. It tells you everything you want to know about how to attack and compromise different systems… The level of information that exists today has really changed the dynamic.”
The fact that I got such similar information from two different security experts who focus on different aspects of the industry — and the fact that so much of it rings true — prompted me to bring this to the attention of IT pros. I know plenty of organizations that do a nice job of perimeter security but don’t even bother to strictly enforce the use of permissions on file shares, or to fight USB flash drives that can carry unencrypted, unsecured company data. The TJX security breach is an example of what can happen when the IT department gets careless.
I’d recommend that all IT departments consider the kind of threat vulnerability analysis Pironti explained. And, at the very least, start thinking more seriously and holistically about file permissions and data encryption. That way, even intruders who get past perimeter security will have a difficult time doing much damage or stealing any valuable digital assets.
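Strictly enforcing permissions on file shares, as recommended above, starts with finding out what is currently exposed. The following Python is an added example, not code from the article; it walks a directory tree and reports files that anyone can read or write, skipping directories that are intentionally public. The sample share it builds in a temporary directory, the file names and the modes are constructed for illustration.

```python
"""Added example: audit a directory tree for files readable or writable by
everyone, the kind of lax share permission a data-centric review would catch.

Builds a constructed sample share in a temporary directory so it runs offline.
Uses POSIX mode bits; on an SMB/NTFS share the same idea applies to ACLs.
"""
import os
import stat
import tempfile


def audit_tree(root, public_prefixes=("public",)):
    """Return sorted (relative path, [issues]) for files with lax modes.

    world-readable is only an issue outside the public prefixes;
    world-writable is always an issue.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            is_public = rel.split(os.sep)[0] in public_prefixes
            issues = []
            if mode & stat.S_IROTH and not is_public:
                issues.append("world-readable")
            if mode & stat.S_IWOTH:
                issues.append("world-writable")
            if issues:
                findings.append((rel, issues))
    return sorted(findings)


def build_sample_share():
    """Create a constructed share layout and return its root path."""
    root = tempfile.mkdtemp(prefix="share_")
    # Constructed sample files and the modes they are deliberately given.
    files = {
        "hr/salaries.xlsx": 0o666,      # everyone can read and write: bad
        "finance/ledger.csv": 0o644,    # everyone can read: bad outside public
        "public/handbook.pdf": 0o644,   # readable by design, not flagged
        "eng/design.doc": 0o640,        # owner and group only: fine
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, issues in audit_tree(share):
        print(f"{rel}: {', '.join(issues)}")
```

Run against a real share, the report is the input to the next step: tightening the ACLs on whatever holds sensitive data, then encrypting what must travel beyond the share, so that an intruder who is past the perimeter still finds little of value readable.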
I should also note that I am not recommending that IT departments take down their firewalls — and Lamb and Pironti weren’t saying that either — but that the firewalls and other perimeter security devices should not be the focus of IT security, leaving data security as an afterthought. Rather, the fluid nature of the perimeter means that data security should be the heart of the security strategy, and firewalls and other security devices should be components that help serve that data-centric security strategy.
Perimeter security may not be dead, but the era of perimeter-centric security looks like it could be coming to an end.
How much of an emphasis does your IT department put on data security versus perimeter security? What do you do to secure your data?