At Interop Las Vegas, IBM/ISS security strategist Joshua Corman explained seven “dirty secrets” of the security industry. One of his points was the newly common refrain that “there is no perimeter.” What exactly does that mean?
It’s a buzzword
Technically, I guess it’s a buzzphrase. The point is that the phrase, “there is no perimeter” has gained some traction lately. It’s a very popular thing to say in certain circles. It makes you sound cutting-edge and knowledgeable. That’s the great thing about these postmodern-sounding declarations that everybody accepts as a simple fact of reality even though they don’t even exist — they always make you sound cutting-edge and knowledgeable.
Unfortunately, it’s wrong. There is still a perimeter. For the foreseeable future, there will always be a perimeter. The argument that fifty percent of security breaches “don’t go through the firewall” is a bit of handwaving and misdirection, really. What about the other fifty percent? How accurate are these statistics, anyway?
A more reasonable interpretation of such statistics — assuming for the moment they’re even credible — is that the advancement in the state of the art of perimeter security has ensured it is no longer the low-hanging fruit for malicious security crackers. Perimeter breaches for targeted data theft are no longer as easy as they once were. Everyone uses firewalls now, and almost everyone uses network address translation, proxies, and other common perimeter security measures. If you want access to critical data from a specific network, sometimes it’s just easier to go around the network perimeter than to get through it.
That’s not because there’s no value to perimeter security. It’s just because perimeter security has made it more difficult to breach the perimeter than to find a way to avoid it when you need to target something specific.
Don’t neglect your perimeter security. You need it, not only to make things more difficult for the malicious security cracker who has decided to target you for what you have, but also to protect you from automated, opportunistic attacks, mobile replicating malware, and similar threats that don’t much care who they’re targeting, as long as the targets can be breached.
It’s a wake-up call
The truth of the matter is that a secure perimeter isn’t the be-all and end-all of security. It’s important, but it’s not all that’s important. Some of the people throwing about buzzwordy pronouncements like “there is no perimeter” just want to use buzzwordy pronouncements that make them sound cutting-edge and knowledgeable. Others, however, are trying to make an important point:
When you’re working on security, you can’t stop with the network perimeter.
There are at least a couple of things you need to think about protecting when you start implementing security measures. One is your information technology resources; you don’t want someone gaining unauthorized access to those resources and misusing them to send spam, host FTP archives of illicit data, or attack other networks. Another, however, is information. Information doesn’t color inside the lines. It crosses the perimeter all the time, and a breach in information security outside the perimeter can be just as devastating as one inside the perimeter.
Remember that to a significant degree security has to follow your data, and your data doesn’t stay at home. Every time you send an e-mail, visit a Web page, or let someone from outside access a resource on your network (such as by visiting your Web server), you may be sharing information outside your perimeter that needs to be secured.
Furthermore, physical security is something that must be considered in addition to your network perimeter. What data leaves your immediate area of control on USB flash drives, laptops, optical media such as a CD-R, and by other physical means? What can you do to ensure this doesn’t become a security disaster?
These are the sorts of considerations you need to keep in mind when people say there is no perimeter.
It’s badly phrased
The problem, of course, is that there *is* a perimeter, and it’s still important. Claiming there is no perimeter at all is a great way to confuse people and cause them to make incredibly bad decisions about security in the future. A more accurate statement would be that the perimeter is not as clearly defined as it once was. There are other ways to say it: The perimeter follows the data. There’s more than one perimeter now. The perimeter, like the network, is distributed.
These different ways of phrasing things may not give the listener as clear an impression of what’s going on as simply saying “there is no perimeter,” but that’s a feature, not a bug — because what’s really happening isn’t actually clear at all. Giving people a clear impression about the complexities facing information technology security is giving them a false impression. Alternatives like “the perimeter follows the data” don’t really explain much, but they give you a starting point, a perspective from which to think about what’s really going on.
It’s not a solution. There is no solution, yet, and there may never be. The reason “there is no perimeter” is so badly phrased is that it assumes a simple solution of some sort. To misquote an old platitude, security isn’t a destination: it’s a journey.
It’s not the answer
The reason the phrase “there is no perimeter” is so popular, I think, is that people like to be told pithy things that make it sound like there’s an easy answer. The underlying assumption is that the guy saying “there is no perimeter” knows the answer, and maybe you should hire him to make sure he can give you that answer. The moment you think there’s a single, final answer, though, you’ve already lost the battle for security.
If there’s an answer at all, it’s this:
Security is a state of mind, not a solution.