Are human firewalls the enterprise info. sec of the future?

Summary: Gartner is incubating a concept called People Centric Security that loosens controls and relies on end-users to assume responsibilities for protecting IT systems and data.


Las Vegas - Turning responsibility for corporate information security over to end-users seems akin to the inmates running the asylum.

But Tom Scholtz and his colleagues at Gartner are exploring the notion that the people using IT systems and corporate data are perhaps the best ones to guard them.  

He calls it People Centric Security (PCS), and, yes, the notion raises a lot of eyebrows in information security circles. Gartner is exploring the possibilities of PCS as part of its Maverick idea incubator, and Scholtz presented the work this week at the annual Gartner Identity and Access Management conference.

The thinking goes like this: empower users with responsibility for systems and data important to their work, sprinkle in consequences for breaching that responsibility and users will do the right things to secure their environment.

"The current approach in developing policies and controls doesn't scale to current realities," Scholtz said. That reality is the convergence of social, mobile, cloud and big data and the changes it brings to enterprise computing. These forces are eroding corporate boundaries and controls in many areas long thought to be state-of-the-art defenses.

"In this brave new world, what we do as security people is viewed as negative. We are the people who slow things down," he said. Scholtz, however, is not advocating losing all controls and policies, only loosening them.

He says taking away controls on data and replacing them with new user-based responsibilities, principles and rights may just improve end-user focus and produce a more managed and secure environment.

The PCS goal is to implement a "trust space."

Concepts surrounding "mutual trust" are not new; they have been used in traffic planning, Europe's Schengen Agreement, open source and even cloud computing, where companies trust that large providers will protect their data as part and parcel of protecting their own valuable brands.

Such an environment "makes it easier to monitor for exceptions; the good people are not trying to circumvent the controls," says Scholtz.

Scholtz argues that current information security policies and tools grind on productivity. He says the relationship between IT, the business and workers has transformed, and that necessitates change in how information security is done.

"One of the realities in the current approach to information security is we treat the 95% of people that want to do the right thing, we treat them like the bad people in order to protect against the bad things done by the 5% of people who have bad intentions," said Scholtz. "We treat them like children, and if you treat people like children, they will act like children."

Scholtz knows PCS is not for everyone and that implementation faces cultural and educational challenges.

"Maybe we could develop a situation where we have a set of underlying principles that underpin how people use data and how they access systems, and we link those with specific individual responsibilities," said Scholtz. "Maybe we get a more collaborative and social environment."

There are specific requirements if PCS is to prosper -- the process has to be top down, and there have to be effective punishments for those that abuse their rights.

Scholtz admits his concepts are in the embryonic stage, but that they will evolve in the coming months as he works with select enterprises. He noted that a European bank and a U.S.-based agricultural business are already adopting PCS concepts.

By 2014, Gartner predicts 25% of large enterprises will have dedicated information security staff and budget to implement social, cultural and behavioral change.

"We cannot forget about the bad guys outside our enterprise; we do not get rid of all our defenses," he said.

How crazy do you think the PCS concept is? Can it work? Why might it fail?


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Yeah

    Not crazy at all.

    I have always promoted the idea of security being the responsibility of IT administration, and good security demands that every user is denied access and features they do not need.

    Example: Some features that are allowed are workstation/account personalization, meaning they can change the wallpaper and remove and add the icons they want on the desktop and menu. But they cannot install any software; every application they run needs to be authenticated through IT administration. Every application is limited to storing files in only very specific directories and reading from only very specific directories.

    Every workstation/account has whitelisted WWW sites and even IP addresses it can connect to. A log of every connection is kept for later use. Every physical network socket is authenticated and secured digitally so no one can attach any kind of network device without authentication and a request. Wireless connections are limited to very specific areas, only where needed.

    For all kinds of personal usage, only specific computers are allowed to be used; they are kept on a physically separated network, their usage time is limited to specific times when people have lunch, and even they require their own user account (which needs to be requested). Every account is wiped after logout so you cannot have anything stored on the computers. And the use time of those is limited to lunch and two 15-minute breaks, or whatever the company wants.

    Every digital I/O port in corporate computers is denied unless permission is asked for, and even then the data and devices that are allowed to be used need to be authenticated through IT administration. So if you want to have a USB stick, then you get your own authenticated personal stick from the IT department, which is encrypted and built with specific directories where only you can write and from which you can read with applications you specifically request.

    Every request you make goes through the worker's closest boss, who needs to verify every specific function the worker needs. The boss takes responsibility for what the worker needs, as the boss needs to know everything the worker does in the company.

    In a few weeks/one month, the number of requests and authentications drops dramatically as every important and actually needed feature is allowed. Workers can then work without thinking about security, as it is already done. The problem is just that some people have a hard time understanding that they can no longer connect their iPod or iPhone to the computer to buy new music from iTunes, shop for presents and the latest products on eBay during work time, or even open the Facebook site, or even a browser if it is not needed for work.

    Part of these security features are all kinds of physical rings of security, starting from personal keys to inside the company, ID cards with NFC or RFID tags that are tracked inside the building. Every duplicate use at the same time in the company is flagged and denied access, in situations such as where a person who logged out of the building 2 hours ago would suddenly be trying to open a door inside the building. In those cases, security personnel come to check what is happening with the ID information of the person who is supposed to be there. There are cameras in every corridor, floor and access door. And the closer you get to company secure areas like R&D, IT administration etc., the more physical security there is: doors, security points, security guards etc. All kinds of security functions are under AI controls as well, e.g. a worker is not allowed to work overtime without a specific request from the boss to IT administration and the security department. A worker cannot log in to secure areas or a workstation outside of typical work time, as the AI will detect it as an intrusion.
    • not to mention

      ... that the old security paradigm of hashing, salts, certificates and other transitory measures are being attacked and exploited at an ever increasing rate.

      AKH has just written on this:

      Granted, it's only one dimension of integrated systems security, but it does raise the question the author does well to highlight: are the machines better at stopping these attack vectors than a trained individual (e.g. a network admin' with long experience at all levels of network and systems security)?

      In many cases, yes: the security mechanisms do a very good job. In other cases, you simply cannot replace a sentient, highly intelligent and knowledgeable individual such as a network / sys' admin.

      PCS has obviously got its upsides and downsides .. what holistic management system doesn't? The concept of putting a pair of highly trained eyes (or more than one pair) on the actual running systems, as a security measure in and of itself, makes perfect sense to me. It's by no means a new concept, but the way in which PCS puts the onus back on a person is critical: a computer can be hacked and got at, behind the scenes - a human, so long as they have the advanced knowledge, work ethic and integrity via a proven work record - can't be duped. Monitoring system critical processes then makes PCS a brilliant approach to systems monitoring and security.

      But I can't agree with your last paragraph: I think there is way too much investment in AI security measures. If they're as good as you proclaim, then why have so many org's, enterprises, institutions and govt agencies been hacked to bits with these said "secure areas"? To reiterate, a highly trained Admin' can at least tell by monitoring logs, etc., and activity of the network, and know how to kill an active threat or shut down parts of a network under active attack.

      The supposed security we entrusted to computers is the Achilles' heel of the whole, failed systems security paradigm over the last 25-40 years.

      In the field of networked and systems security management, it's time for a massive change in approach: PCS is definitely a big step in the right direction.
      • yeah

        For the last paragraph, I don't like to use "AI" so much, as such a thing doesn't really exist, but some people find it "trustworthy".

        After all, it is about social engineering, but reversed for workers, to add a new security layer for the company. People have habits that rarely change, like where you park your car, what route you take to the rest room, when you leave work and so on. If data is collected on how workers move etc., security risks can be pinpointed, like totally randomly moving ones or ones who have very strict habits. For those, security can be boosted even more.

        The idea with these is that we cannot have a single security method, like just VPN + GPG disk encryption. We need more variation and very strict limitations.... It isn't very hard to design, and in the long run it demands that those are changed randomly; like every 1-2 months people's habits are broken by rotating where they have their car parking slot, or where the coffee machine is, even for some people where their workstation is.

        And I would argue that by changing locations and routes, typical social engineering becomes obsolete because the data that is collected isn't reliable. Like if every morning a worker's parking slot is randomly chosen by computer, so the user uses a different entrance to the building, a different elevator and stairs and so on. It is possible to do with technology. Like the user's own smartphone gets information when they get closer to work. The smartphone tells what route to take etc.

        And of course there are the company-side security systems, like the mapping system separated physically and digitally from the entrance system and login system etc.

        But it is important to remember, technology is easier to counter than an aware human who is not accustomed to the same habits and doesn't recognize anything other than odd behavior.

        And of course it is hard to do these in all companies because of their locations and buildings and size etc.

        The idea is very old: have three separate keys to unlock the treasure. Have a puzzle, the key itself and a personal answer, and it becomes hard enough to tighten security against robbers.
  • Forget the Seat Belt - Just Hold On! (So - let's blame the victim!)

    In a seminal paper some 40 years ago the point was made that for anyone, such as an end user, to be able to enforce and manage security he or she has to have the knowledge to understand, configure, control and manage any complex technology and artifact that he or she uses. This is NOT the situation today. Akerlof pointed this out over 40 years ago in the seminal paper "The Market for Lemons: Quality Uncertainty and the Market Mechanism". The information situation is wildly asymmetrical in the ICT area from the normal end-user perspective. (See URL )

    Remember - even longer ago - during the days of Ralph Nader and "Unsafe at Any Speed" one proposition put forward by an industry rep was to teach kids to respond fast in an emergency in the car - he called it the "hands" cry - or "kids hold on, accident coming!" Much cheaper than installing seat belts! Effective - well....NO!

    PCS assumes equal knowledge at the attacker and defendant levels - and this is simply NOT the case with current hardware / software products. An end-user may not even perceive the injection of a stealthy root-kit or the like into current commercial off-the-shelf products. They have no idea about DNS cache poisoning and trust the network. Now, if the IT industry offered hardened products FIRST then there may be something in this argument BUT as it stands, Ralph Nader said it all many years ago. (See URL )

    The responsibility lies with the ICT industry to provide products and systems that are understandable and easily managed by the end-user and that may imply STRONG LEGISLATIVE action on the industry to produce products that are "fit for purpose". There is ABSOLUTELY NO EVIDENCE that the ICT industry has voluntarily produced safe and secure products fit for the environment in which they are now used. We have TOTAL MARKET FAILURE in this area. AND - when this is obvious, it is the role and responsibility of government to step in!

    We have to stop blaming the victim and start blaming and correcting the industry FIRST!
    PCS is just a diversion that reinforces that in an age when legislated security appears just politically "off the agenda", for many unknown reasons, it's easier and cheaper to cry "hands" and "hold-on". (It's not in most other industries, e.g. try the FDA, etc.)

    It is about time that politicians took their responsibilities much more seriously in their role to protect their constituents and the nation - FIRST - industry - second!
    • Fit for purpose

      It sounds great. The problem is the asymmetry of knowledge again. To make "safe" software implies the equation between defender and attacker is equal--and it isn't.

      To make software safe the defender must foresee every single attack vector and miss NOTHING. The attacker only needs ONE.

      This is an unwinnable fight. Can software be better? Absolutely. Can it be perfect? No. And until it can be perfect it will never be "fit to purpose".

      I'm a developer. I know any trivial piece of software can have thousands of execution paths, any one of which might (given other unforeseen circumstances elsewhere in the system) be a way to compromise the actions of the system.

      It's an arms race. Every time a class of vulnerability is locked down (a *class* of flaw mind you, not a single flaw) the attacker moves on to discover a new class of vulnerability. Or finds a way to sidestep the defenses.

      It's a never ending game. One that politicians are particularly inept at. Unless you specify the death penalty for the kinds of malware development going on today, are *perfect* in your capture of the bad guys, and never make any mistakes and have the state murder (excuse me, "execute") an innocent, then maybe you'll solve the problem with legislation.

      Having said that, having the users try to defend themselves is the most idiotic, near-criminally negligent advice I've ever heard anyone offer about computer security.

      Yes, they should be wary of "instantly become a stud-muffin" and "You can earn BEEELIONS in the stock market" type scam emails. Yes, they should absolutely install a good AV program, and a firewall. Yes, they should leave auto-patching on.

      But still. Expecting the average user to know how to defend themselves is like asking a ten year-old to defend themselves against a hostile nation state...