'Your borders are porous', IT pros told

Infosecurity 2006: Security professionals overwhelmingly agreed that network border security is becoming an anachronism

Security professionals have been advised to accept that organisations' perimeters are now open, and to start designing future systems architecture to account of this.

In a debate at the Infosecurity conference in London on Wednesday, security experts argued that maintaining security at the boundaries of an organisation had become unworkable, thanks to an increasingly mobile workforce, Internet interaction with customers, partnership programmes between organisations, and third party contractors who work and communicate over the Web.

"As organisations, our perimeters are becoming more and more porous," said Paul Simmonds, global information security director for ICI.

"Hackers target email and Web applications to get into the organisation. We have umpteen people managing our systems — contractors, who themselves sub-contract, probably to India," Simmonds added. "Deperimeterisation has happened whether you like it or not."

Deperimeterisation — where the security emphasis is moved from the edge of the network and onto individual devices, and ultimately to individually encrypted data packets — became a fact for ICI with increasing employee mobility, Simmonds argued.

"ICI has 6,000 laptops roaming around the world. The bottom line is that they are connecting outside of ICI's closed environment," said Simmonds. "This is the industry's dirty little secret — 'You know that expensive firewall I bought last year? Well, it's no longer enough.'"

Nick Bleech, IT security director for Rolls Royce, said security professionals should not drop their current perimeters, but instead should plan for the future.

"This is about the next five to 10 years. From an architectural perspective we have to start thinking away from the perimeterised paradigm," said Bleech.

Both Simmonds and Bleech are members of the Jericho Forum, a group of blue-chip companies which advocates security through deperimeterisation and open standards. BP, another member, is putting its laptops directly onto the Internet rather than its local area network.

On the other side of the debate, Mark Waghorne, principal adviser for KPMG, argued that in fact there was no such thing as deperimeterisation, and that instead organisations should redefine their boundaries.

"If anything, the world is heading towards reperimeterisation. You have to look at how you manage your assets. To suggest the only sensible architecture needs to be built on the deperimeterised paradigm is irresponsible. Would you put your trading, or process control network on the Internet?" said Waghorne.

Bleech replied that organisations' supervisory control and data acquisition systems (SCADAs) are already vulnerable to attack because they were linked to Web-facing business systems.

"The reality is SCADA systems have 12 different business systems feeding into them," said Bleech.

Dan Blum, senior vice president and research director for Burton Group, disagreed, and said that deperimeterisation was not an architecture, but rather a process.

"In many cases we're being forced to deal with a sub-optimal situation," said Blum. He recommended perimeterising "zones of trust" for the enterprise.

"We have a restricted zone for the backend, a protected business zone, and an outer zone allowing access to the Net. These perimeters are maintained by dedicated firewalls. You can control data flow and use between the different zones," said Blum.

The debate ended with a vote from the audience of security professionals, who overwhelmingly agreed that responsible security architecture should be based on deperimeterisation.

Other organisations have also accepted that they need to structure their systems to account for the erosion of traditional boundaries. Richard Cross, information security officer for Toyota Europe, told ZDNet UK in February that the car giant was working towards deperimeterisation.

"Deperimeterisation has already happened. It's a fact of life, so deal with it," said Cross. "You need technical and procedural security, and overlapping defences, but the furthest extent of the network perimeter is the head of your employee — it's your people," Cross added.