Most senior IT executives at large organisations think they have security pretty much sewn up. Take the 40 high-level corporate security representatives at Axis Forum, the invitation-only gathering organised by authentication vendor RSA Security in Barcelona in November 2004. Two thirds believed they had the problem of viruses, hackers and unauthorised access well under control and security built tightly into all their key business processes.
But would their counterparts elsewhere in the business agree? Some of these colleagues are now complaining that security is getting in the way of the business's activities and that IT's next challenge is – having locked out the bad guys – to let in the good.
Any such notion demands a shift in current thinking. Instead of blocking threats at the perimeter, organisations need to evolve towards a ‘perimeterless' security structure that is less across-the-board and more granular in its application. In such a set-up, technologies such as federated identity management and web services play a key part in allowing discrete business units or groups of users, and their authorised partners, to interact without the impediment of traditionally-drawn security boundaries.
The old perimeter-based approach to security is already dissolving. The increased use of mobile devices, remote working or even hot-desking has meant it is no longer possible to clearly define – and therefore secure – an organisation's boundaries. Furthermore, existing security precautions are obstructing the business at many turns, whether by forcing users to remember a set of new passwords every few months, preventing the adoption of user-friendly (but not security-friendly) applications or hindering attempts to give external third parties access to specified parts of internal systems.
Leading much of the radical thinking in this area is the Jericho Forum, a ‘super-user group' made up of CIOs and CSOs (chief security officers) from large UK and multinational companies such as Royal Mail, ICI and BP. "If we didn't have a border we could do business direct from one company to another," says Paul Simmonds, ICI's security chief. "The Jericho Forum is all about looking at operating without a hardened perimeter."
It is pressing IT security product vendors to establish better product interoperability and develop technologies that are necessary for enabling "secure, boundary-less information flows across organisations."
"The end state is going to be an environment where we would be fairly close to seamless interoperability of security information between services, [with] the ability to pass things like authentication and authorisation information over space and time, independent of physical location," says Tom Scholtz, a security analyst with the Meta Group. The data that makes up each communication will actually verify its own integrity, he says.
Many vendors struggle to articulate how their products fit into this perimeterless vision (see box). They are partly constrained by a paucity of standards – though this itself is due to a lack of cooperation. Check Point has done valuable work in this area through its OPSEC standards initiative, but product VP Dorit Dor says that standards cannot evolve in a vacuum.
"First you have to do something [proprietary] that works. Having already experienced it in practice, you then know what you want to achieve, making it is easier to define the standard," she says. "If you start by defining the standard, then you just go through thousands of meaningless [standards body] meetings at which nothing gets decided." Standards will always lag behind technology by a few years. But while vendors deliberate on which approaches will evolve into standards, what can IT departments do to apply the Jericho Forum's principles?
Of course, there would be no need for such thinking if the perimeter was actually fixed. "The idea of an electronic perimeter works fine when the IT infrastructure is 100% within the control of the organisation using it. This is seldom actually the case," says Mike Small, director of security strategy at systems management software vendor Computer Associates. "The construction of a strong network defence around the ‘perimeter' has been used to excuse the lack of protection internally." This is the so-called ‘hard shell, soft centre' approach to IT security: defences are strengthend to combat external threats, but once those bulkheads have been breached the organisation is utterly compromised.
At the same time, over-enthusiastic security managers can make controls more obstructive than they need be. "Many security guys still have the mindset that if you do security, you must do it 100% otherwise you shouldn't bother," says Scholtz. "The emphasis should be on acceptable risk, realising that if there's no risk there's no return and no business – the essence of capitalism."
This challenge is inextricably linked to an overall lack of faith in IT's contribution to the business in general. That renowned business/IT divide is perhaps greater in security than anywhere else.
"IT has been kept out of the boardroom because it did not fulfil the aspirations of the business: projects come in late and IT is seen as a show-stopper, slowing down the business," says Bart De Maertelaere, head of security services for EMEA at IT services provider Unisys. "Senior executives are fed up and bored with hearing doomsday security scenarios. They want a positive face and a realistic approach."
That approach involves adopting a business-orientated security mindset, one that is focused on service availability. De Maertelaere suggests that this actually might provide the basis of IT's rehabilitation within the business. "The opportunity for security to enable the business will allow IT back into the boardroom," he says. "Business people will re-respect IT people."
Model break down
With that prospect in mind, IT management in certain sectors are embracing the idea of deperimeterisation with some enthusiasm. Alongside pharmaceuticals and healthcare, the insurance sector is one industry cited as having already benefited from deperimeterisation. One Unisys customer, for example, has 40 alliances with companies that offer complementary products. But when the insurance company's agents wanted to pull in quotes, they were faced with 40 separate log-ins. The system was so complicated that it actually started to have an impact on staff retention. De Maertelaere says that alleviating that through the introduction of a single sign-on system has since "boomed the business dramatically", giving greater access to saleable material and so increasing the upselling potential.
Analysts from Meta Group note that the insurance industry is also a relatively early adopter of web services, as companies seek to share business functions. The technology allows businesses to take the benefits of the Internet one step further, with seamless business-to-business communications, says Scholtz. "Web services will break down the old security models and make deperimeterisation a reality."
But web services pose a problem for traditional firewalls: SSL encryption allows them to pass through unchallenged. Also, many application-to-application web services sit on top of the web stack, so rather than using individually allocated ports, everything is sent via web ports, which firewalls do not usually control. Indeed one of the original drivers for web services was the difficulty that firewalls create when protecting traditional applications. "When firewall administrators look at web services, they almost think it's some sort of conspiracy designed to get round everything they've put in place," says Mark O'Neill, CTO of Vordel, a web services security provider.
O'Neill notes that most web services deployments remain within closed user groups, rather than shared across the public Internet. As such, with few organisations willing to ‘rip and replace' existing security arrangements, deperimeterisation remains a longer-term vision, especially as its current incarnation looks more like an enlarged perimeter than a demolished one.
Art Coviello, CEO of RSA Security, believes that uptake of federated identity authentication will start with "communities of interest" such as associated groups in the travel or financial services industries, before widening to encompass varying industries. But RSA hopes that with online service provider AOL issuing its premium customers SecurID two-factor authentication tokens, other consumer businesses such as banks might form partnerships that are happy to deal openly with users whose identities have been federated in this way.
However, such communities still need to be segmented internally – not just by company but also by department. "We are seeing organisations taking a more domain-based approach," says Scholtz. "So rather than treating the whole organisation and its partners as one big group that we have to protect, we have to be more granular. We can start breaking it up into logical entities such as business units, application groups or physical locations."
This approach allows for a more nuanced security policy. "Probably one of the biggest downfalls [of perimeter-based security] is that because we're all inside the same perimeter we must all comply with the same security policies and requirements that apply to everyone," says Scholtz. "Taking a more segmented approach helps us move towards a more stratified way in which we do security. It also allows us to become a lot more specific to the requirements of separate entities within the business."
He warns that deperimeterisation is likely to create plenty of new management challenges of its own. One of the stickiest criticisms of the Jericho Forum's ideas is that they will be prove too expensive and complicated to implement. Above all, it is much harder to enforce security policies on those outside the organisation over whom the IT department has no direct control. And adoption of new sets of technologies to manage the security of perimeterless domains will inevitably add complexity – often cited as the enemy of security.
What is clear though is that the current approach of blocking and firefighting has reached a point where it is doing both good and harm to the business. And perhaps that demands that walls need to come down rather than be fortified.