Borderless business

Most senior IT executives at large organisations think they have security pretty much sewn up. Take the 40 high-level corporate security representatives at Axis Forum, the invitation-only gathering organised by authentication vendor RSA Security in Barcelona in November 2004. Two thirds believed they had the problem of viruses, hackers and unauthorised access well under control and security built tightly into all their key business processes.

But would their counterparts elsewhere in the business agree? Some of these colleagues are now complaining that security is getting in the way of the business's activities and that IT's next challenge is – having locked out the bad guys – to let in the good.

Any such notion demands a shift in current thinking. Instead of blocking threats at the perimeter, organisations need to evolve towards a ‘perimeterless' security structure that is less across-the-board and more granular in its application. In such a set-up, technologies such as federated identity management and web services play a key part in allowing discrete business units or groups of users, and their authorised partners, to interact without the impediment of traditionally-drawn security boundaries.

The old perimeter-based approach to security is already dissolving. The increased use of mobile devices, remote working or even hot-desking has meant it is no longer possible to clearly define – and therefore secure – an organisation's boundaries. Furthermore, existing security precautions are obstructing the business at many turns, whether by forcing users to remember a set of new passwords every few months, preventing the adoption of user-friendly (but not security-friendly) applications or hindering attempts to give external third parties access to specified parts of internal systems.

Leading much of the radical thinking in this area is the Jericho Forum, a ‘super-user group' made up of CIOs and CSOs (chief security officers) from large UK and multinational companies such as Royal Mail, ICI and BP. "If we didn't have a border we could do business direct from one company to another," says Paul Simmonds, ICI's security chief. "The Jericho Forum is all about looking at operating without a hardened perimeter."

The Forum is pressing IT security product vendors to establish better product interoperability and to develop the technologies necessary for enabling "secure, boundary-less information flows across organisations."

"The end state is going to be an environment where we would be fairly close to seamless interoperability of security information between services, [with] the ability to pass things like authentication and authorisation information over space and time, independent of physical location," says Tom Scholtz, a security analyst with the Meta Group. The data that makes up each communication will actually verify its own integrity, he says.

Many vendors struggle to articulate how their products fit into this perimeterless vision (see box). They are partly constrained by a paucity of standards – though this itself is due to a lack of cooperation. Check Point has done valuable work in this area through its OPSEC standards initiative, but product VP Dorit Dor says that standards cannot evolve in a vacuum.

"First you have to do something [proprietary] that works. Having already experienced it in practice, you then know what you want to achieve, making it easier to define the standard," she says. "If you start by defining the standard, then you just go through thousands of meaningless [standards body] meetings at which nothing gets decided." Standards will always lag behind technology by a few years. But while vendors deliberate on which approaches will evolve into standards, what can IT departments do to apply the Jericho Forum's principles?

Weak excuse

Of course, there would be no need for such thinking if the perimeter was actually fixed. "The idea of an electronic perimeter works fine when the IT infrastructure is 100% within the control of the organisation using it. This is seldom actually the case," says Mike Small, director of security strategy at systems management software vendor Computer Associates. "The construction of a strong network defence around the ‘perimeter' has been used to excuse the lack of protection internally." This is the so-called ‘hard shell, soft centre' approach to IT security: defences are strengthened to combat external threats, but once those bulkheads have been breached the organisation is utterly compromised.

At the same time, over-enthusiastic security managers can make controls more obstructive than they need be. "Many security guys still have the mindset that if you do security, you must do it 100% otherwise you shouldn't bother," says Scholtz. "The emphasis should be on acceptable risk, realising that if there's no risk there's no return and no business – the essence of capitalism."


The technologies of deperimeterisation

A common complaint of most IT systems is that they were not designed with security in mind. XML and web services have an advantage in this, thanks to (consolidating) standards and the fact that they can be encrypted, signed and time-stamped, all of which moves security to the data level.
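The point of "security at the data level" is that the protection travels with the message rather than with the network it crosses, so a receiver can check integrity and freshness wherever the message arrives (the self-verifying data Scholtz describes above). The following is an added example, not code from the article or from any vendor named in it: it wraps a payload in an envelope carrying a sender name, a timestamp and an integrity tag, and verifies both the tag and a replay window on receipt. It uses a constructed shared HMAC key as a stand-in for the per-party signing keys an XML Signature deployment would use; the key, the 300-second window and the sample quote payload are all assumptions made for the demo.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared key for the demo. A real deployment would use XML Signature
# with per-party keys rather than one shared secret (assumption, not from the article).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 300  # replay window; assumed value


def _canonical(sender: str, issued_at: int, payload: dict) -> bytes:
    # Signer and verifier must hash exactly the same bytes, so serialise deterministically.
    doc = {"sender": sender, "issued_at": issued_at, "payload": payload}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(payload: dict, sender: str, key: bytes = SHARED_KEY,
         issued_at: Optional[int] = None) -> dict:
    """Wrap a message so it carries its own timestamp and integrity tag.

    Whatever transport or intermediaries the envelope passes through, the
    receiver can check it on arrival: the protection travels with the data.
    """
    ts = int(time.time()) if issued_at is None else issued_at
    tag = hmac.new(key, _canonical(sender, ts, payload), hashlib.sha256).hexdigest()
    return {"sender": sender, "issued_at": ts, "payload": payload, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY, now: Optional[int] = None,
           max_age: int = MAX_AGE_SECONDS) -> Tuple[bool, str]:
    """Return (ok, reason). Integrity is checked first, then freshness."""
    now = int(time.time()) if now is None else now
    try:
        issued_at = envelope["issued_at"]
        tag = envelope["tag"]
        if not isinstance(issued_at, int) or not isinstance(tag, str):
            return False, "malformed envelope"
        expected = hmac.new(key, _canonical(envelope["sender"], issued_at, envelope["payload"]),
                            hashlib.sha256).hexdigest()
    except (KeyError, TypeError):
        return False, "malformed envelope"
    # Constant-time comparison so tag checking does not leak timing information.
    if not hmac.compare_digest(expected, tag):
        return False, "integrity check failed"
    age = now - issued_at
    if age < 0 or age > max_age:
        return False, "timestamp outside accepted window"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a broker sending a quote to an insurer.
    env = seal({"quote_id": "Q-1001", "premium": 120.0}, sender="broker-a")
    print(verify(env))
    env["payload"]["premium"] = 1.0  # simulate modification in transit
    print(verify(env))
```

Two design choices matter here. The canonical serialisation step is what makes the tag reproducible on the receiving side; without it, an equivalent message with different key ordering would fail verification. And the freshness check is deliberately separate from the integrity check: a perfectly valid envelope replayed a day later still carries a correct tag, so the timestamp has to be part of what is signed and has to be checked against a bounded window.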

Although very few organisations are attempting to implement data-level security, identity management technology is already allowing security to be applied at an individual or role level, while single sign-on takes away much of the pain of dealing with multiple and changing passwords. Offerings from companies such as RSA, IBM, Netegrity and Novell ensure users within and outside the organisation can enter the network under pre-defined access rights: they get to the information relevant to them and nothing else.

An associated benefit of identity management is its ability to provide an audit trail of users' access (and attempted access) – a common compliance requirement. Although the current regulatory environment may seem to run against the notion of opening up systems to outsiders, the more granular approach to security that accompanies deperimeterisation can mean security events are more easily tracked.

Deploying security at the end point is already an element of many security policies but having to apply that to external third parties can be difficult to manage and support. Experts say a clientless approach can alleviate the architectural challenges. "Instead of enforcing your whole security policy, it validates what your security clearances are," says Dorit Dor, Check Point's VP for products.

Tailor-made security products are being developed that allow location-based security policies to be applied across multiple applications. This helps overcome the problems of bringing technologies designed for external use into the organisation, or vice versa.

Employees' mobile devices can be secured by network quarantine products. If a laptop tries to connect to the network without the necessary security measures, networks are protected, while users are given all possible help to enable them to comply with security requirements. Forrester says Cisco's acquisition of Perfigo and its ‘CleanMachines' technology gives it an edge in this market, though Check Point and Sygate also provide products in this area. Similarly, deploying containment technology, should the organisation's defences be breached, is a more realistic approach to security than aiming for 100% lockdown.

Analysts also support vendors' recommendations that users should buy an integrated security suite from the same source, rather than a hotchpotch of point products. Consolidation in the market has made this a viable, and necessary, option, at least until there are improvements in vendors' interoperability, which the Jericho Forum hopes to hasten.


This challenge is inextricably linked to an overall lack of faith in IT's contribution to the business in general. That renowned business/IT divide is perhaps greater in security than anywhere else.

"IT has been kept out of the boardroom because it did not fulfil the aspirations of the business: projects come in late and IT is seen as a show-stopper, slowing down the business," says Bart De Maertelaere, head of security services for EMEA at IT services provider Unisys. "Senior executives are fed up and bored with hearing doomsday security scenarios. They want a positive face and a realistic approach."

That approach involves adopting a business-orientated security mindset, one that is focused on service availability. De Maertelaere suggests that this actually might provide the basis of IT's rehabilitation within the business. "The opportunity for security to enable the business will allow IT back into the boardroom," he says. "Business people will re-respect IT people."

Model breakdown

With that prospect in mind, IT management in certain sectors is embracing the idea of deperimeterisation with some enthusiasm. Alongside pharmaceuticals and healthcare, the insurance sector is one industry cited as having already benefited from deperimeterisation. One Unisys customer, for example, has 40 alliances with companies that offer complementary products. But when the insurance company's agents wanted to pull in quotes, they were faced with 40 separate log-ins. The system was so complicated that it actually started to have an impact on staff retention. De Maertelaere says that alleviating that through the introduction of a single sign-on system has since "boomed the business dramatically", giving greater access to saleable material and so increasing the upselling potential.

Analysts from Meta Group note that the insurance industry is also a relatively early adopter of web services, as companies seek to share business functions. The technology allows businesses to take the benefits of the Internet one step further, with seamless business-to-business communications, says Scholtz. "Web services will break down the old security models and make deperimeterisation a reality."

But web services pose a problem for traditional firewalls: SSL encryption allows them to pass through unchallenged. Also, many application-to-application web services sit on top of the web stack, so rather than using individually allocated ports, everything is sent via web ports, which firewalls do not usually control. Indeed one of the original drivers for web services was the difficulty that firewalls create when protecting traditional applications. "When firewall administrators look at web services, they almost think it's some sort of conspiracy designed to get round everything they've put in place," says Mark O'Neill, CTO of Vordel, a web services security provider.
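The problem O'Neill describes is that a packet filter only sees addresses and ports, and web service calls all arrive on the same web port inside TLS, so the filter cannot tell one operation from another. The defender's answer is an application-layer gateway that terminates TLS and validates the message itself before forwarding it. The following added example (not code from the article, Vordel or any other vendor) contrasts the two: a port-based rule that passes any web traffic, and a gateway check that parses the SOAP envelope, rejects DTDs and oversized bodies, and forwards only operations on a per-service allow-list. The service path, the operation names and the sample envelopes are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BODY_BYTES = 64 * 1024  # assumed limit

# Operations the gateway will forward, per exposed service path (constructed allow-list).
ALLOWED_OPERATIONS: Dict[str, FrozenSet[str]] = {
    "/quotes": frozenset({"GetQuote", "ListProducts"}),
}


def port_filter(dst_port: int) -> str:
    """What a traditional packet filter can decide: it sees only the port, never the call."""
    return "allow" if dst_port in (80, 443) else "deny"


def ws_gateway(path: str, body: str) -> Tuple[str, str]:
    """Application-layer check run after TLS termination at the gateway.

    Returns ("allow", operation) or ("deny", reason). Default is deny.
    """
    if path not in ALLOWED_OPERATIONS:
        return "deny", "unknown service path"
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return "deny", "body exceeds size limit"
    # Refuse any document type declaration: SOAP does not need DTDs, and entity
    # expansion is a well-known way to exhaust an XML parser.
    if "<!DOCTYPE" in body:
        return "deny", "DTD not permitted"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "deny", "malformed XML"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return "deny", "not a SOAP envelope"
    body_el = root.find(f"{{{SOAP_NS}}}Body")
    if body_el is None or len(body_el) != 1:
        return "deny", "expected exactly one operation in Body"
    operation = body_el[0].tag.split("}")[-1]  # strip the namespace prefix
    if operation not in ALLOWED_OPERATIONS[path]:
        return "deny", f"operation {operation} not permitted"
    return "allow", operation


# Constructed sample messages: one expected call and one the service never offered.
SAMPLE_GET_QUOTE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><GetQuote xmlns="urn:demo"><product>motor</product></GetQuote></soap:Body>'
    '</soap:Envelope>'
)
SAMPLE_UNEXPECTED = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><PurgeQuotes xmlns="urn:demo"/></soap:Body>'
    '</soap:Envelope>'
)

if __name__ == "__main__":
    # The packet filter passes both calls; only the gateway can tell them apart.
    print(port_filter(443), ws_gateway("/quotes", SAMPLE_GET_QUOTE))
    print(port_filter(443), ws_gateway("/quotes", SAMPLE_UNEXPECTED))
```

The gateway makes its decision on the parsed operation name, not on a string match over the raw body, which is why the namespace is stripped only after parsing. A production gateway would go further (schema validation of the operation's parameters, and a hardened parser in place of the standard library one), but the allow-list-by-operation step is the part that a port-based firewall structurally cannot do.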

O'Neill notes that most web services deployments remain within closed user groups, rather than shared across the public Internet. As such, with few organisations willing to ‘rip and replace' existing security arrangements, deperimeterisation remains a longer-term vision, especially as its current incarnation looks more like an enlarged perimeter than a demolished one.

Segmented security

Art Coviello, CEO of RSA Security, believes that uptake of federated identity authentication will start with "communities of interest" such as associated groups in the travel or financial services industries, before widening to encompass varying industries. But RSA hopes that with online service provider AOL issuing its premium customers SecurID two-factor authentication tokens, other consumer businesses such as banks might form partnerships that are happy to deal openly with users whose identities have been federated in this way.

However, such communities still need to be segmented internally – not just by company but also by department. "We are seeing organisations taking a more domain-based approach," says Scholtz. "So rather than treating the whole organisation and its partners as one big group that we have to protect, we have to be more granular. We can start breaking it up into logical entities such as business units, application groups or physical locations."

This approach allows for a more nuanced security policy. "Probably one of the biggest downfalls [of perimeter-based security] is that because we're all inside the same perimeter we must all comply with the same security policies and requirements that apply to everyone," says Scholtz. "Taking a more segmented approach helps us move towards a more stratified way in which we do security. It also allows us to become a lot more specific to the requirements of separate entities within the business."
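Scholtz's domain-based approach, and the identity-management box earlier ("they get to the information relevant to them and nothing else"), both come down to the same rule: rights are granted per logical entity, and nothing carries across domains unless that domain's own policy admits it. The following added example (not code from the article or any product it mentions) models that. Each domain owns a policy that maps roles to actions and states which other domains or federated partners it admits, and with what local role; a subject's roles are scoped to the domain that issued them, so an insurer's underwriter and a federated broker each get exactly what the target domain grants them and nothing more. The domains, roles, actions and users are all constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    home_domain: str                      # business unit or partner org the identity comes from
    roles: FrozenSet[str] = frozenset()   # roles held in the home domain only
    federated: bool = False               # True when asserted by a partner's identity provider


@dataclass
class DomainPolicy:
    """Policy owned by one logical entity (business unit, application group, site)."""
    name: str
    grants: Dict[str, FrozenSet[str]] = field(default_factory=dict)   # role -> actions
    # Outside sources this domain admits, and the single local role each receives.
    # Keyed ("domain", name) for other internal units, ("partner", name) for federated orgs.
    admits: Dict[Tuple[str, str], str] = field(default_factory=dict)


def roles_in_domain(subject: Subject, policy: DomainPolicy) -> FrozenSet[str]:
    """Roles are scoped to a domain; a home role never carries over implicitly."""
    if subject.home_domain == policy.name and not subject.federated:
        return subject.roles
    source = ("partner" if subject.federated else "domain", subject.home_domain)
    mapped = policy.admits.get(source)
    return frozenset([mapped]) if mapped else frozenset()


def authorise(subject: Subject, policy: DomainPolicy, action: str) -> Tuple[bool, str]:
    """Default deny: an action is allowed only if some in-domain role grants it."""
    held = roles_in_domain(subject, policy)
    permitted = frozenset().union(*(policy.grants.get(r, frozenset()) for r in held))
    if action in permitted:
        return True, f"{action} in {policy.name} via {sorted(held)}"
    return False, f"{action} in {policy.name} denied (roles held: {sorted(held)})"


# Constructed policies for two business units of an insurer.
UNDERWRITING = DomainPolicy(
    name="underwriting",
    grants={"underwriter": frozenset({"read-quote", "write-quote"}),
            "quote-reader": frozenset({"read-quote"})},
    admits={("partner", "broker-co"): "quote-reader",   # federated brokers may read quotes
            ("domain", "claims"): "quote-reader"},      # claims staff may read, never write
)
CLAIMS = DomainPolicy(
    name="claims",
    grants={"adjuster": frozenset({"read-claim", "settle-claim"}),
            "claim-viewer": frozenset({"read-claim"})},
    admits={("domain", "underwriting"): "claim-viewer"},  # broker-co is not admitted at all
)

# Constructed subjects: an internal underwriter and a federated broker who is an admin at home.
ALICE = Subject("alice", "underwriting", frozenset({"underwriter"}))
BOB = Subject("bob", "broker-co", frozenset({"admin"}), federated=True)

if __name__ == "__main__":
    for subj, dom, act in [(ALICE, UNDERWRITING, "write-quote"), (ALICE, CLAIMS, "settle-claim"),
                           (BOB, UNDERWRITING, "read-quote"), (BOB, CLAIMS, "read-claim")]:
        print(authorise(subj, dom, act))
```

The instructive case is Bob: his "admin" role means nothing outside broker-co, and the claims domain, which never listed broker-co as an admitted partner, returns an empty role set for him before any action is even considered. That is the segmentation Scholtz describes, expressed as data rather than as one organisation-wide policy.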

He warns that deperimeterisation is likely to create plenty of new management challenges of its own. One of the stickiest criticisms of the Jericho Forum's ideas is that they will prove too expensive and complicated to implement. Above all, it is much harder to enforce security policies on those outside the organisation over whom the IT department has no direct control. And adoption of new sets of technologies to manage the security of perimeterless domains will inevitably add complexity, often cited as the enemy of security.

What is clear though is that the current approach of blocking and firefighting has reached a point where it is doing both good and harm to the business. And perhaps that demands that walls need to come down rather than be fortified.


Ben Rossi
