Updated: 9/8/2004; 10:55:18 PM.
Mark O'Neill's Radio Weblog
        

Friday, July 30, 2004

Is deperimeterization coming to the US?

Two related stories today.
 
First this:

Perimeter security has become obsolete, requiring a shift to a new model of "deperimeterization," Paul Simmonds, CISO of U.K.-based ICI, said in a keynote that kicked off the Black Hat Briefings Wednesday in Las Vegas.

The old hard-shell model of security isn't sustainable in light of the need for businesses to open up their networks to partners, consultants and clients, said Simmonds, one of the founders of the Jericho Forum, a European group of enterprise security chiefs promoting the concept of deperimeterization.
[ SC Magazine ]

And then this:

"Must mention the security here, impressive perimeter stuff, good searching, magnetometers etc. But completely blown by the personal passes that allow you in here. No individual identification whatever. The passes are passed about like confetti. I've even seen people trading them for tickets to various events like James Taylor at the Boston Pops. In other words no one in the world knows exactly who everyone in this place is. Easy prey for anyone who wished the event ill. Post 9/11 America could still learn so much from the Brits and their protective methodology against the IRA."
[ Jon Snow of Channel Four News quoted here - http://www.davosnewbies.com/2004/07/30#security101AndTheDnc ]

If you perform security checks only at the perimeter and do not actually enforce security at the resources you are protecting, you have the "hard crunchy shell and soft center" model. Once upon a time, this model was advocated by security professionals in firewall books and manuals. The problem is that you lose the security context once you have allowed the message (or person) through the perimeter: you no longer know where the message came from or where it was authenticated or, in the case of the DNC, who the person is and how they got through the security cordon.
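The difference can be sketched in a few lines. This is an added example, not part of the original post and not Vordel's product code. It assumes a gateway and an endpoint that share an HMAC key, and the function and field names are hypothetical.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the perimeter gateway and the endpoint.
SHARED_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300


def perimeter_admit(subject, method, payload, now=None):
    """Gateway: authenticate once, then bind the security context to the message."""
    context = {"sub": subject, "authn": method,
               "iat": int(time.time() if now is None else now),
               "body_sha256": hashlib.sha256(payload).hexdigest()}
    blob = json.dumps(context, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, blob, hashlib.sha256).hexdigest()
    return {"context": blob.decode(), "tag": tag, "payload": payload}


def soft_center_endpoint(message):
    """Perimeter-only model: anything that got inside is served."""
    return "served"


def enforcing_endpoint(message, allowed_subjects, now=None):
    """Endpoint enforcement: re-check who sent this and how they were authenticated."""
    blob = message.get("context", "").encode()
    expected = hmac.new(SHARED_KEY, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return "rejected: no verifiable security context"
    context = json.loads(blob)
    # A context copied onto a different message fails here.
    if hashlib.sha256(message["payload"]).hexdigest() != context["body_sha256"]:
        return "rejected: payload does not match context"
    current = time.time() if now is None else now
    if current - context["iat"] > MAX_AGE_SECONDS:
        return "rejected: context expired"
    if context["sub"] not in allowed_subjects:
        return "rejected: subject not authorized for this resource"
    return "served to %s (authenticated via %s)" % (context["sub"], context["authn"])
```

A message that reaches the endpoint without a verifiable context is served by `soft_center_endpoint` and refused by `enforcing_endpoint`, as is a valid context attached to a different payload.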

Vordel's products have been built to protect resources which are being exposed using XML (e.g. Web Services) by enforcing security at the protected resource itself. As well as providing perimeter security (an XML Firewall), we also provide security enforcement at the endpoint. We are in good company here - Cisco are also moving in this direction (see previous post: "If firewalls are the problem - can they also be the solution?").


    

© Copyright 2004 Mark O'Neill.
 