Security in the future: don’t fence me in

28 Sep 2004

To the ever-expanding vocabulary of IT terms we can now add another entry: deperimeterisation. Although it sounds like just another made-up buzzword, it actually signals a major shift in how information security needs to be managed.

In the past, security systems fulfilled the role of a ring fence around an organisation, protecting all inside it from harm. Now, with more users than ever working remotely, along with intelligent devices making their way inside the network, the notion of a wall or moat being strong enough to keep out intruders is fast becoming redundant.

That much was clear from IDC’s security conference held last week at the Guinness Storehouse in Dublin. The analyst firm hosted discussions from a slew of industry figures and more than one speaker dropped the ‘d’ word into their presentations.

The event was timely, taking place against a backdrop of growing concerns about security at all levels. Recent research from IDC into IT spending patterns showed that this year the issue has become the top priority for Irish companies. Much of the concern appears to be recent: in 2004 54pc of Irish organisations will implement security systems, compared with 32pc last year.

Any manager allocating a substantial section of their IT budget to security must face the reality that the gate-and-fence approach is no longer sufficiently secure. “It only takes one PC to infect the entire network,” said Conall Lavery, managing director of the security provider Entropy. “We’re going to have to change the way we do things.”

Niall Moynihan, European technical director of the security software developer Check Point Technologies, developed this theme further when he asked: “Where is the perimeter? It’s on every device. It’s all well and good having [blocking] technology at the perimeter, but you have to go back and put it on every machine. Today’s challenge is that you have laptops, mobile phones or memory sticks belonging to users who are walking in behind the perimeter and plugging them into the network.”

Cynics could argue that you would expect those in the security community to put forward this line of thinking, but the real-life experience on hand at the conference offered compelling supporting evidence.

Declan McKibben from RTÉ’s IT department spoke of the problems within the public service broadcaster as more users adopt mobile technology in various forms. In his case study, entitled ‘Locking down laptops’, McKibben noted: “It’s great for the programme makers but it’s a challenge for us to get it all working securely.”

If a radio or TV programme maker is working off the site and connects to the internet through an unsecured link, they risk being exposed to a virus or worm. On later connecting to RTÉ’s own network, a compromised machine would then have free rein to infect other systems, having bypassed all security controls such as the firewall. “The traditional gateway has evaporated; every device on your network is a perimeter to be defended,” said McKibben.

RTÉ’s solution, currently in proof-of-concept phase, is a combination of personal firewall software installed on each machine, along with strong authentication for users operating outside of the broadcaster’s network. Any PC that tries to connect to the network must first pass tests and must have the latest antivirus tool updated on their machine before access is granted. “This sounds very lengthy but it’s quick enough in practice,” said McKibben.
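The admission test McKibben describes, written out as a small policy check (an added illustration, not RTÉ’s code; the three-day signature-age limit and the device reports are assumed values constructed for the example):

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class DeviceReport:
    """State a connecting PC reports before it is allowed onto the network (constructed)."""
    hostname: str
    firewall_enabled: bool      # personal firewall running on the machine
    av_signature_date: date     # date of the latest antivirus update
    on_corporate_lan: bool      # False when connecting from outside the network
    strong_auth: bool           # token/certificate presented (assumed requirement for remote users)

MAX_SIGNATURE_AGE = timedelta(days=3)   # assumed policy value, not from the article
TODAY = date(2004, 9, 28)               # fixed reference date so the check is reproducible

def evaluate(report: DeviceReport, today: date = TODAY):
    """Return (admit, reasons): admit is True only when every control passes.

    Every failed control is listed rather than stopping at the first one, so
    the user can be told everything that must be fixed before reconnecting.
    """
    reasons = []
    if not report.firewall_enabled:
        reasons.append("personal firewall disabled")
    if today - report.av_signature_date > MAX_SIGNATURE_AGE:
        reasons.append("antivirus signatures out of date")
    if not report.on_corporate_lan and not report.strong_auth:
        reasons.append("remote connection without strong authentication")
    return (not reasons, reasons)

# Constructed sample devices: one compliant desktop, one stale remote laptop,
# one up-to-date laptop that skipped strong authentication.
SAMPLE_REPORTS = [
    DeviceReport("newsroom-pc-01", True, date(2004, 9, 27), True, False),
    DeviceReport("field-laptop-07", False, date(2004, 9, 10), False, True),
    DeviceReport("field-laptop-12", True, date(2004, 9, 28), False, False),
]

def admission_decisions(reports=SAMPLE_REPORTS, today: date = TODAY):
    """Map hostname -> (admit, reasons) for a batch of connecting devices."""
    return {r.hostname: evaluate(r, today) for r in reports}

if __name__ == "__main__":
    for host, (admit, reasons) in admission_decisions().items():
        print(host, "ADMIT" if admit else "DENY: " + "; ".join(reasons))
```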

Essential to supporting any security strategy such as this is a strong policy. It’s no longer simply a “nice to have” policy, said Thomas Raschke, program manager for European security products and strategies with IDC. “Policies are often overlooked and underestimated. Policies bridge the gap between technology on one hand and reality on the other – the people or users in your organisation.”

Lavery agreed that policy “plays a huge part in security. Almost none of us here has a business use for downloading MP3 files, so they are blocked from the network.”

Judging from the tenor of the presentations, security outsourcing now appears to be back in vogue, particularly – though not exclusively – for small to medium-sized enterprises. It had been on the agenda four years ago but the market wasn’t ready for it then and it never took off. The concept was sound, however, and now it’s back.

The argument is the same as before: many organisations lacking the in-house expertise can now turn to a third party to manage security for them, who sell this function back to the company as a service.

A new survey from consultants Ernst & Young, ironically released the same day as the IDC conference, supported what many of the speakers were saying. The trend towards outsourcing has led Ernst & Young to suggest, however, that organisations are finding it harder to keep control over their information and, consequently, senior management may not understand their company’s exposure to risk.

Speakers at the IDC event stressed that outsourcing the risk doesn’t mean removing all the responsibility. A question raised during the conference was whether outsourced security is an oxymoron: if it’s so important, why outsource it? “You’re only outsourcing the implementation, management and some of the technologies,” Lavery emphasised. “The organisation itself is still responsible.”

Simon Perry, vice president of security strategy at Computer Associates, pointed out that certain security-specific skills around analysing data are pretty rare and therefore worth outsourcing. “The pieces you should never outsource are strategy, training and education,” he said.

Drawing on the example of virus-ridden emails that lure users into clicking on them by tricks such as faked addresses or an enticing subject line, he added: “The reason people fall for social engineering tricks is because they haven’t been trained.”

The event wasn’t all doom and gloom, however, as a straw poll of attendees, conducted during a break in the conference, threw back some very encouraging results from an Irish point of view. Security appears to be finally getting recognition at senior levels in local organisations, with some respondents reporting that the CEO is the security sponsor and the IT manager drives this function. “That’s great – it’s not something we see a lot of,” commented Raschke.

By Gordon Smith

Traditional methods of locking down an organisation’s security are failing as insidious – and innocent – threats bypass the perimeter fences IT departments throw up.