Monday, May 5, 2008

Dirty secret #2 - the perimeter is dead!

Just came across an interesting article in Network World on the dirty secrets of security vendors. While I agree with some, disagree with a few, it was #2 that caught my eye.

The author, Joshua Corman, claims, "There is no perimeter". Paraphrasing him -

Vendors say that the network perimeter must be defended, but most data that is actually lost doesn’t go through the firewall. Half of all breaches are the result of either lost laptops or lost thumb drives or other removable media. Businesses need to tighten up their business processes at least as much as they need to tighten up network perimeters, he says. “If you still believe in perimeters, you may as well believe in Santa Claus,” he says.

Not sure I believe in Santa Claus, but that's not the reason I agree with Mr Corman. I do believe that a data-centric or information-centric approach to security is the right one. Protecting devices, ports, networks, perimeters might become a thing of the past. Security vendors will evolve towards offering protection at the data level..

When? Now that's a completely separate discussion, though some are further along in reaching this goal than others....


CG said...

"the perimeter is dead"

i'll believe that when they show me that their organization has no firewall, no proxies of any kind, no inbound or outbound filtering and no router ACLs.

laptop loss and data being stolen by employees isnt even in the same category as network defenses and does NOT mean you can get rid of all the "old" perimeter security.

a more accurate analogy may be that the perimeter is now a chain link fence where things can readily be passed through by willing parties on the "protected" side but still keeps most unwanted people out.

Manu Namboodiri said...

No doubt there are very few organizations going to that level of dropping perimeters. However, the vision, I feel, is very real - the perimeter of the future (I like the chain link analogy!) will become less important in the while scheme of protection. I am not sure it will ever fully go away, but the focus will turn towards a data-centric model...