Monday, August 24, 2009

Dirty secrets and the non-existent perimeter

The perimeter is dead - long live the perimeter (the new perimeter, that is). Which obviously is the data.

I am also intrigued by an article by Joshua Corman from IBM, in CIO magazine, that discusses this. Check out Dirty Secret #3. "There is no perimeter". I love it. Mostly because it is true. And for some small selfish reasons as well... :)

Here is what he says - very eloquently, I might add...

"We need to define what the perimeter is," he said. "The endpoint is the perimeter, the user is the perimeter. It's more likely that the business process is the perimeter, or the information itself is the perimeter, too. If you design your security controls with no base assumption of a perimeter, when you have one you are more secure. The mistake we tend to make is, if we put the controls at the perimeter, then we will be fine. For many threats, we couldn't be more wrong."

The bold emphasis above is mine - and not from Joshua. But I do it to illustrate my point (which I put forth in a recent blog on the benefits of an information-centric security approach as well). Security professionals need to move beyond the perimeter and the thinking that has dominated for the past 30-40 years, and recognize that the world is different now.

For heaven's sake, the internet, which allows for rapid dissemination of data and collaboration, is already a teenager! Why do we still protect this environment with stuff built for the '70s?
