Inside out: The vanishing perimeter and rising role of security
Jack Danahy, director of advanced security, IBM
For decades, security has been characterized by approaches that are founded in the tacit admission that systems and networks are inexpertly constructed and weak: that protection is required by, and not required of, the expanding population of connected devices.
Today's system breaches, exploits, and publicly acknowledged data and service losses are reality serving notice that, in spite of massive investments, the legacy security models are no longer sufficient, if they ever were.
Common security practices are most often based on "perimeterization."
Whether demarking internal networks from the outside world, or enforcing isolated execution on a shared system, the concept of a defensible security perimeter has been a comforting fiction since the emergence of multi-user systems and basic inter-networking.
The warning signs of inadequacy were always there, from the capability of viruses and worms to pass unmolested through these imaginary boundaries, to recurring warnings that insiders posed a significant threat. The signs weren't heeded, though, because the partition of inside and outside, trusted and untrusted, encouraged a misplaced feeling of safety on corporate and private networks. The focus on strong perimeter defenses allowed internal systems to remain weak and under-secured, and moved responsibility for security from the designers of the systems to the operators of the environment.
Over the course of the past five years, broad adoption of enablers in mobile and cloud technology and increased access brought by social media have forever removed even the illusion of this defensible perimeter. More and more data and processing are leaving the internal network, and a much greater number of unknown and untrusted entities are being invited in.
The evaporation of the perimeter has obviously increased the exposure of the enterprise to IT risk. When we add the reality of resource constraints and compliance pressures, we see 2013 as a year where security must emerge from its guild-like status to become a peer-level concern among business executives.
New security audiences, from general managers to contract attorneys, from entry-level programmers to boards of directors, are becoming engaged and involved in the definition and execution of what formerly was a purely technical and parochial security domain. The financial health and well-being of enterprises is now much more directly impacted by security concerns, and so security responsibilities and decision-making are becoming more strategic.
The security leaders that will thrive will be those who can communicate the need for real change into a language understood outside of the technologists' circle. In a recent study by IBM's Center for Applied Insights, roughly 25 percent of CISOs and security leaders already find themselves in this position, strategically advising and executing according to direction and priorities set with their organization's executives.
Systems have become too complex, and too unique, to apply traditional operational testing techniques. Everyday, systems are constructed and enhanced, yet, for all practical purposes, are untestable. There is a need for a new sensibility in system creation that recognizes the importance of security, one that includes new initiatives for traditionally untouched areas, such as security requirements gathering, component testability, supply chain assurance, and secure software design.
These changes are predicated upon a re-examination of the responsibilities underlying a secure infrastructure. Security now must move from capability to characteristic, where systems are constructed and deployed in a manner that considers security to be of peer value to performance and functionality.
A system that cannot be tested for security cannot be deployed. A design that creates functionality at the expense of practical validation must be rethought in order to balance the value it brings with the risk that it will likely introduce. Every single day, the problem of an untested and untestable threat surface multiplies with every new feature, every new system, and every new user. Changes in process and priority must be made now to have hope of ever really reducing these risks.
Any of these changes will take time. As with the evolution of any critical system, there cannot be a wholesale upgrade, either of systems or security practices. In the interim, while institutional will and capability mature, investments are needed to manage and balance the risk of the existing highly vulnerable state. New capabilities in data analytics, leading to anomaly and trend analysis, are creating opportunities for advanced correlation and rapid response.
Whether to mitigate the risks of current insecure environments or to gather data which will direct the vision for improving those environments in the future, these analytic platforms are going to become strategic identification and interdiction cornerstones during the next 15 to 20 years of this maturation process.
The impacts of this migration of responsibility will be felt in products, in organizations, in expectations and outputs. Organizations that understand this integrated need for security will develop new relationships, a new and common language for security, and will thrive. Organizations that look to apply yesterday's solutions, hoping to bury this new reality in yet more of the same, will find costs increasing while security suffers.
2013 is the year to re-evaluate and restart our relationship with security.
As director of advanced security, Jack Danahy is responsible for integrating new and developing security trends into IBM strategy, outreach, and product management.