If Charles Smith could go back to the early days of computer security, he would. Things were just so much easier back then.
Smith, chief information security officer for the Arizona Department of Economic Security, has, after all, been in the industry for 35 years. Starting his career in the U.S. military, and later moving on to build up security programs at PayPal, JP Morgan Chase and private aviation firm NetJets, Smith remembers a time, in the early 1990s, when all that really needed protecting was one thing: the corporate network.
Security pros have traditionally been taught to build up protections around the edges of their company's network. The strategy is referred to as perimeter security, defined in its most basic sense as the deployment of a set of controls that create a fortress around the network boundary, or where data flows to and from the internet and other networks.
“...technology has changed, and so too has the threat.”
– Charles Smith, CISO, Arizona Department of Economic Security
Perimeter defense controls can, these days, include everything from network routers, firewalls, intrusion detection and prevention systems, virtual private networks (VPNs) and demilitarized zones. These defenses essentially operate like a checkpoint, allowing authorized traffic to enter the environment while blocking the bad.
Years ago, enterprises could keep cyber intruders at bay by building this proverbial wall surrounding the enterprise IT network.
But, those days are long gone.“Over the last 10 to 15 years, there has been nothing but change to the landscape of information security,” Smith (right) says. “The reason there has been change is because technology has changed, and so too has the threat.”
Thanks to the recent proliferation of mobile devices, cloud computing, applications that can traverse firewall policies, and an influx of new IP-enabled technologies, the perimeter has become fuzzy, a distant memory of yesteryear. There is no such thing anymore as a single, unified environment.
Take, for instance, the Arizona Department of Economic Security, which is the largest agency in the Grand Canyon State, and handles benefits for children, the elderly, disabled and unemployed. Smith, who was brought onboard as CISO in February to formalize the agency's security operations, says yesterday's strategies are not sufficient for an organization with 200 offices scattered throughout the state and employees who regularly work from the road.
He says organizations today must adopt a layered security approach aimed at shoring up every possible entry point into the corporate network. Essentially, instead of building one large fortress of protection, organizations today must have many. He recommends that they build a framework of security “zones” for various users and assets, each with its own requirements and perimeter defenses.
“Today, quite frankly, I don't have a [single] perimeter,” Smith says.
Others agree that the network perimeter, over the past several years, has evolved into more of a concept than an actual thing, largely due to the rise of the mobile work force.
The perimeter is not disappearing though, says Jason Rhykerd, a consultant at System Experts, a network security consultancy. For many companies, it is actually expanding. Organizations still have a core boundary surrounding their network, but that is no longer enough. Defenses should cover all computing resources, wherever they are.
Take, for instance, someone working from a local coffee shop. This user is not outside of the network perimeter, but rather an extension of it, Rhykerd argues.Malcolm Harkins, chief information security officer at Intel, calls people the new perimeter. Harkins developed the concept in 2005, when mobile devices and social media were beginning to cause what some considered to be an erosion of the perimeter. At the time, Intel was already heavily mobile – smartphones had become ubiquitous among employees and every building had wireless access. Plus, social media was beginning to make waves and promised to become a tsunami-size issue in the future. Internally, Harkins and his team were discussing the apparent vanishing perimeter and, it occurred to him, the perimeter isn't disappearing – it is just moving.
Beyond the network, today's perimeter now extends to people, as well as devices and data, he says.
As part of Intel's revised strategy, Harkins says he ramped up user education, an effort that has already shown considerable benefits. Intel policy now allows for the personal use of corporate-issued mobile computing devices, which has ultimately given employees a greater stake in security, he says.
But, unlike Smith and Harkins, some security professionals have not altered their perimeter defense strategy and may consequently have a false sense of security, experts say.
Scott Laliberte (left), managing director for business consulting and internal auditing firm Protiviti, says a midsize financial services firm, which he would not name, experienced a “significant” breach of user data last year following a series of failures, starting with the CIO's reliance on traditional perimeter defenses.
In that case, a user with administrative rights, for reasons unknown, disabled anti-virus (AV) on their PC. One could easily guess what happened next – the machine was infected with malware. The nefarious program then spread to an internal server, which contained sensitive information, but was also not protected with AV for performance reasons. To make matters worse, the company's outbound firewall rule set wasn't restrictive, so the malware was ultimately able to siphon sensitive information out of the organization.
The kicker? Prior to the event, the CIO had questioned, “Why would I want to put anti-virus on an internal server and potentially affect its performance?,” Laliberte says. This is a point that makes sense given he already had strong perimeter controls and it was highly unlikely that a virus would get into his network.
Such incidents cause some security pros such as Josh Shaul (right), CTO at database security firm Application Security, to question the effectiveness of perimeter controls altogether. He says security practitioners the business should not spend any more time and resources expanding their network perimeters. They should instead focus on protecting data.“The more you build up your perimeter, the more someone finds a hole to get through it,” Shaul says.
Still, while some say the perimeter is dead, one would be hard pressed to find a company that is ripping out its firewalls, says Eric Maiwald, research vice president of security and risk management at Gartner. Defenses deep inside the network are becoming increasingly important, but many experts agree that layers of protection around the outside of it are still a necessary first line of defense – and a vital aspect of risk management.“In the end, we are talking about a control to help manage risk,” Maiwald says. “None of these controls take your risk to zero.”