Perimeter – “outer limits of a military position.
The area beyond the perimeter belongs to the enemy.”
This is a guest post by Mr. Moshe Ferber. Mr. Ferber is Co-Chairman of the Israeli Chapter of the CSA, and a cloud security entrepreneur and lecturer with over 20 years’ experience in information security. He has served in various capacities in the information security field and has been involved in major projects at leading organizations worldwide.
In 1950, Secretary of State Dean G. Acheson gave one of the most important and controversial US policy statements in the early history of the Cold War. This statement was later considered to be one of the reasons for the outbreak of the Cold War, and it was not about what Acheson was saying, it was about what he was not saying. In his speech, Acheson drew the borders of the US “defensive perimeter” in the Pacific, and omitted the Republic of Korea from it. Critics immediately pointed out to Acheson that by excluding Korea from the protecting perimeter, he was giving Pyongyang the “green light” to pursue forcible reunification, which is exactly what happened less than 6 months later.
The military definition of perimeter is simple – we are inside, the enemy is outside. In information security, the term perimeter has come to mean something different. The concept of today’s perimeter started to take shape during the mid-90s, with the appearance of stateful firewalls and the fast spread of Internet and e-mail services. Back then we started building networks with clear borders and walls to mark the perimeter, and the interesting thing is that almost immediately after we defined the perimeter, we started piercing holes into the very same walls we had built:
The first cracks in the walls of the perimeter appeared in the 90s with the emerging VPN technology that helped connect the new global economy and, while doing so, changed the way we see internal and external. This question mark about in and out continued with the appearance of the Extranet, Intranet, ASP and e-commerce sites that relied on complex DMZ layouts and external network classifications, which also stretched and twisted the traditional concept of the perimeter.
In 2001, a Royal Mail employee named Jon Measham published a research paper about the need to re-think the borders of IT infrastructure and coined the term De-Perimeterisation – a concept describing the need for organizations to enable better business-to-business and business-to-customer transactions and services.
At the beginning of the 21st century the phenomenon of cutting through the perimeter fences continued as Measham expected. SSL-based VPNs and WiFi networks enabled more people, such as customers and partners, to access the enterprise network. API gateways and machine-to-machine interfaces emerged to add more connectivity, inbound and outbound, and the HTTP protocol evolved to a point where it almost made the traditional firewall useless. At this point it started to become clear that the concept of “friends inside, enemies outside” could not last for long.
In January 2004, a group of leading security professionals from different industry organizations established the Jericho Forum. They aimed to drive and influence the development of security standards that would meet future business needs, and decided to adopt Jon Measham’s De-Perimeterisation approach and focus on solving the problems posed by the De-Perimeterisation process. The result was published as the Jericho Forum Commandments, a list of 11 principles that define what must be observed when planning for security in the new world. According to the Jericho Forum, De-Perimeterisation “has happened, is happening, and is inevitable” and organizations should “plan for it and should have a roadmap of how to get there”.
Following the Jericho Forum’s publications, several respected companies announced their commitment to the cause. Energy group BP announced that it would remove 18,000 laptops from its secure LAN and connect them straight to the Internet; KLM and ICI also came forward with similar statements. All of them said they preferred moving to data-centric security, where the security controls are placed around the relationship between the user and the data.
But only a couple of years later, with the appearance of mobile computing and cloud computing, it became clear that the perimeter concept had to change entirely. The combination of new technologies and business requirements is causing IT decision makers to rethink the borders of the perimeter in order to avoid excluding valuable assets and to prevent ‘another Korea’.
Mobile computing made organizations understand that users can be simultaneously inside and outside. Cloud computing has also forced organizations to think about how to protect their data even when it is placed in an untrusted environment such as an external cloud provider. Both concepts are really hard to digest when you examine them with traditional information security methodologies.
So what should the guidelines of security be in the new era? A recent document by the CSA discussing the Software Defined Perimeter (SDP) does a great job of assembling the right building blocks of the new approach to enterprise security. SDP binds together security technologies that until now were managed separately. It combines traditional “hardware-based” technologies like VPN and IPsec with new, emerging “software-based” technologies such as identity federation and device policy checklists for attestation. The basic concept behind SDP is the observation that each system must protect itself, thus allowing organizations to build smaller secure islands (scattered across different providers) instead of one big secure network perimeter. Furthermore, under SDP, all application access must be allowed only after proper authentication, authorization, and device attestation.
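The access rule just described (deny by default; allow only after the user is authenticated, the user is authorized for that specific application, and the device has attested to an acceptable posture) can be shown as a small policy enforcement point. The code below is an added example and is not taken from the CSA’s SDP document or from any vendor product. The HMAC-signed token format, the role-to-application table, the posture baseline, the shared secrets and the device-to-user binding are all constructed assumptions for illustration.

```python
"""SDP-style access gate: deny by default, allow only after identity,
authorization and device attestation checks all pass.

Added illustration, not code from the CSA SDP document. The token format,
policy table, posture baseline and secrets are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed shared secrets; in a real deployment these live in a KMS/HSM.
IDP_SECRET = b"constructed-identity-provider-key"
DEVICE_SECRET = b"constructed-device-agent-key"

# Constructed policy: which roles may reach which protected application.
APP_POLICY = {
    "payroll": {"finance", "admin"},
    "wiki": {"finance", "engineering", "admin"},
}
# Constructed posture baseline a device must attest to before access is granted.
REQUIRED_POSTURE = {"disk_encrypted": True, "os_patched": True, "agent_running": True}


def _sign(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue(secret, claims):
    """Mint an HMAC-signed claim set (identity token or device attestation)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{body}.{_sign(secret, body.encode())}"


def verify(secret, token, now):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        body, sig = token.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(secret, body.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class Decision:
    allowed: bool
    reason: str


def gate(app, identity_token, device_token, now=None):
    """Policy enforcement point: every branch except the last one denies."""
    now = time.time() if now is None else now
    user = verify(IDP_SECRET, identity_token, now)
    if user is None:
        return Decision(False, "authentication failed")
    if app not in APP_POLICY:
        return Decision(False, "unknown application")  # unlisted apps are never default-allowed
    if user.get("role") not in APP_POLICY[app]:
        return Decision(False, "not authorized for application")
    device = verify(DEVICE_SECRET, device_token, now)
    if device is None:
        return Decision(False, "device attestation invalid or expired")
    if device.get("user") != user.get("sub"):
        return Decision(False, "device not bound to user")
    posture = device.get("posture", {})
    missing = [k for k, v in REQUIRED_POSTURE.items() if posture.get(k) != v]
    if missing:
        return Decision(False, "device posture failed: " + ", ".join(missing))
    return Decision(True, f"{user['sub']} -> {app} from {device['device_id']}")


def demo(now=1_700_000_000):
    """Constructed scenarios; returns a list of (label, allowed, reason)."""
    good_user = issue(IDP_SECRET, {"sub": "alice", "role": "finance", "exp": now + 600})
    eng_user = issue(IDP_SECRET, {"sub": "bob", "role": "engineering", "exp": now + 600})
    good_dev = issue(DEVICE_SECRET, {"device_id": "lap-01", "user": "alice",
                                     "posture": dict(REQUIRED_POSTURE), "exp": now + 300})
    unpatched = issue(DEVICE_SECRET, {"device_id": "lap-02", "user": "alice",
                                      "posture": {**REQUIRED_POSTURE, "os_patched": False},
                                      "exp": now + 300})
    # Flip the last hex digit of the signature to simulate a tampered token.
    forged = good_user[:-1] + ("0" if good_user[-1] != "0" else "1")
    cases = [
        ("healthy device, authorized user", gate("payroll", good_user, good_dev, now)),
        ("unpatched device", gate("payroll", good_user, unpatched, now)),
        ("application not in policy", gate("hr", good_user, good_dev, now)),
        ("tampered identity token", gate("payroll", forged, good_dev, now)),
        ("role lacks access", gate("payroll", eng_user, good_dev, now)),
    ]
    return [(label, d.allowed, d.reason) for label, d in cases]


if __name__ == "__main__":
    for label, allowed, reason in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

The order of checks matters: identity is verified before the policy is consulted, and the device attestation is only examined once the user is known, so a posture failure is always reported against an authenticated, authorized user. In a real SDP deployment this gate would sit in a controller or gateway in front of each “island” and the tokens would be carried over mutually authenticated TLS; the in-process version here only shows the decision logic.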
Critics would say that the concept of SDP is not new, and that we have been practicing similar solutions for a while now. They are correct too. The technologies are not new, and most of the concepts of SDP were already introduced in the Jericho Forum Commandments. But SDP is a major step forward because it contains enough use cases and high-level architecture for vendors to start planning products with SDP functionality.
Last year’s cyber events proved to organizations that ‘inside’ is not as secure as we thought, and that ‘outside’ is not for the ‘enemy’ alone. With the start of 2014, we understand that taking a new approach to the network perimeter is inevitable. One thing is certain: in the years to come, security officers will have to protect larger and more distributed deployments, handle significantly more data, and defend against ten times more attacks. However, they will not have ten times the budget, so creative security solutions must be developed to enable business growth.