Tip

Shifting defenses and dynamic perimeters challenge network security

The increasing value and vulnerability of IT assets -- coupled with a trend away from large, monolithic organizational structures toward virtual enterprises -- are challenging network security. Individuals and organizations are empowered with more and more computing devices and sophisticated content creation and collaboration tools. Yet there are strong risk and regulatory pressures on IT security to constrain connectivity, user functionality and control.

Another dilemma for network security is de-perimeterization of the network. De-perimeterization -- a phenomenon described by the Jericho Forum, Burton Group and others wherein centralized firewalls have become less effective -- is upon us. Additional firewall functionality is being added to endpoints as well as internal network access points. Computer devices are getting smaller and more numerous; device endpoints are splintering into virtual endpoints; and applications are decomposing into services. Business trends such as outsourcing, partnering and a mobile workforce create continuing pressure for organizations to share information electronically across distributed IT environments.

    Requires Free Membership to View

More on shifting perimeters and network security models
Network security: Overlay versus perimeter security model debated at Catalyst

Special Report: Network access control -- More than endpoint security

Hidden endpoints: Mitigating the threat of non-traditional network devices

What is data loss prevention? -- An introduction to DLP

Even though coarse-grained network perimeter controls will continue to bring unique value to maintaining an overall level of protection and availability on organization-owned networks, IT security is too dependent on network controls. Fine-grained controls are needed closer to information resources, and they will increasingly be built into both simple and complex systems, arriving with new systems and being retrofitted into old ones. These fine-grained controls will exist within a security overlay that works together with existing physical mechanisms on the network to create a total security solution.

Can the industry create a policy infrastructure to cover pervasive, finer-grained controls on endpoints, applications and data? That is no easy thing. Exponentially multiplying numbers of control points will have to operate in a contextually dynamic environment that represents the interests of multiple parties, including individuals, enterprises in a value chain, intermediaries or service providers and, often, auditors. With this, the complexity of policy management, monitoring and feedback rises.

Industry trends will drive organizations to shift much of their defensive emphasis from network controls to endpoint-, identity-, application- and data-level controls. Technologies such as trusted virtualization and secure compartments; higher assurance identity (with privacy features) and application rating services (supported by rating services) could raise the bar. Ultimately, an information-centric approach that builds on converging XML-oriented database management systems and enterprise content management -- as well as service-oriented architecture (SOA) data services -- will provide lasting strategic benefits. Information risk management and information classification will also be of vital importance.

About the author:
Daniel Blum is the senior vice president and principal analyst for Burton Group Security and Risk Management Strategies. He covers security architecture, identity management, federated identity, and security technologies. Daniel has consulted for many Global 1000 companies on key strategic architecture and technology decisions. He has participated in and contributed to industry organizations such as the International Information Integrity Institute (I4), Electronic Authentication Partnership (EAP), Internal Standards Organization (ISO), and National Institute of Standards and Technology (NIST). He has worked with the Organization for the Advancement of Structured Information Syntaxes (OASIS), and the Liberty Alliance to promote the use of federated identity management through interoperability demonstrations. Daniel has co-authored The E-Mail Frontier, published by Addison-Wesley, 1994, and authored Understanding Microsoft Active Directory Service, published by Microsoft press, 2000.


This was first published in August 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.