Another dilemma for network security is de-perimeterization of the network. De-perimeterization -- a phenomenon described by the Jericho Forum, Burton Group and others wherein centralized firewalls have become less effective -- is upon us. Additional firewall functionality is being added to endpoints as well as internal network access points. Computer devices are getting smaller and more numerous; device endpoints are splintering into virtual endpoints; and applications are decomposing into services. Business trends such as outsourcing, partnering and a mobile workforce create continuing pressure for organizations to share information electronically across distributed IT environments.
Even though coarse-grained network perimeter controls will continue to bring unique value to maintaining an overall level of protection and availability on organization-owned networks, IT security is too dependent on network controls. Fine-grained controls are needed closer to information resources, and they will increasingly be built into both simple and complex systems, arriving with new systems and being retrofitted into old ones. These fine-grained controls will exist within a security overlay that works together with existing physical mechanisms on the network to create a total security solution.
Can the industry create a policy infrastructure to cover pervasive, finer-grained controls on endpoints, applications and data? That is no easy thing. Exponentially multiplying numbers of control points will have to operate in a contextually dynamic environment that represents the interests of multiple parties, including individuals, enterprises in a value chain, intermediaries or service providers and, often, auditors. With this, the complexity of policy management, monitoring and feedback rises.
Industry trends will drive organizations to shift much of their defensive emphasis from network controls to endpoint-, identity-, application- and data-level controls. Technologies such as trusted virtualization and secure compartments; higher assurance identity (with privacy features) and application rating services (supported by rating services) could raise the bar. Ultimately, an information-centric approach that builds on converging XML-oriented database management systems and enterprise content management -- as well as service-oriented architecture (SOA) data services -- will provide lasting strategic benefits. Information risk management and information classification will also be of vital importance.
About the author:
Daniel Blum is the senior vice president and principal analyst for Burton Group Security and Risk Management Strategies. He covers security architecture, identity management, federated identity, and security technologies. Daniel has consulted for many Global 1000 companies on key strategic architecture and technology decisions. He has participated in and contributed to industry organizations such as the International Information Integrity Institute (I4), Electronic Authentication Partnership (EAP), Internal Standards Organization (ISO), and National Institute of Standards and Technology (NIST). He has worked with the Organization for the Advancement of Structured Information Syntaxes (OASIS), and the Liberty Alliance to promote the use of federated identity management through interoperability demonstrations. Daniel has co-authored The E-Mail Frontier, published by Addison-Wesley, 1994, and authored Understanding Microsoft Active Directory Service, published by Microsoft press, 2000.
This was first published in August 2008