
Shifting defenses and dynamic perimeters challenge network security

Network security faces challenges from de-perimeterization and other IT trends. Fine-grained controls are needed closer to information resources and will increasingly be built into both simple and complex systems.

The increasing value and vulnerability of IT assets -- coupled with a trend away from large, monolithic organizational structures toward virtual enterprises -- are challenging network security. Individuals and organizations are empowered with more and more computing devices and sophisticated content creation and collaboration tools. Yet there are strong risk and regulatory pressures on IT security to constrain connectivity, user functionality and control.

Another dilemma for network security is de-perimeterization of the network. De-perimeterization -- a phenomenon described by the Jericho Forum, Burton Group and others wherein centralized firewalls have become less effective -- is upon us. Additional firewall functionality is being added to endpoints as well as internal network access points. Computer devices are getting smaller and more numerous; device endpoints are splintering into virtual endpoints; and applications are decomposing into services. Business trends such as outsourcing, partnering and a mobile workforce create continuing pressure for organizations to share information electronically across distributed IT environments.


Even though coarse-grained network perimeter controls will continue to bring unique value to maintaining an overall level of protection and availability on organization-owned networks, IT security is too dependent on network controls. Fine-grained controls are needed closer to information resources, and they will increasingly be built into both simple and complex systems, arriving with new systems and being retrofitted into old ones. These fine-grained controls will exist within a security overlay that works together with existing physical mechanisms on the network to create a total security solution.

Can the industry create a policy infrastructure to cover pervasive, finer-grained controls on endpoints, applications and data? That is no easy thing. Exponentially multiplying numbers of control points will have to operate in a contextually dynamic environment that represents the interests of multiple parties, including individuals, enterprises in a value chain, intermediaries or service providers and, often, auditors. With this, the complexity of policy management, monitoring and feedback rises.

Industry trends will drive organizations to shift much of their defensive emphasis from network controls to endpoint-, identity-, application- and data-level controls. Technologies such as trusted virtualization and secure compartments, higher-assurance identity (with privacy features), and application rating services (supported by rating services) could raise the bar. Ultimately, an information-centric approach that builds on converging XML-oriented database management systems and enterprise content management -- as well as service-oriented architecture (SOA) data services -- will provide lasting strategic benefits. Information risk management and information classification will also be of vital importance.

About the author:
Daniel Blum is the senior vice president and principal analyst for Burton Group Security and Risk Management Strategies. He covers security architecture, identity management, federated identity, and security technologies. Daniel has consulted for many Global 1000 companies on key strategic architecture and technology decisions. He has participated in and contributed to industry organizations such as the International Information Integrity Institute (I4), Electronic Authentication Partnership (EAP), International Standards Organization (ISO), and National Institute of Standards and Technology (NIST). He has worked with the Organization for the Advancement of Structured Information Syntaxes (OASIS) and the Liberty Alliance to promote the use of federated identity management through interoperability demonstrations. Daniel co-authored The E-Mail Frontier, published by Addison-Wesley, 1994, and authored Understanding Microsoft Active Directory Service, published by Microsoft Press, 2000.

This was last published in August 2008
