In the world of information security during the ‘good old days’ of the late 1990s, enterprise boundaries were enterprise boundaries and operational risk to infrastructure was relatively easy to define, track, assess and remediate.
The trends of the past ten to fifteen years - which, by the way, is not a whole lot of time - have taken us down a path where those tenets are really a thing of the past.
First, there was the outsourcing/offshoring of development and development support to emerging markets worldwide. This well documented shift created opportunities to save direct costs while introducing headaches for the infrastructure teams of the companies that chose to outsource. I remember being involved in provisioning a 56k frame relay circuit from a remote location overseas to a worldwide headquarters on the east coast in the U.S. It was a painful, expensive process - and it really opened my eyes to the unintended consequences decisions like offshoring can have on an enterprise. An example of these consequences could be observed by inspecting the logs for the web and email traffic that resulted from our connection to that overseas location, which revealed some real problems and a lot of bad traffic. We quickly implemented controls to fix those issues back then, but it was a learning experience nonetheless.
Then, there was the outsourcing of security services. Much ink was spilled, many stands were taken, and in the end the shifting of the maintenance and configuration of the security infrastructure (firewalls, IDS, log management, etc.) to professional services organizations probably proved to be a very good thing. After some false starts – Salinas and Pilot Network Services both went bankrupt in 2000-2001, leaving some customers high and dry with little to no warning of their closure – the industry settled down and now has turned into a stable and cost effective way to manage that part of the network. Organizations in the US federal government even commissioned CERT® to provide guidance on the process - resulting in the publishing of Outsourcing Managed Security Services - a guide to step managers through the process and to get them thinking about the right questions and criteria for this important process.
Next, there was growth in outsourced hosting. Email services, web services, development platforms, etc. - all left the control of the internal infrastructure and security groups for more specialized vendors who could do it better, faster, and usually cheaper. And this outsourcing was not limited to non-mission essential support services. It also included mission critical operational capabilities, like transaction processing, web banking, authentication, and others. At this point, critical services and infrastructure were outside the control of the enterprise infrastructure team and in the hands of 'specialists' delivering services based on Service Level Agreements (SLAs). Vendors of these services became subject to real risk assessments, real reporting requirements, and even regulatory compliance standards based on the type and location of their customers. The boundaries of the enterprise were getting harder and harder to define.
Today, there's Cloud Computing. It's not as much of a new thing as it is a new name. It is the logical extension of the other outsourcing practices - allowing a provider to offer just about any service possible via the 'cloud.' Hosting? Check. Storage? Check. Platforms (CPUs)? Check. Security? Check. Authentication? Check.
Now where does the enterprise draw the boundary for its systems, services, critical assets and so on. There really is no boundary now. The 'enterprise' as it existed in the 1990s is a thing of the past. Now, the 'extended enterprise' is the focus of attackers, auditors, incident responders, and operations staff. Your enterprise is everywhere, impacted by events you can't observe in networks you don't control and into which you have no visibility. Add to that a reliance on protocols which were designed 30+ years ago (most of the IP suite) based on inherent trust with no real thought given to malicious actors or the need for strong authentication.
If you think about that for a minute, the size and scale may make you dizzy. Your enterprise depends on the name servers, routing architecture, and trust relationships within your network, your partners' networks, your providers' networks, their providers' networks, and so on. It is often impacted by malicious activity in those same networks. In essence, your ability to achieve the operational mission of your organization depends on the health and welfare of systems and networks you don't own, can't control, and are not instrumented to be observed.
That's the extended enterprise. That's the current risk profile for most organizations. There are ways to approach this growing issue that are starting to take shape in many forward-thinking organizations. Their approaches include the following types of proactive data gathering and analysis:
1. Get to know your extended enterprise.
What services and capabilities inside your network and in the networks of others are critical to your mission? If you can define them, you have a head start on understanding the risks and tracking the threats.
2. Get the data you need.
There are data providers who have sensors on the Internet collecting information that will give you detailed views of how your extended enterprise is functioning - provided you have defined it and know how to track it. This will include information on the name system, routing information, and even whether you or any of your extended enterprise partners are actively being attacked or targeted (phishing, etc.).
3. Build analysis capabilities for the data that describes your extended enterprise.
After you get visibility into the networks you rely upon but do not control, you’ll need to determine what you should be monitoring in that data. Who are all my providers? Who are their providers? Who are the key players in my industry upon whom I rely directly or indirectly? What is the status of their routing and name services? What is the status of malware activity in their networks?
4. Create the relationships needed for mitigating risks and stopping bad events.
This includes your ISP, important content providers, and even registries. When bad things happen to you or to a partner or provider, it is important to be able to pick up the phone and make things happen to fix the problem.