I was talking with a coworker a couple weeks back, and in the course of our conversation one of us mentioned the concept of perimeter security. That simple statement struck me then, and strikes me even more now:
What is perimeter security?
When I started in the business of information security in the mid 1980s, the basic organizational security model was best described as an onion. You had the multiple layers of the onion: you get through one layer and another one lies before you. I kind of like the analogy of the peanut M&M because it is simpler and more direct – most organizations simply didn’t have layers and layers of security. You have the hard outside shell that protects the inside from melting, from insects, from malformation, and other external threats. You have a soft chocolaty layer that surrounds, comforts, and pillows the deliciously cool part of the candy, the peanut in the center. In security language, you had your firewalls that protected against outside threats, a bunch of stuff going on inside, including policies and procedures, but they were often kind of soft. And in the center somewhere you had your cool data.
If you were advanced, you had multiple layers at the external perimeter and two or more internal enclaves, defined by some formal internal segregation. Graphically, an advanced enterprise security architecture would have concentric layers with enclaves of cool data inside.
In the early days of the Internet this was a pretty standard security architecture. Default external layers were a screening router and a firewall. Internal enclaves were usually controlled by routers, or switches, and maybe (for the paranoid) internal firewalls. I worked in more than one place that included secure rooms with an air gap around a smaller network that had limited access requirements. Human resources and special projects got some internal segregation. Segregation was improved with provisions to protect financial and healthcare data, but the basic enterprise security architecture was still defined pretty well in a few layers.
But the world has changed.
Web-enabled applications and social media mean more dynamic content flows in and out of the organization, blurring the actual perimeter. Organizations build vendor connections and shared networks that further enable information exchange, but also further weaken the idea of a “perimeter”. Organizations outsource support to a third-party company (which is, by the way, the same third-party company used by 70% of the competition), and that company gets external access to internal systems.
Mobile laptops mean web-enabled email and supporting applications, with connections through untrusted and untrustable networks. Telecommuters rely on their own infrastructure (with an unknown state) to remotely connect to work systems, using VPN access to internal network resources.
Mobile devices that rely on simplicity are given more and more complex access and functionality, and are regularly relied on to access organizational information – from a relatively inexpensive device that people trade out every two years or so. A modern organization that supports mobile devices, web-enabled applications and social media ends up being more amorphous, with a network security architecture that looks more blob-like than layered.
Part of the problem is that this creates an architecture that can be hard to define, much less draw. And one of the telling consequences for the organization is that there really is no perimeter anymore. Data security management now relies on segregation. As a primary security control, the perimeter is dead. The best way to think of our structure may be to think of everything as its own enclave.
The only saving grace is that this should help put the focus where it should be – on the data. Once upon a time, the objective was to build successive layers of security that would have to be breached to get to the internal network that held all the data. In some ways, that also helped an attacker – notice how the cool data in the original diagram looks an awful lot like a bull’s-eye. Now, that data is everywhere, it is probably harder to manage, but it is also sometimes harder for an attacker to find the treasure trove. Even though a modern security architecture looks dramatically different, when you are defining your security program, most of the same general rules apply.
1. Identify your cool data. Do your business impact analysis, your information asset inventory, your data flow analysis, whatever you call it, just do it. I am still surprised at how many companies I talk to have never done this. Ultimately, it’s all about the data. Identify your data, and the systems that protect and access that data. If you are supporting social media and mobile devices, make sure you understand what data you are going to be supporting. We often hear a PCI client say something to the effect that they did not know that they were storing card data. In reality, that is pretty important information to know. If you don’t know exactly what data you are protecting, you are going to fail.
2. Train your staff. Train them on security basics, but concentrate on defining how to manage your cool data. I once worked with a firm that had an excellent two-page data classification and handling policy, but admitted that it didn’t actually train staff on data classification. By the way, it was a biotech company that maintained significant amounts of medical research data (yes, including some identifying information).
With the current state of mobile devices and social media, technical controls can be difficult to manage. It’s not that technical controls do not exist. As a matter of fact, there are a variety of very effective technical solutions for adding controls around social media usage as well as for mobile device management. The issue for these areas is primarily that they can be difficult to use without seeming oppressive. Do you have specified authorized usages for your mobile devices? Do you train on exactly what employees are authorized or not authorized to communicate via social media? My daughter would say I sound like a fogey, but since some members of the younger generation grew up with social media, they simply do not have the same level of mental filter. Make your expectations clear.
3. Implement effective security technology. These are very specific words. Your security technology has to be diverse enough that it can protect cool data in its segregated enclaves. Historic security measures can be effective at helping to secure “normal” data, but securing the distributed enclaves can be challenging. Are you blocking or monitoring social media? Did you know data on the iPhone is encrypted? Did you know that most Android phones also include the capability (settings/Location & Security/Data Encryption)? Do you use it on your mobile devices to help reduce the chance of data being compromised on a lost or stolen device? Focus your technology on protecting your cool data, wherever it is.
There are plenty of other steps in a formal security program, including things like performing risk assessments, but most of them do not change dramatically because of a modern security architecture. The evolution in information security programs comes from the demand to provide security in an environment in which the perimeter is no longer the most important security delineation.
Now, obviously, reality is not quite that simple, and realistically there is still “some” perimeter, but we should recognize that our data needs are more dynamic now than ever. Social media and mobile devices have simply changed the way we use data. As a result, security has to adapt to better ways to manage that data – and “protection” of the data is only one piece of true data management.