Monday, February 12, 2007

IT Faces Networks Without Borders

A job for Dynamic Security

Jaikumar Vijayan

February 12, 2007 (Computerworld) SAN FRANCISCO -- As end users at different companies conduct more business with one another via the Web, corporate information security strategies are being turned inside out — literally.

Corporate security managers have spent many years and tens of billions of dollars erecting sophisticated defenses designed to keep intruders out of their networks. But they’re discovering that the network perimeter isn’t what matters so much anymore. Now what’s important is protecting the data within those walls, said security managers at the RSA Conference 2007 here last week.

That realization is being driven, they said, by the accelerating trend among companies to collaborate online with their suppliers, business partners and customers.

The “de-perimeterization” of corporate networks that has resulted from this collaboration is forcing companies to completely rethink some of their entrenched security procedures, said Paul Simmonds, global information security director at Imperial Chemical Industries PLC in London.

Future security strategies will need to focus on the fact that access to corporate data can no longer be contained within traditional network boundaries, Simmonds said. “What’s coming is IP anytime, anyplace, anywhere,” he said, adding that the role of IT security organizations will be to enable that access — not to hinder it.

“In most cases, network security perimeters will disappear,” Simmonds predicted. “It’s a question of how fast, how soon and whether you decide to control it.”

Crossing the Moat

Older “castle and moat” security architectures assumed that a firewall would keep out all intruders, said Deven Bhatt, director of corporate security at Arlington, Va.-based Airlines Reporting Corp., which provides ticket distribution and settlement services to more than 145 air and rail carriers. Increasingly, though, firewalls are becoming “useless,” he added. “Every day, you’re creating more and more openings in the firewall, so it isn’t even a firewall anymore.”

What’s needed now is the ability to more thoroughly authenticate and authorize users on a network and then to monitor all their activities much more closely than before, Bhatt said. For instance, his company has deployed network behavior modeling tools to help it monitor traffic for anomalous behavior.

Dennis Hoffman, vice president of information security at EMC Corp. in Hopkinton, Mass., said companies will have to adopt a three-pronged approach as they seek to implement information-centric security strategies. Hoffman’s mantra: “Maximize access control, minimize the amount of data that leaves your security zone, and encrypt the rest.”

In order to allow authorized users to access information whenever and wherever they want, the authentication of users and computing devices has to become a top priority, said Mike Schutz, a group product manager in Microsoft Corp.’s networking and security unit.

The security of a network typically has been defined by the firewall erected in front of it. Now the focus should be on extending the network boundary as needed by users, said Schutz. “Your laptop, regardless of where you go, should be part of the network,” he said.

Microsoft has attempted to support that approach internally by creating policy-based logical network segments in which all users and devices are authenticated and authorized via a combination of IPsec standards and Active Directory. Schutz said the architecture ensures that users authorized to operate in a particular network segment can do so regardless of where they’re located geographically, while all others are shut out.

Such access is based “not on where I’m standing, but on the trust level of my identity and the security and state of the device,” he said.

A key component of an information-centric security strategy is to first understand where your data is and how it’s used and accessed, said Art Coviello, president of conference organizer RSA Inc., a division of EMC.

“You can’t secure what you can’t manage,” Coviello said at a Q&A session with reporters, adding that combining information management and security capabilities is of “paramount” importance.

“Security has to be built more and more into an information infrastructure for it to be successful,” Coviello said. “It’s no longer enough to take an outside-in approach by building a fortress.”

Some of the changes now being implemented aren’t entirely new, said Lynn Goodendorf, vice president of information privacy protection at the Atlanta-based U.S. subsidiary of InterContinental Hotels Group PLC, which owns hotel brands such as Holiday Inn and Crowne Plaza.

“But there is a new emphasis on [data protection] now because of the maturity of the information security profession,” Goodendorf said. Increasingly, she added, corporate executives are also “starting to think of information as an asset that has some type of financial value to the business.”
