[ISN] Perspective: Security perimeter? What security perimeter?

From: InfoSec News (alerts@private)
Date: Mon Feb 04 2008 - 00:03:10 PST


http://www.news.com/Security-perimeter-What-security-perimeter/2010-7347_3-6228252.html

By Phil Dunkelberger
January 31, 2008

One of the questions I'm frequently asked is, "If perimeter-based data 
security strategies are breaking down, why aren't more companies using 
encryption to protect their confidential information?"

Although I'm not sure I agree completely with the question's premise, I 
believe what we're seeing has less to do with the role encryption will 
play protecting confidential information than the rate at which 
enterprises can really upgrade their core information infrastructure.

Encryption is not the kind of technology that can be "painted on" an 
existing set of information technology assets. Achieving comprehensive 
enterprise data protection requires a change in both policies and 
technology at the architectural level, followed by deliberate deployment 
everywhere sensitive information resides. 

As one of my favorite chief information officers observed, "Rome wasn't 
built in a day, and that was a far easier goal to accomplish."

What I've observed, particularly in the last year, is the growing 
understanding by IT security professionals that Gen. Patton was correct 
when he observed that "fixed embattlements are monuments to human 
stupidity."

With the vast majority of mission-critical data now being created and 
consumed on mobile devices outside most corporate security perimeters, 
data security experts globally have realized that fixed data 
embattlements are a necessary but insufficient component of a 
comprehensive enterprise data protection strategy. These companies are 
rethinking their security strategies, and the leading firms (primarily 
in financial services and manufacturing) are implementing solutions that 
assume there is no perimeter in the classic sense. Most if not all of 
these new approaches involve broad deployment of various encryption 
technologies.

The Jericho Forum has been promoting this concept of 
"de-perimeterization" for a number of years. What I'm seeing from the 
largest PGP Corp. customers is a belief that security now must travel 
with the data wherever it goes throughout the world. Because upgrading 
the security policies and technology in a large enterprise takes time 
and careful planning, however, this is not the type of trend that pops 
out fully formed--like a YouTube or Facebook--but evolves over time to 
address changing threat models.

The other phenomenon driving this trend is the growing understanding 
that no institution is immune to the type of breach experienced by TJX 
in early 2007, or even the massive breach the British Treasury 
experienced in late November in which an employee burned extensive 
personal information on 25 million British subjects onto two CDs and 
dropped them in the mail--never to be seen again.

So although de-perimeterization and the assumption that all firms are 
vulnerable are the current drivers for encryption adoption, there's a 
third, less well-understood phenomenon I believe will become 
increasingly important in the next two years: the hard dollar costs of a 
breach.

TJX disclosed recently that it may spend $500 million mitigating the 
effects of its breach. The most recent study by the Ponemon Institute, 
which tracks the cost of breaches, estimates that each compromised 
record costs an affected company $197, up 8 percent from 2006 and 43 
percent from 2005. I expect both the number of breaches and the 
cost-per-breach to increase in the short term as the profitability and 
popularity of identity theft rise in the increasingly organized 
international criminal community. This trend will, in turn, put 
increasing pressure on public and private institutions to protect 
sensitive data regardless of where it resides in the enterprise. 

The final factor affecting the rate at which encryption technologies are 
deployed is the knowledge that to protect all data in motion and at rest 
in a large enterprise effectively, it isn't enough to deploy one point 
solution for e-mail, one for laptops, a third for shared storage, and so 
on. Most CIOs know from hard experience (and early public-key 
infrastructure deployments) that a combination of such point solutions 
usually leads to data that is actually less secure and/or less available 
to those who need it.

Encryption by itself is not the answer, and the fact is that building or 
deploying a simple, single application encryption technology just isn't 
that hard. The magic of enterprise data protection occurs when it is 
combined with a comprehensive data protection policy and key management 
system, and encompasses all of an enterprise's business, compliance, and 
security requirements.

Building systems that meet these criteria is hard and should be 
undertaken only when implementers truly understand all of the 
enterprise's threat models and have identified the most cost-effective, 
scalable solutions.

-=-

Biography: Phil Dunkelberger is chief executive of security software 
company PGP Corp.

Copyright 1995-2008 CNET Networks, Inc. All rights reserved.


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Mon Feb 04 2008 - 00:17:49 PST