April 25th, 2006 by Chandler Howell

I just wrapped up the day at the Open Group’s Jericho Forum Annual Meeting.

Lots of good work has been going on within the Forum’s working groups. Unfortunately, other than attending the meetings and carrying the deperimeterization torch back in the office, I haven’t done anything to advance any of it. Many people I speak with looked at the forum’s work early on and wrote it off. I strongly suggest that you take another look if this is an area that interests or affects you.

I think my favorite quote of the day came from Nick Bleech, CSO of Rolls-Royce, who said, “Deperimeterization is happening. It’s not a strategy, it’s an ‘-ization.’ It’s like globalization–it’s happening.”

In the corporate environment, assets can be protected at various levels, ranging from an individual column of a database all the way up to the entire company. Traditionally, IT assets have been protected from outsiders at the network perimeter by firewalls and at the host or application level with passwords.

If perimeter firewalls are the Maginot Line, then most of us are still in the Sitzkrieg, waiting for the killer app or killer business change that’s going to fly over or roll around the perimeter firewall like it’s not even there.

Did you laugh the first time you heard HTTPS referred to as the “Universal Firewall Bypass Protocol”? If so, then you should realize that the waiting is over; you just haven’t noticed it yet.

The good news is that the frameworks and architectures necessary to move this from users “self-enabling” to something that the company can actually manage are about ready. Most of the “hard” problems seem to be well-enough under control from a technical perspective, meaning it’s time to see what happens at the business layer.

And that’s where the real fun begins. What are the implications of eroding perimeter controls for the business? What new risks are emerging as a result that are not currently being identified, measured and managed? What opportunities are also emerging, and what are the tradeoffs between the two going to look like?

Consider the outsourcing arrangements this makes possible if you can now offer technical controls that (you think) adequately protect your data in an outsourced environment. But how do you either make sure that your lowest-cost provider isn’t going to re-outsource your work to someone else in turn, or manage the increase in risk inherent in doing so? How much of a premium are you willing to pay the outsourcer for that extra restriction? How much should you be willing to pay?

Deperimeterization is increasing volatility in the business world. Businesses need to decide how they’re going to manage the increased risk that comes with it. Will they attempt to mitigate the risk and put the genie back in the bottle? That may work for a while, but only until someone else accepts it, takes the bet and wins. At that point, those who chose mitigation are no longer competitive and it’s game over for them. Now that is truly “Security as an Enabler.”

What a great time to be in the Information Risk Management business.

- Posted in Security and Risk Management, Risk Management, Network Security, New Rules of Information Security

Just a quick question if you have a moment. Do you specifically separate Information Security and IRM? Why and how?

- May 8th, 2006 at 8:26 am |

Saso Says:

I’m getting old. (And you should get tired of hearing this from me just about now)

Way back when, during the onslaught of deep packet stateful inspection firewalls, talk abounded that perimeter security doesn’t work. It never did. But silver tongues sold the idea of silver bullets to C-level execs and it worked more or less well for quite a while, more than a decade.

What I find quite remarkable is our inability to learn from other people’s experiences. Take castles as prime examples of how layered security should work. Those that were built by masters of their art are still around (if they weren’t used later on as a source of building stones for houses around the area, that is), to show how a good defense in depth works. There’s the perimeter layer, a hard-to-pass (unnoticed) area; then there’s the first perimeter, with strong defences; then there’s the second perimeter, in case the first gets breached; … and all that is usually overseen by corner towers that can only be reached via a staircase that winds clockwise, to hamper an attacker’s sword wielding.

Alas, many took the “we have a firewall, we’re secure” approach and then shot holes right through their perimeter walls. :-)

And now we have ‘deperimeterization’. Everything old is new again. Except that, for most businesses, it is laws and regulations that are increasingly driving the process of layered security, not the long-term business vision.

I hail those that take the “security in layers” approach in their stride and run with it on their own accord, because it fits their vision, not because “everyone else is doing it”.

“Security is like onions, it makes your eyes burn and leaves you burping.”
– Steve Bellovin

- May 10th, 2006 at 9:01 pm |