Your perimeters are "porous", companies told

'You know that expensive firewall I bought last year? Well, it's no longer enough'...

By Tom Espiner

Published: 28 April 2006 08:35 BST

Security professionals have been advised to accept that organisations' perimeters are now open, and to start designing future systems architecture to account for this.

In a debate at the Infosecurity conference in London on Wednesday, security experts argued that maintaining security at the boundaries of an organisation had become unworkable, thanks to an increasingly mobile workforce, internet interaction with customers, partnership programmes between organisations, and third-party contractors who work and communicate over the web.

Paul Simmonds, global information security director for ICI, said: "As organisations, our perimeters are becoming more and more porous.

"Hackers target email and web applications to get into the organisation. We have umpteen people managing our systems - contractors, who themselves sub-contract, probably to India. Deperimeterisation has happened whether you like it or not."

Deperimeterisation - where the security emphasis is moved from the edge of the network onto individual devices, and ultimately to individually encrypted data packets - became a fact for ICI with increasing employee mobility, Simmonds argued.

He said: "ICI has 6,000 laptops roaming around the world. The bottom line is that they are connecting outside of ICI's closed environment. This is the industry's dirty little secret - 'You know that expensive firewall I bought last year? Well, it's no longer enough'."

Nick Bleech, IT security director for Rolls Royce, said security professionals should not drop their current perimeters but instead should plan for the future.

Bleech said: "This is about the next five to 10 years. From an architectural perspective we have to start thinking away from the perimeterised paradigm."

Both Bleech and Simmonds are members of the Jericho Forum, a group of blue-chip companies that advocates security through deperimeterisation and open standards. BP, another member, is putting its laptops directly onto the internet rather than its local area network.

On the other side of the debate, Mark Waghorne, principal adviser for KPMG, argued that in fact there was no such thing as deperimeterisation, and that instead organisations should redefine their boundaries.

Waghorne said: "If anything, the world is heading towards reperimeterisation. You have to look at how you manage your assets. To suggest the only sensible architecture needs to be built on the deperimeterised paradigm is irresponsible. Would you put your trading, or process control network on the internet?"

Bleech replied that organisations' supervisory control and data acquisition systems (Scadas) are already vulnerable to attack because they link to web-facing business systems.

He said: "The reality is Scada systems have 12 different business systems feeding into them."

Dan Blum, senior vice president and research director for Burton Group, disagreed, and said deperimeterisation was not an architecture but rather a process. "In many cases we're being forced to deal with a sub-optimal situation," said Blum. He recommended perimeterising "zones of trust" for the enterprise.

Blum added: "We have a restricted zone for the backend, a protected business zone, and an outer zone allowing access to the net. These perimeters are maintained by dedicated firewalls. You can control data flow and use between the different zones."

The debate ended with a vote from the audience of security professionals, who overwhelmingly agreed that responsible security architecture should be based on deperimeterisation.

Tom Espiner writes for ZDNet UK
