As end users at different companies conduct more business with one another via the web, corporate information security strategies are being turned inside out — literally.
IT managers and security specialists have spent many years and billions of dollars erecting sophisticated defences designed to keep intruders out of their networks. But they’re discovering that the network perimeter isn’t what matters so much anymore. Now what’s important is protecting the data within those walls, security managers at the recent RSA Conference 2007 in San Francisco said.
That realisation is being driven, they said, by the accelerating trend among companies to collaborate online with their suppliers, business partners and customers.
The “de-perimeterisation” of corporate networks that has resulted from this collaboration is forcing companies to rethink some of their entrenched security procedures, said Paul Simmonds, global information security director at Imperial Chemical Industries in London.
He said future security strategies would need to focus on the fact that access to corporate data can no longer be contained within traditional network boundaries. “What’s coming is IP anytime, anyplace, anywhere,” he said, with IT security enabling that access, not hindering it, as network security perimeters disappear.
Older “castle and moat” security architectures assumed that a firewall would keep out all intruders, said Deven Bhatt, director of corporate security at Airlines Reporting Corporation. Firewalls are becoming “useless”, he added. “Every day, you’re creating more and more openings in the firewall, so it isn’t even a firewall anymore.”
What’s needed now is the ability to more thoroughly authenticate and authorise users and then to monitor their activities, Bhatt said.
Dennis Hoffman, vice president of information security at EMC, which owns RSA, said companies will have to adopt a three-pronged approach as they seek to implement information-centric security strategies. Hoffman’s mantra: “Maximise access control, minimise the amount of data that leaves your security zone and encrypt the rest.”
In order to allow authorised users to access information whenever and wherever they want, the authentication of users and computing devices has to become a top priority, said Mike Schutz, a group product manager in Microsoft’s networking and security unit.
The security of a network has typically been defined by the firewall erected in front of it. Now the focus should be on extending the network boundary as needed by users, said Schutz. “Your laptop, regardless of where you go, should be part of the network.”
Some of the changes now being implemented aren’t entirely new, said Lynn Goodendorf, vice president of information privacy protection at the US subsidiary of InterContinental Hotels.
“But there is a new emphasis on [data protection] now because of the maturity of the information security profession.”
Increasingly, she added, corporate executives are also “starting to think of information as an asset that has some type of financial value to the business.”