Hardened perimeter not always best

A hardened perimeter strategy is now at odds with business needs.
Read time 4min 00sec

New technologies and the pervasiveness of the Internet led to new solutions being sought, away from the typical 'hardened perimeter'.

It is fundamentally accepted that most exploits will easily transit traditional perimeter security, and can typically be transported through e-mail, Web and encrypted traffic such as SSL, VPN, VOIP, etc.

A hardened perimeter strategy, although good practice five years ago, is today at odds with current and future business needs - and is fast becoming an unsustainable model for organisations to adopt. That said, this doesn't mean that companies should be removing firewalls, replacing gateway security and opening up all data to the Internet.

The pervasiveness of the Internet and the introduction of more mature service delivery mechanisms such as broadband are driving a strong "I need access" mentality for every man on the street. This has enabled organisations to become more competitive and deliver faster services, not only to their employees but to third parties and extended business partners.

This has, however, introduced several challenges in securing information and resources. How employees and partners access and distribute this information has inevitably led to the vendors' drive for developing and selling endpoint security technologies.

The aim of endpoint security is to eliminate the exploit of vulnerability on the end-user machine to minimise the risk of an intrusion into the corporate network via the weakest link: the corporate/home user.

Endpoint security will become increasingly important to organisations as they adopt in the cloud, and software as service delivery models. The adoption of in the cloud (Internet hosted applications and services - Web 2.0) will be the primary contributor for real 'deperimeterisation' as all shared services - and applications will neither be owned nor managed by the organisation.

In the cloud services are already being adopted by small, medium and large enterprises across the globe for application delivery. Several have gone as far as hosted, branded e-mail and gateway security that is being delivered from Web-connected data centres whose sole function is the delivery of secure mail and archiving services.

The concept of deperimeterisation can be summarised as follows, with four basic phases to achieving deperimeterisation, now and into the near future:

* It's how we solve the business needs for our businesses without a hardened perimeter.
* It's how business can leverage new opportunities because there is no hardened perimeter.
* It enables access to a set or sets of offerings/solutions that weren't previously available.
* The delivery and use of open and interoperable services.


Endpoint security will become increasingly important to organisations as they adopt in the cloud, and software as service delivery models.

Logan Hill is a business unit executive at Faritec

Phase one: Moving beyond the perimeter is what most organisations are already doing and this is simply the delivery of external services outside the corporate perimeter allowing access to information based on role and function.

Effectively, this is enablement of an Internet-connected mobile workforce connecting from home and on the road.

Phase two: Removal of the hardened perimeter to allow system to system connectivity by third parties and business partners that could typically be driven by solutions such as remote/home office encrypted VOIP connectivity and hosted in the cloud data centres for general application sharing.

Phase three: Near future - No perimeter exists for the organisation where users are governed by connection level authentication and data level encryption utilising on the fly authentication for granular access, application usage, external access, and resource usage.

Phase four: Future - Data level authentication whereby encrypted data stored on disk will have specific read and write privileges tied to the original author that may only be shared, and or distributed, by the original author. Data will be able to be copied by the original author to any shared system across the Web with the same read write access privilege transferred as before.

So we can do all this tomorrow? Hardly likely. However, there are some broad timelines that each of the phases have fallen into or will fall into. The question is: which will you be?


Phase one: Corporate 2002-2006 and small medium business 2006-2008
Phase two: Multinational corporate 2006 - 2007 and corporate 2007-2008 and beyond
Phase three: Early adopters 2007-2008
Phase four: Bleeding-edge 2007-2010

* Logan Hill is a business unit executive at Faritec.

Logan Hill

Business unit executive for security and availability at Faritec.

Logan Hill is a certified information systems security professional and was recently appointed as business unit executive for security and availability at Faritec. He has been at Faritec for three years, where he is responsible for business solutions development within the security offering. Hill recently specialised in the public sector, designing multiple security functions for the protection of critical information systems, information availability, retention and redundancy.

See also