IT Security: Perimeter Protection No Longer Enough
Clearly there are two factors driving security. On the one side is the immediate attention that new outbreaks of worms are getting and on the other hand the more strategic, long-term securing the network. From a more technology perspective, its pretty clear the way we have been protecting ourselves over the five or six years is also changing drastically. We have been really focused, in the past, on protecting ourselves externally well at the perimeter. That's really one of the significant shifts I see happening in the industry, is people are looking to do the same level of protection on the inside devices that they have been doing on the perimeter.
Why is this occurring?
"We have seen last year with the events of Blaster, for example, that those worms actually have caused more damage inside organizations' networks than on the Internet. We have been doing a very good job on the perimeter but really it's now time to take a step back and look [to] where is the next attack vector; where are they happening? And it's pretty clear they're happening inside networks."
It seems that most of the damage from worms such as Blaster is the clogging of corporate networks. Could these worms actually lead to more advanced attacks that will be more malicious?
"It's clearly a very similar trend to what we have seen in the anti-virus industry. The very early viruses were prototypes for what then became virus-building kits or virus tool kits and then those tool kits are very easily being used to build new viruses. I see the same happening here in the worm and malicious code area even in the MyDoom case we have seen already the fact that one worm came out on Monday and a derivative was already existing two days later."Is this why there is a move away from simple perimeter protection to device-level safeguards?
"Yes, I think it's really coming down to two things. The perimeter-level protection is no longer a valid defense and when you do a proper protection at the end node ... then you are reasonably well protected."
With so many attacks still spread via email, where does the importance of employee education efforts fall on the security scale?
"It's actually quite an important one. If you look at security it's not a pure-play technology issue. It's people, process and technology. We continually need to do a better job on educating people about how to use technology in a secure manner and to again repeat what has been told so many times before, not to click on email attachments coming in even if their coming from friends. It has to be a general policy for the organization."
What more can be done?
"Many organizations are starting to put separate guest networks in place where (temporary and contract employees) have limited access to resources within the organization applying the same techniques we have been doing on the Internet for a long time. This is happening as we speak. There is no need for a temporary consultant to have access to whole network."
With the popularity of Web services gaining ground daily, does that technology make your network more or less secure?
"Web services ... have enforcement mechanisms built in by nature and therefore those Web services have an ability where you don't need to worry about internally structuring access instead its basically part of what the Web service provide to you."
What effect are ever-expanding network access points and Web services having on security? "This is a big, big problem companies have today: to notice on a methodical and regular basis ... 'What does my perimeter look like?' What devices are there, what resources are exposed, what services are out there? I wouldn't necessarily say this is related to Web services. This is more like a general process issue companies have today. This could happen with any application. It's not limited to Web services."
Finally, what is more important for good security, governance or technology?
"I think the technology is the means to deliver (services). It's all about the respective processes around it. It's really, again, the combination of people, process and technology. The process part is definitely a very important and significant part. You can build the greatest technology (but) if it's not properly leveraged, if it's not properly configured and it's not properly maintained, you are not going to get the benefit if you had, on the other hand, done a good job of putting the right processes around it."
Want to discuss the issues raised in this Q&A? Take it over to our IT Management Forum.