On the security road to 'de-perimeterization'

I first heard the term "de-perimeterization" back around 2004. This expression was attributed to the Jericho Forum, a group of chief information security officers and industry leaders who anticipated a new business requirement and security challenge. Jericho Forum knew that ubiquitous global connectivity spelled the end of the network "walled garden"--private corporate networks protected by perimeter devices like security gateways and firewalls. As more and more organizations opened their networks, developed externally focused applications, and welcomed new, untrusted users, information security was bound to get a lot more difficult.

According to ESG Research, the 2004 Jericho Forum vision is now a solid reality. In a recent survey, 60 percent of enterprise (i.e. organizations with more than 1,000 employees) share confidential data with non-employees. In other words, the data is flowing beyond the "walled garden" on a regular and increasing basis.

Jericho Forum now makes its home at the Open Group office in Reading, U.K., and is dedicated to open standards that make global data sharing and collaboration more secure. For my part, I fully support this effort. Here are a few standards that would help in this effort:

1. Key Management Interoperability Protocol (KMIP). This standard is being driven by EMC, IBM, Hewlett-Packard, Thales, and a few other vendors. The thought here is to provide any-to-any connectivity between cryptographic devices and key management systems. This could pave the way for encryption key sharing and key management system communication across disparate organizations.

2. Open Authentication (OATH). The thought here is to provide a reference architecture for strong authentication (i.e. tokens, smart cards, biometrics, etc.). Good idea but industry wrangling and politics seem to be holding this one back. I don't really care if OATH itself succeeds but we need an open authentication reference model ASAP.

3. Extensible Access Control Markup Language (XACML). Authentication gets you by the bouncer and in the club. Not everyone who gets inside has equal privileges however. How do you separate the VIPs from Joe Average? Entitlement management. XACML has the potential to make entitlement management much easier and responsive than it is today.

This is just a sample. Please comment on others that should be included on a more exhaustive list.

We also need standard tags for data classification and confidential data security policy enforcement. If an Excel spreadsheet contains Social Security numbers, the file should have a standard meta data tag that tells operating systems, e-mail, and gateway filters to take special actions like encrypting the file or preventing a user from making a copy to a USB drive. This type of standard would make enterprise rights management far more mainstream. If Microsoft and Adobe Systems teamed up, they could really accelerate a standard in this area.

Jericho Forum was spot on in 2004, but as an industry we are still dragging our feet. If this continues, the security industry could actually become a real, not just a perceived, business bottleneck.

[ManuNamboodiri]

Interesting post. The concept of de-perimeterization is very valid. There is no way one can protect every device, perimeter or network - the better approach will be to complement the existing protection with an information-centric approach. I.e. protect the data itself.

I would also add to the three points the idea of universal/standardized policies (you touch on this above). How does one represent access controls, classifications, policies to prevent printing etc so that a document protected by one product can be collaborated with using another product? And maybe to push the Microsoft analogy further, some of these "actions" could be embedded in the OS itself - why should every application be modified in order to prevent printing or copying? If the OS could have APIs that enforce based on policies embedded within documents, it might become easier to get to more application independent ERM solutions...

Disclosure - I work for BitArmor

[ayeomans]

The other essential standard is an open data format for protecting data.

You allude to this in your suggestion of Microsoft teaming with Adobe, but the problem is simultaneously simpler and more complex than current ERM. The business requirements that Jericho Forum have been considering differ somewhat from the design goals of current ERM (which have mostly come from the digital media industries). For example, data classification is really a process, not a single-point-in-time label, and changes through the lifetime of the data. Sometimes the rules can be defined in advance, but not always. And when collaboratively transferring data between different organisations, each organisation's rules may differ. Regulated industries often require a full audit trail of data, and a ERM system that allows the creator of that data to arbitrarily deny access is just not acceptable to the auditors. So there are complexities in how to express a usable security policy for that data.

However, the protection itself is a rather simpler issue, as we don't have many options apart from encryption. My strawman proposal for a open interchange format is an encrypted ZIP archive. That supports any file format, and also handles multiple objects. It allows the policy rules to be stored with the data, perhaps using XACML syntax held within a separate control file within the archive. Current operating systems already have some support for ZIP files, which helps answer Manu's point. These would need extending to provide a policy decision/enforcement point, linked to the key management system. But this would then work transparently on all files.

Andrew Yeomans - Jericho Forum