Perspective: Security perimeter? What security perimeter?

One of the questions I'm frequently asked is, "If perimeter-based data security strategies are breaking down, why aren't more companies using encryption to protect their confidential information?"

Although I'm not sure I agree completely with the question's premise, I believe what we're seeing has less to do with the role encryption will play protecting confidential information than the rate at which enterprises can really upgrade their core information infrastructure.

Encryption is not the kind of technology that can be "painted on" an existing set of information technology assets. Achieving comprehensive enterprise data protection requires a change in both policies and technology at the architectural level, followed by deliberate deployment everywhere sensitive information resides.

What I'm seeing from the largest PGP Corp. customers is a belief that security now must travel with the data wherever it goes throughout the world.

As one of my favorite chief information officers observed, "Rome wasn't built in a day, and that was a far easier goal to accomplish."

What I've observed, particularly in the last year, is the growing understanding by IT security professionals that Gen. Patton was correct when he observed that "fixed embattlements are monuments to human stupidity."

With the vast majority of mission-critical data now being created and consumed on mobile devices outside most corporate security perimeters, data security experts globally have realized that fixed data embattlements are a necessary but insufficient component of a comprehensive enterprise data protection strategy. These companies are rethinking their security strategies, and the leading firms (primarily in financial services and manufacturing) are implementing solutions that assume there is no perimeter in the classic sense. Most if not all of these new approaches involve broad deployment of various encryption technologies.

The Jericho Forum has been promoting this concept of "de-perimeterization" for a number of years. What I'm seeing from the largest PGP Corp. customers is a belief that security now must travel with the data wherever it goes throughout the world. Because upgrading the security policies and technology in a large enterprise takes time and careful planning, however, this is not the type of trend that pops out fully formed--like a YouTube or Facebook--but evolves over time to address changing threat models.

The other phenomenon driving this trend is the growing understanding that no institution is immune to the type of breach experienced by TJX in early 2007, or even the massive breach the British Treasury experienced in late November in which an employee burned extensive personal information on 25 million British subjects onto two CDs and dropped them in the mail--never to be seen again.

So although de-perimeterization and the assumption that all firms are vulnerable are the current drivers for encryption adoption, there's a third, less well-understood phenomenon I believe will become increasingly important in the next two years: the hard dollar costs of a breach.

TJX disclosed recently that it may spend $500 million mitigating the effects of its breach. The most recent study by the Ponemon Institute, which tracks the cost of breaches, estimates that each compromised record costs an affected company $197, up 8 percent from 2006 and 43 percent from 2005. I expect both the number of breaches and the cost-per-breach to increase in the short term as the profitability and popularity of identity theft rise in the increasingly organized international criminal community. This trend will, in turn, put increasing pressure on public and private institutions to protect sensitive data regardless of where it resides in the enterprise.

The final factor affecting the rate at which encryption technologies are deployed is the knowledge that to protect all data in motion and at rest in a large enterprise effectively, it isn't enough to deploy one point solution for e-mail, one for laptops, a third for shared storage, and so on. Most CIOs know from hard experience (and early public-key infrastructure deployments) that a combination of such point solutions usually leads to data that is actually less secure and/or less available to those who need it.

Encryption by itself is not the answer, and the fact is that building or deploying a simple, single application encryption technology just isn't that hard. The magic of enterprise data protection occurs when it is combined with a comprehensive data protection policy and key management system, and encompasses all of an enterprise's business, compliance, and security requirements.

Building systems that meet these criteria is hard and should be undertaken only when implementers truly understand all of the enterprise's threat models and have identified the most cost-effective, scalable solutions.

Biography
Phil Dunkelberger is chief executive of security software company PGP Corp.

More Perspectives

[skswave]

Phil you forget to mention TPMs

Phil,

Nice article but you neglect to discuss the industry standards authentication technology for deperimeterization. Trusted platform Modules are now in all corp computers. This is a hardware security chip that will create and hold the keys that are used for VPN access, WIFI access and windows logon. The reason that IT should be turning on the TPMs is that they will provide hardware protection of the access keys so that they can never be stolen by a virus or maleware. Almost all of the existing VPN and WIFI solutions support TPMs. You referanced TJX they actually had a WIFI connection security problem That would have been solved by using Their TPMs and WPA2 encryption. It is time to provide all of the IT shop practical advice on how to address securing their mobile users. Encrypt the data on your hard disk use software for the installed base and buy hardware encryption for new machines as part of the harddrive. Turn on the TPM and use it to store the keys for your VPN and WIFI connection (ask your network equipment supplier for supplemental instructions for the TPM or your PC manufacturer)

Steven Sprague
CEO
Wave Systems Corp.

[joncallas]

We definitely believe in TPMs!

Stephen,

Thanks for the comment. We're firm believers in TPMs we have
even done the extra work to support many of the older TPMs
that are present in previous-generation corporate computers.

You're absolutely right that a TPM-based authentication system
could have helped TJX. But also remember that at the time that
they were hacked, this wouldn't have been possible for them.
Also, they would have had to implement it correctly, and the
hack occurred because of incorrect implementation.

The TJX story is a lesson to us all because it was a targeted,
criminal attack on the financial system using the weaknesses in
a retailer's network. It shows that we all have to be vigilant as a
community and police ourselves better because a flaw in one
place can cause problems for many, many people.

That means security everywhere. TPMs are an important part of
security everywhere, but like any single subsystem, they are only
part of the total solution.

Regards,
Jon Callas
CTO/CSO PGP Corporation

[wbenton]

ISMS Standards

The purpose of ISMS in IT is to ensure the protection of data. Within those ISMS guidelines, they cover data encryption amongst other things.

One of them being data encryption for USB memory sticks as well.

These and many other policies are covered within the ISM standards.

All one has to do is to read, survey and implement them as they're written!

Sure it may take time, but hey... as the article says... Rome wasn't built in a day. And as such, security must start somewhere.

Thus even though the final process may take a little while, it won't start until one decides to follow proven procedures.

And ISMS standards are such procedures!

Walt