With all of the recent focus on locking down our national borders and the Minutemen, I am given pause to consider the parallels with perimeter security on corporate (and other organizations') data networks.
Amidst all of the partisan accusations, of racism on one side and of endangering our national security on the other, the truth lies somewhere in the middle. We need to restrict criminals' access to our territory, and we need the vital flow of immigrants and others into our nation. We also need to protect cornerstone ideals of our nation such as freedom and privacy rights.
We realize that our border checkpoints are unable to identify every criminal who attempts to enter or exit this country, but once we identify someone who is intent on criminal behavior we should expect that they be ejected, and then identified and prevented in future attempts to enter this country or to avail themselves of our resources. Since we expect some criminal behavior (domestic or foreign) within our borders, we need suitable defenses within as well (this is called 'defense-in-depth'). For high-profile targets, such as airports, we would do better to have a secure and trustworthy identification system that allows known users to suffer minimal disruption, while unknown or new users endure a more rigorous screening process until their trust has been established over time. For lower-profile sites, such as retail stores, the silent alarm is adequate for bringing sufficient force to bear on bad behavior. Financial systems, however, which are increasingly hampered by fraud, will see new mechanisms brought to bear; the aforementioned strong identification system would be helpful in this regard.
So too, in the electronic realm of network firewalls, we see the dispute over perimeter security continue. Just as in the physical world, locking down the rules of network firewalls gives an illusion of security. Bad guys find a variety of ways to circumvent firewalls, usually by simply going around them: finding a weak spot elsewhere in the perimeter (a traveling employee's laptop, a partner connection) and then working from the inside. Internal systems (PCs and servers) are loosely protected because everyone relies on the protection the firewall appears to provide. At the same time, tightly locked firewalls hamper legitimate business operations, which are increasingly done in electronic form.

The solution here is to add more layers of internal defense around the critical servers that hold sensitive data: harden the OS, keep it patched, run anti-virus, use strong identity management (PKI) with encryption, put application-level firewalls in front of it, and log and monitor what happens. The point of these layers is that a request reaching a sensitive server is judged on its own merits (where it came from, who is presenting the credential, and whether that identity is entitled to that data) rather than trusted because it arrived from an 'inside' address. PCs need to be capable of operating in hostile environments and of giving users friendly yet strong handling of their identity credentials.

The perimeter security model is often compared to an egg (or a piece of candy): 'hard and crunchy on the outside, but soft and chewy on the inside'. We know from experience the danger this model presents: once a 'bad element' has gained entry to the internal network, the damage potential is extremely high. At one time networks were closed, but the reality is that organizations are opening their networks to outsiders (suppliers, consultants, outsourced service providers, partners, contractors, customers and visitors), while at the same time employees are often traveling and expected to use their company laptops and handhelds on the Internet and on remote networks as part of their work.
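To make the layered model concrete, here is an added illustrative example in Python; it is not code from the original post. It models one sensitive server protected by three internal layers: a per-server network ACL (the host-level firewall), a signed identity credential (an HMAC-signed token with an assumed demo key stands in for the PKI credential mentioned above), and an application-level role check, with every decision written to an audit log for monitoring. It then runs the same constructed requests through a perimeter-only policy that trusts anything not coming from the Internet, including a request from a compromised host that is already inside. The zone names, server names, roles, addresses and key are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumption: a shared HMAC key stands in for the PKI/identity system; a real
# deployment would verify certificates or tokens issued by an identity provider.
SIGNING_KEY = b"demo-key-not-for-production"

# Assumed per-server network ACL: which internal zones may open a connection.
SERVER_ACL = {
    "payroll-db": {"app-tier"},
    "hr-files": {"app-tier", "hr-desktops"},
}

# Assumed application-level check: the role a credential must carry per server.
SERVER_ROLE = {
    "payroll-db": "payroll-service",
    "hr-files": "hr-staff",
}


@dataclass
class Request:
    src_zone: str        # network zone the connection comes from ("internet", "app-tier", ...)
    src_ip: str
    dst_server: str
    token: str | None    # signed identity credential, None if unauthenticated
    now: int             # current time in epoch seconds (passed in for deterministic runs)


def issue_token(user: str, roles: list[str], issued_at: int, ttl: int = 300) -> str:
    """Mint a signed credential: hex(claims JSON) + '.' + HMAC-SHA256 over the JSON."""
    claims = {"sub": user, "roles": roles, "exp": issued_at + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + sig


def verify_token(token: str, now: int) -> dict | None:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body_hex, sig = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def perimeter_only(req: Request) -> str:
    """The 'hard and crunchy outside' model: anything not from the Internet is trusted."""
    return "deny" if req.src_zone == "internet" else "allow"


def layered(req: Request, audit: list[dict]) -> str:
    """Defense-in-depth around one sensitive server: network ACL, then identity,
    then application role. Every decision is appended to the audit log."""
    def record(result: str, reason: str) -> str:
        audit.append({"ts": req.now, "src": req.src_ip, "zone": req.src_zone,
                      "dst": req.dst_server, "result": result, "reason": reason})
        return result

    if req.dst_server not in SERVER_ACL:
        return record("deny", "unknown-server")
    if req.src_zone not in SERVER_ACL[req.dst_server]:
        return record("deny", "zone-not-permitted")          # host-level firewall
    if req.token is None:
        return record("deny", "no-credential")               # identity layer
    claims = verify_token(req.token, req.now)
    if claims is None:
        return record("deny", "bad-or-expired-credential")   # identity layer
    if SERVER_ROLE[req.dst_server] not in claims["roles"]:
        return record("deny", "role-not-authorized")         # application layer
    return record("allow", "sub=" + claims["sub"])


def scenarios() -> tuple[dict[str, tuple[str, str]], list[dict]]:
    """Constructed requests against payroll-db; returns {name: (perimeter, layered)} and the audit log."""
    now = 1_700_000_000
    good = issue_token("payroll-svc", ["payroll-service"], now)
    # Forged credential: the right claims, but signed without knowledge of the key.
    forged_body = json.dumps({"sub": "attacker", "roles": ["payroll-service"], "exp": now + 300},
                             sort_keys=True).encode()
    forged = forged_body.hex() + "." + "0" * 64
    reqs = {
        "internet-scan": Request("internet", "203.0.113.7", "payroll-db", None, now),
        "legit-app":     Request("app-tier", "10.1.0.5", "payroll-db", good, now),
        # Laptop on the visitor network holding a stolen valid token: inside the perimeter.
        "inside-stolen": Request("visitor", "10.9.0.23", "payroll-db", good, now),
        # Compromised app-tier host that can reach the DB but cannot forge the credential.
        "inside-forged": Request("app-tier", "10.1.0.9", "payroll-db", forged, now),
        # Valid identity, wrong role: the application layer still says no.
        "wrong-role":    Request("app-tier", "10.1.0.5", "payroll-db",
                                 issue_token("hr-user", ["hr-staff"], now), now),
    }
    audit: list[dict] = []
    results = {name: (perimeter_only(r), layered(r, audit)) for name, r in reqs.items()}
    return results, audit


if __name__ == "__main__":
    results, audit = scenarios()
    for name, (perim, layer) in results.items():
        print(f"{name:14} perimeter-only={perim:5} layered={layer}")
    print("audit entries:", len(audit), "denials:", sum(e["result"] == "deny" for e in audit))
```

Run as a script, the perimeter-only policy admits four of the five requests because they originate inside; the layered policy admits only the legitimate one, and the audit log records a distinct reason for each denial, which is what gives monitoring something to act on.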
So too, our national border and our electronic borders must protect us within reason, yet not hamper legitimate and desirable flows of people, commerce and ideas.
Let's agree that we welcome law-abiding travelers, visitors, immigrants, students, workers and guests. Let's agree that we have a duty to prevent criminals from entering our nation. Our border checkpoints need to be smart about stopping known threats, and our borders need to stop unidentified entry.
We can take this a step further using Barnett's model, where we extend our perimeter to the borders of our allies. Each territory between us and the perimeter of the 'core' becomes a security buffer zone. I tried to articulate this in my presentation to the ISSA.
The Jericho Forum calls this deperimeterization, although Mr. Pescatore dislikes the term.