Deperimeterisation has become the latest buzzword garnering interest in IT security management, but it is also attracting controversy. Its central proposition is that the current approach to information security is untenable given the proliferation of mobile devices, remote working, internal threats, outsourcing and corporate networks opened up to partners and customers. Current systems, reliant on perimeter security, are characterised as having a ‘hard shell and soft centre'.
The proposed solution to this is a complete re-architecting of the security infrastructure; less reliance on firewalls and more data-level protection. But while many have argued over the theory, few have put it to the test in practice.
Oil giant BP is one of the brave few to have attempted deployment of such an architecture. Dr Paul Dorey, chief information security officer at BP, is a founding member of the Jericho Forum, a group of blue chip security chiefs and chief proponents of deperimeterisation.
"The perimeter has already been breached and the security problems are with us," he says. "In security we could well have started to paint ourselves into a corner. It's time we recognised that and found our way out." That makes deperimeterisation inevitable, he adds.
BP is a highly distributed organisation, with significant operations in over 135 countries. It has 110,000 employees, the majority of whom are highly mobile, and thanks to extensive use of contractors, partners and outsourcing, a further 200,000 people work in and around the company. The nature of the industry means that competitors are often joint venture partners too.
"It's hard to draw the line that says ‘This is BP and this is another company'," says Dorey. While legal factors and corporate governance do make for some clear divisions, "you can't do it by buildings and you certainly can't do it easily nowadays by even networks. We are pretty much the virtual enterprise archetype."
This means that BP has had to tackle its security model sooner than most, though Dorey predicts that most companies are heading in this direction.
The current malaise
The current BP architecture has the usual combination of clients and servers, protected by firewalls to keep out what Dorey, with tongue in cheek, calls the "extremely wicked Internet". When the company works with partners and on joint ventures, it creates a "slightly naughty" extranet that is "controlled somehow by both parties and there are firewalls either side".
Those extranets are expensive to run but, more importantly, slow to install, and with oil projects clocking up millions of dollars a day, delay can be damaging. "So we're saying: ‘Wait a minute, aren't we holding up our business again?'" confesses Dorey.
However, while agility is important, a security breach would also hold up the business. If one corporate PC is infected with a virus or worm, it spreads around the company very quickly.
But Dorey believes there is a solution to both problems: moving applications on to the Internet. "Does an Internet bank care if a client's system is infected? Not really," says Dorey. "Does it bring down the bank's network? No. The banking application might reject them if it's smart, but it doesn't infect other systems inside the bank because it's all kept on the Internet."
The security measures – layered firewalls, load balancing ‘demilitarised' zones, monitoring – are put on a host pointed at the Internet. Anyone wanting to log in simply goes to the correct URL to receive a user ID. The solution is both agile and secure, says Dorey, although it looks to gain initial acceptance from dealings with third parties rather than senior executives conducting sensitive business. "The architecture we want to move to is to not have a corporate network at all, but actually use the Internet," says Dorey.
If someone tries to connect with an infected machine, it does not matter because it is out on the Internet – a considerably more robust infrastructure than a corporate network.
Living on the Net
About 10,000 BP employees are now "living on the Net" in this way. These users have been risk-assessed as having office-type behaviour and are typically road warriors, so they have the most to gain and the least to lose from the new model.
They get their patches direct from the vendors' websites, with direction from BP's IT department. From time to time, BP's security team brings clients into the network to check that their settings are correct. If something is wrong, they point them to the correct website to remedy the problem.
"Our risk assessments have so far found that they are better protected than the clients inside the corporate network," says Dorey. He acknowledges that this approach created new problems. Sending data across the Internet requires encryption, for which BP uses SSL, for example to connect to the external email system. A particular concern is securing data held locally on the machine, so BP is investigating digital rights management to help put protection at the data level. Without a firewall, users lose the ability to monitor or block port traffic, and any product solving this would need to do so in a distributed architecture. Other gaps that need filling in vendors' current offerings include authentication services that operate between third parties and trust broking capabilities.
But there is a dearth of products available today that can cater to these needs. BP has had to bolt together three different vendors' products to get to where it is today, and poor integration and interoperability between them made this a tough job.
This is where the Jericho Forum comes in: to stimulate better communication between the user and vendor communities. While it is easy to chastise vendors for selling poorly suited products, they "have only been selling what customers have asked for," he says. Users need to take more ownership of the problem and explain the realities of their working practices, he adds.
The Jericho Forum leaders want to "start talking about these dirty secrets that people have been chasing after and feeling inadequate about" – including not being able to guarantee 100% security. "We're saying, don't feel inadequate, no-one can do it – it's impossible. You'll put in more and more money and never get there.
"And we're saying to the vendors, we can give you something you've never had: a user community that can articulate what it wants."