Thanks to complex perimeters, sophisticated application-level threats, and regulations that hold CEOs and CIOs accountable for company data, security must now be regarded as more than a bunch of technologies tacked onto the network. “Companies are realizing they must approach security at the enterprise level,” says Rich Caralli, senior member of the technical staff at the CERT Coordination Center’s survivable enterprise management group. “Rather than chasing the latest threat, they’re working on identifying and securing directly the core business processes and information assets essential to the company mission.”
In fact, security is moving so deeply into business processes and infrastructure that it may someday disappear as a category unto itself. “As organizations develop more mature capabilities in business and IT processes, they’re seeing the significant security benefits,” Caralli says. “They’re moving beyond just patch management, for example, to configuration management or availability management.” No matter what you do in the enterprise, he adds, your function is likely to include information security.
If anything has eliminated the effectiveness of traditional perimeter security, it’s the growth of anytime, anywhere access.
“Companies used to depend on employees carrying around a notebook with a VPN for remote access,” says John Pescatore, vice president of Internet security at Gartner. “But with SSL VPNs, employees now access the network from home computers, other companies’ computers, kiosks, Kinko’s, and cybercafés.”
Pescatore recounts that at a recent RSA conference, he stepped up to a kiosk that displayed a venture capitalist’s e-mail revealing that company X was in for $2.1 million. Or, to take a less spectacular example, a dab of keyboard-logging spyware on a system at FedEx Kinko’s can easily capture an employee’s password and send it to an attacker. And because telecommuters often share their home computers, a little laxity by Junior as he downloads music on the same machine can breed infection, thereby compromising the corporate network.
Enterprises have also wrestled with the security implications of outsourcing, connections with partners and suppliers, and the growth of Web services. “They can’t just hope that the call center in India handling customer data or the company they outsource payroll or sales-force automation to understands and meets their security requirements. They must take into account the impact of an attack or infection on that company’s network,” Pescatore says. The same goes for connected partners and suppliers.
“No doubt Web services and applications reduce the value of traditional firewalls, as companies have to expose data to the world,” says Johannes Ullrich, CTO of The SANS Institute’s Internet Storm Center.
With more application-layer exploits sneaking past traditional firewalls as legitimate port 80 traffic, companies have turned to application-savvy intrusion prevention solutions, as well as application layer and XML firewalls placed strategically to protect specific sensitive data. In fact, these capabilities are increasingly merging with traditional firewall solutions.
“By 2006, when someone buys a firewall, they’ll also be buying intrusion prevention,” Pescatore says. He also sees XML and Web application security merging with content-filtering products, as evidenced by F5 Networks’ purchase of Magnifire.