For two decades, the dominant security model has been location-centric. We instinctively trust insiders and distrust outsiders, so we build security to reflect that: a hard perimeter surrounding a soft inside. The model works best when there's only one connection to the outside, offering a natural choke point for firewall defense.
Of course, nowadays most of the operating assumptions behind this model are false. The perimeter is permeated by dozens of connections to the outside world. Mobile devices and users regularly cross the perimeter and plenty of "outsiders" have access to company resources. But the most glaring discrepancy is that we treat network identifiers (IP addresses) as authoritative identifiers even though they are fleeting and imprecise.
IN PICTURES: 10 scariest hacks from Black Hat and Defcon
Increasingly, companies are shifting the security model to an identity-centric model where users are explicitly authenticated and their ID is tracked through the various security layers. This makes the policies easier to manage and more secure as we no longer use the IP address as a "proxy" identifier in place of users, but instead identify the users regardless of their location or IP address.
The shift from location-centric to identity-centric security has been ongoing for a few years now and will likely take a while before becoming the predominant security model. In the meantime, most companies end up with a hybrid model of both location- and identity-centric elements. The perimeter is still important, but is increasingly just one of the layers of protection and is supplemented by strong user authentication, application controls and user-centric logging and auditing.
There's one area of security that is still solidly location-centric and that's compliance. Because of the high cost of regulatory compliance, most companies use a strategy of "scope containment" to keep compliance in one corner of the business and not have to make the entire infrastructure compliant. So, for example, if a company has to comply with PCI, it doesn't make its entire environment PCI compliant but rather it segments the PCI components from the rest of the network and limits the scope of the regulations to only one network segment. Of course, this is an entirely location-centric model, which contradicts the overall trend toward identity-centric security.
Eventually, most companies will have to reconcile these two security models and move to identity-centric security across the board; it's the only way to maintain security in a mobile and dynamic world. This will mean addressing compliance through virtual segmentation rather than physical segmentation, opening a whole new market of virtualized security for compliance.