As recently as three years ago, if you asked IT executives to describe their information security strategies, you’d get an earful about “perimeter hardening” (carefully firewalling all points of the network connected to third parties). The idea was that if you locked down access to your network, you’d automatically protect applications, data and resources.

That approach worked fine for a while. But anyone who bases a security strategy on perimeter hardening these days is headed for trouble. Most large organizations today are adopting an information-protection strategy known as “defense-in-depth” that’s more comprehensive (but also more challenging) than previous approaches.

Defense-in-depth lets IT executives more effectively tie their network security strategies into the overall organizational “information stewardship” policy. As noted in my last column, over time I believe the discipline of information stewardship will encompass not only information management but security, storage and recovery – which makes migrating to a defense-in-depth architecture even more critical.

The fundamental challenge? You can’t achieve security by keeping all third parties off your network. That goal is virtually impossible to attain: 100% of IT executives who participated in a recent Nemertes security benchmark said they granted third parties at least some access to sensitive resources. Even if it were possible, doing so would preclude many critical business processes, which require organizations to be able to communicate effectively with partners, customers and suppliers. The world is increasingly externalized, and any security strategy that doesn’t recognize this is a non-starter.

And as we all know, outsiders aren’t always the bad guys. Insiders commit the majority of computer security breaches (80%, according to a CSI/FBI 2003 survey).

To create an effective defense-in-depth strategy, IT executives need an architecture that intelligently grants permission to applications, data and resources. Typically this means deploying identity management systems that recognize the identity of an individual or application attempting to gain access and map it against the policy for that type of access. That, in turn, requires a highly detailed understanding of what is being protected and from whom.

It’s often the data (not applications or devices) that’s most critical, thanks to privacy and accuracy regulations most organizations must now comply with. This has many implications. Network managers might need to revise encryption strategies, replacing link-layer encryption (which protects data on the wire but not in the system) with end-to-end encryption that protects data from unauthorized access even by insiders. Obtaining root-level access to routers and servers shouldn’t provide access to data; even database administrators might not get to see all the records that, say, business managers might see.

Bottom line: Network managers should reassess their security architectures in the overall context of “information stewardship” – and enabling defense-in-depth is a great first step.
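
An added illustration, not from the original column, of the identity-to-policy mapping described above: a default-deny check in which a role and an access type are mapped to the data classifications they may touch, so a database administrator with root on the server still cannot read regulated fields. The roles, classifications, sample record and function names are all constructed for this example, and it covers only the authorization layer, not encryption.

```python
from dataclasses import dataclass

# Constructed policy: (role, access type) -> data classifications allowed.
# Any pair not listed here is denied (default deny).
POLICY = {
    ("business_manager", "read"): {"public", "internal", "regulated"},
    ("dba", "read"): {"public", "internal"},
    ("dba", "maintain"): {"public", "internal", "regulated"},
    ("billing_app", "read"): {"public", "regulated"},
}


@dataclass(frozen=True)
class Identity:
    name: str
    role: str                      # role of the individual or application
    host_privilege: str = "user"   # e.g. "root"; deliberately never consulted


# Constructed record: every field carries its own classification.
RECORD = {
    "customer_id": ("internal", "C-1001"),
    "region": ("public", "EMEA"),
    "ssn": ("regulated", "000-00-0000"),
}


def is_allowed(identity, access_type, classification):
    """Map the identity's role and the access type against the policy."""
    return classification in POLICY.get((identity.role, access_type), set())


def read_record(identity, record, audit):
    """Return only the fields this identity may read; log every decision."""
    view = {}
    for field, (classification, value) in record.items():
        allowed = is_allowed(identity, "read", classification)
        audit.append((identity.name, "read", field,
                      "allow" if allowed else "deny"))
        if allowed:
            view[field] = value
    return view


if __name__ == "__main__":
    log = []
    print(read_record(Identity("alice", "business_manager"), RECORD, log))
    print(read_record(Identity("bob", "dba", "root"), RECORD, log))
    print([entry for entry in log if entry[3] == "deny"])
```

The decision depends only on role, access type and data classification; privilege on the host never enters it, and each denial is recorded for review.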