Posted by: adelvecchio
A standard question we ask when working with clients is how they go about assessing their organization’s information security architecture. An integral part of our risk assessment engagements is a thorough architecture assessment. We like to explain it as working logically from outside of the organization to the inside, all the way up to executive management. In a four-part series of posts, I’ll look at perimeter security, network security, host security, and administrative security as distinct elements in an overall information security architecture and explain the best way to evaluate the current state of each.
Perimeter security is likely the most familiar concept in information security, as most people have at least heard of a firewall and the resulting concept of trusted and untrusted networks. But as time goes on, perimeter security evolves too. At its core, perimeter security seeks to protect an organization from threats outside its four walls (including the walls of its virtual locations). Since the birth of the Internet, security professionals have been focused on the threats associated with connecting our systems to a larger, untrusted network, but because technology is ever-evolving, the definition of the “perimeter” has expanded along the way.
Not only have organizations become more virtualized in their locations and in their employee office allowances/expectations, but with the arrival of radio-based networking and the widespread adoption of WLAN technology, even the concept of ingress/egress has changed drastically. Enterprise-wide authentication and authorization for access over the radio waves became paramount in an effort to construct virtual walls around this new, highly desirable technology.
Prior to WLAN becoming mainstream, points of ingress/egress were almost exclusively limited to the realm of “the telco” (i.e. WAN circuits and dial-up modems), which explains why almost all of us technical security geeks had to wear a part-time telco hat in addition to our full-time InfoSec hat. As “always on” connections became more ubiquitous, focus shifted from modems to virtual private networks, and again, the view and nature of the threat associated with the perimeter shifted. No longer was it safe to assume that an authenticated remote user was a known commodity or that he was alone in his access to the network. Access control applied higher up the Open Systems Interconnection (OSI) stack became a permanent fixture in the discussion around remote access.
Given these few examples, it’s easy to picture the definition of the perimeter continuing to evolve over time. In fact, it would be naïve not to recognize that. The most important part of evaluating perimeter security — as part of an overall enterprise architecture assessment — is to recognize that, because of technology advances, the definition of the perimeter is subject to change faster than any other single element within the architecture. Being open to and knowledgeable about what currently comprises the perimeter, as well as its security best practices, is a key element in ensuring a thorough information security architecture assessment.