Today, bounded environments ensconced within
clearly demarcated perimeters are giving way to a milieu where
gateways are obsolete. In this environment, the distinction
between insiders and outsiders is blurred, and organisations
neither have central administrative control over their information
systems nor do they have access to a global view of events occurring
therein. In such an environment, it is almost impossible to
thwart cyber attacks. Traditional models of information security
fail to deal with the security problems associated with open-ended
environments.
Given the fact that no system is totally immune to attacks
in an unbounded environment, there is now an intense focus
on ensuring survivability of mission critical systems and
essential services, despite the presence of cyber-attacks.
Emerging technologies such as grid computing and web services
make unbounded environments even more vulnerable, mandating
the need to build capabilities into systems such that they
have the resilience to survive an attack and continue to fulfill
their mission in a timely manner. The 'survive' philosophy
of modern information security is a big departure from the
'prevent' viewpoint of traditional security models.
Traditional Network Security
When organisations began deploying firewalls as security tools
a decade ago, they could easily define the network perimeter.
Most people who had access to corporate networks worked on
desktop computers in the main office; and external connectivity
was virtually non-existent. A simple firewall-based demilitarized
zone between the private and public network could provide
adequate protection. In this traditional approach to network security,
the whole aim was to put into place firewalls and create an
environment to keep people out - much the same way as a fortress
was meant to keep attackers out. For centuries, rulers built
castles with moats and stone walls as protection from invaders.
These obstacles provided an effective first line of defence
against enemy attacks. In the traditional fortress model of
network security, firewalls and intrusion-detection systems
were meant to serve the same function as walls and moats.
Fortress security model
A major lacuna of the fortress model was its dependence
on trust for its success. Anyone outside the gate is suspect;
anyone inside is trusted. If someone got inside, they could
pretty much do what they wanted. In an unbounded environment,
trust becomes an extremely complex concept. Trust is especially
difficult to establish in the presence of unknown users from
unknown sources outside one's own administrative control.
In unbounded networks where everyone is an insider and often
unknown, there are always numerous untrustworthy insiders.
A fortress model is only as strong as its weakest component.
If a trusted insider abuses his or her authority, or an intruder
finds an exploitable vulnerability in a security perimeter,
the entire system can be compromised.
Airport security model
The airport security model is based on the environment
that prevails in a typical airport. There are two significant
characteristics in an airport. Firstly, there is no differentiation
between insiders and outsiders. Everyone - airport staff,
security staff, and passengers - goes through the same security
scrutiny. Secondly, there are many logical layers of security.
Passengers authenticate themselves at various zones, starting
at the entry into the airport terminal, right up to the point
where they enter the aircraft. The security check at these
places is typically done by a 'different' security agency
to eliminate any collusion. Airport security, therefore,
employs an efficient system of 'layered defence'.
On similar lines, the airport security model (which has replaced
the traditional fortress model as the preferred model in emerging
unbounded environments) is robust, flexible and situational,
with multiple zones (or layers) of security based on role.
'Gates' to zones can employ multiple overlapping technologies
for identification, authentication and access control, depending
on the individual's role and the purpose of the zone. Even
if one zone is breached, the system remains safe. The result
is a series of fortresses within the fortress.
Point-to-point security model
Point-to-point 'dynamic trust' is the future model for
a highly networked world. It requires point-to-point authentication
and trust, from any user on the network to any other user.
It uses multiple overlapping or alternative technologies and
assumes that all parties to transactions must identify and
authenticate themselves and prove their right to participate.
This model corresponds most closely to a world heavily populated
with intelligent wireless devices.
All three models are responses to specific risks and eras.
The fortress worked in the mainframe era. The airport model
works for most enterprises now. The point-to-point model is
required for a world where high levels of transactions are
conducted wirelessly, anywhere, anytime.
Virtual Enterprise Networks
In the prevailing unbounded environment, organisations
have to work with an ever-changing list of 'external' people
and organisations. In these relationships there is a need
to share information with someone (or something) physically
located outside of the traditional enterprise security perimeter
guarded by the firewall. As boundaries between internal and
external environments become irrelevant for enterprise
networks, a new identity and access management infrastructure
for providing security services is emerging - the Virtual
Enterprise Network (VEN).
The VEN (based on the airport security model) is an alternative
to traditional security with demilitarized zones, providing
robust 'layered defence' so that even if someone got inside
one layer, there would be other layers to protect the organisation's
information resources. The upshot is a model that builds on
the existing infrastructure, but plans for a distributed perimeter.
The VEN defines four logical layers -
(a) The resource layer. This layer houses clients,
servers, applications and data, and is the innermost layer.
(b) The control layer. This is a new layer, not found
in traditional security models. Authentication services
reside in this layer, as do controls for security policies
across layers.
(c) The perimeter layer. This layer contains firewalls,
proxies and gateways that enforce physical and/or virtual
boundaries between intranets and the Internet, or other security
domains.
(d) The extended perimeter. This is the outermost
layer. Here organisations engage technologies or services
to secure resources physically located outside the perimeter.
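
The difference between the fortress model and the airport model (on which the VEN is based) can be made concrete with a small simulation. This is an added example, not part of the original article: the layer names come from the list above, while the roles, the per-gate keys and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# VEN layer names are from the article, outermost first; roles per gate are assumed.
LAYERS = [
    ("extended_perimeter", {"partner", "employee", "admin"}),
    ("perimeter", {"partner", "employee", "admin"}),
    ("control", {"employee", "admin"}),
    ("resource", {"admin"}),
]
ORDER = [name for name, _ in LAYERS]
ALLOWED = dict(LAYERS)
# Constructed per-gate keys: each gate is run by a "different agency", so a
# credential accepted at one gate proves nothing at another.
GATE_KEYS = {n: hashlib.sha256(f"constructed-{n}".encode()).digest() for n in ORDER}


def issue(layer, user, role):
    """Credential valid at one gate only, bound to user and role."""
    msg = f"{user}|{role}".encode()
    return hmac.new(GATE_KEYS[layer], msg, hashlib.sha256).hexdigest()


def gate_ok(layer, user, role, creds):
    """A gate admits a caller whose role is allowed and whose credential verifies."""
    presented = creds.get(layer, "")
    return role in ALLOWED[layer] and hmac.compare_digest(presented, issue(layer, user, role))


def fortress_reach(user, role, creds, breached=frozenset()):
    """Fortress: one check at the perimeter; everything inside is trusted."""
    inside = ORDER[ORDER.index("perimeter"):]
    ok = "perimeter" in breached or gate_ok("perimeter", user, role, creds)
    return inside if ok else []


def airport_reach(user, role, creds, breached=frozenset()):
    """Airport/VEN: every layer re-checks; stop at the first gate that refuses."""
    reached = []
    for layer in ORDER:
        if layer not in breached and not gate_ok(layer, user, role, creds):
            break
        reached.append(layer)
    return reached
```

With the perimeter gate marked as breached, `fortress_reach` returns every inner layer including `resource`, while `airport_reach` stops at the `control` gate.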