

FEATURE

Information security without boundaries

Steve Durbin, Information Security Forum

Network Security, February 2011

It used to be relatively easy to secure the corporate data boundary. Identifying where it lay was hardly an issue, as the distinction between internal and external network equipment was clear. Securing the boundary was largely a matter of installing point solutions such as firewalls and anti-virus protection along this boundary, and ensuring that data accessed outside this domain was at least encrypted and password-protected.

With the rise of the Internet and high-speed mobile and wireless broadband, all that has changed. The increasing use of the Internet as a business channel, the growing adoption of cloud services, high levels of third-party access to internal systems, and widespread access from remote, often unprotected, locations using a variety of devices make it virtually impossible to define the corporate network boundary, let alone secure it.

Organisations are faced with the challenge of balancing the significant productivity and efficiency benefits that fast, unhindered access to information and applications provides with the need to ensure that sensitive information does not fall into the wrong hands, or that critical applications are not exposed to malicious attack.

Unintended consequences

As reports surrounding the latest Wikileaks revelations show, even the best-protected systems can be subject to data breaches if information security is not worked through right down to user access and device levels. The understandable desire of the US military to ensure that relevant intelligence was available to all personnel who could benefit from it led to the unintended consequence of enabling a low-ranking intelligence analyst not only to access the information but to copy and remove it at will.

The issues regarding the hosting of the Wikileaks website also raise other interesting questions around the legal responsibility attached to hosting the content itself and the responsibility for providing security against further attack. In the area of cloud computing, for example, it’s still very much ‘buyer beware’ when it comes to responsibility for data security. Some vendors seem reluctant to put any special security measures in place, or to accept liability for any consequential loss in the event of a data breach. They argue that it is the standardisation of cloud-based services that contributes to their competitive pricing.

However, the European Union’s digital agenda commissioner, Neelie Kroes, recently urged cloud computing providers to beef up the security they provide for their services, across national boundaries. She called for robust data protection to be well integrated into the design of cloud computing products and services from the very beginning of the business process.

Cloud computing users are also starting to push for improvements. For example, in October 2010, a group called the Open Data Center Alliance (ODCA) was formed – with members that include BMW, Deutsche Bank, JP Morgan Chase, Lockheed Martin and Shell, and the backing of Intel – with the aim of improving the security and interoperability of cloud computing.

As service providers and regulators grapple with these issues, what steps should organisations be taking to ensure that their corporate information is secure in a world without the protection of a corporate network boundary?

Where is the boundary?

Several key trends in the way corporate information is accessed, stored and shared are combining to shift and, ultimately, erode the corporate network boundary.

First, networks are becoming more integrated, with organisations increasingly relying on a mix of public networks such as the Internet, cloud computing services, mobile phone networks and private networks to deliver corporate information services. This means less of the network is under the organisation’s control, and so makes it less trustworthy.

Second, growing numbers of third parties need to connect to organisations’ business systems, which may mean it is no longer possible to trust internal corporate networks and new controls may be needed at either the device or application level.

Third, employees, customers and other third parties want to use an ever-growing range of devices to access corporate systems. The result of this may be that all devices need to be considered untrusted, and security may have to be delivered at the application level.

The complexity of a typical corporate network is illustrated in Figure 1, which shows the variety of services that today’s corporate networks are required to deliver.

As the illustration highlights, organisations often have multiple connections to third-party networks, third-party users operating inside the network boundary, and many remote connections from within the boundary to insecure networks (including the Internet).

Organisations are increasingly aware of the dangers posed by the disappearance of the network boundary, but many are unsure about how to deal with the issue. Furthermore, the complexity of existing networks makes them very costly to change. To date, the response has tended to be to deploy point solutions – such as content filtering, spam filtering and malware protection – on current network architecture to deliver new functionality, rather than to re-evaluate and amend the overall network security architecture.

Given the uncertainty surrounding who is responsible for what when it comes to information security – whether we’re talking about third-party suppliers, cloud computing or the use of personal devices for work – the best course of action would appear to be for organisations to assume responsibility for their own information security. They need to ensure they are doing all they can to protect their data and, ultimately, their organisation’s reputation through an architectural response to the challenge of a disappearing network boundary.

An architectural response

There is a range of architectural options that can be used to enhance the protection of corporate information in response to the disappearing network boundary:

• Establish trusted zones at the network level and around devices, where the security of corporate information can be assured using firewalls and encrypted connections.

• Deploy network-level protection, including restricting access to the network using Network Access Control (NAC), identity-aware networks and mutual authentication.

• Implement device-level protection, including the creation of trusted back-end systems, making every user device self-protecting and deploying virtual user devices.

• Apply application-level protection, including the adoption of a web-based or terminal-based approach and the deployment of virtual applications.

The following sections will explain each of these options in more detail.

Establish trusted zones

Zones can be used to isolate objects – networks, devices or applications – within defined perimeters. Trusted zones rely on perimeter controls to protect the systems inside them and only allow trusted devices to attach inside the zone, as illustrated in Figure 2. In this way, the security of information within the trusted zone can be assured.

Figure 1: The types of services typically provided by today’s corporate networks. Source: ‘Architectural Responses to the Disappearing Network Boundary’. © Information Security Forum.

Figure 2: The creation of trusted zones. Source: ‘Architectural Responses to the Disappearing Network Boundary’. © Information Security Forum.

Trusted network zones can be used to divide the corporate network into a series of smaller networks in which different levels of protection can be applied. They are often used for high-value or critical services, and typically contain back-end systems such as servers, mainframes and manufacturing control systems.

It is also possible to build a trusted zone around an individual network device such as a mainframe or server, and around user devices such as laptops, workstations and smartphones. This approach works well where the devices are standard managed corporate devices, but is not so effective for the wide range of other devices that organisations now often need to support (for example, home computers, smartphones or contractors’ laptops).


Consequently, organisations need to adopt a different stance to allow unmanaged devices to access corporate information and applications securely. Moving the protection of the information away from the physical device to a trusted application offers a solution.

A trusted application is one that has been designed and built to operate securely. It can only continue to be considered trusted if it can be proved that the application running is the one the organisation has deployed. This can be done, for example, by running it from a central trusted source, such as a web server or a terminal session, or locally on the device, and verifying the code installed before the application is permitted to run.
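As an added illustration (not code from the article or from the ISF report it draws on), the following Go program shows the "verify the code installed before the application is permitted to run" step: the central trusted source signs a manifest of file hashes with an Ed25519 release key, and the device refuses to start the application unless the signature verifies and every installed file matches the manifest. The application name, file paths and file contents are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest records the SHA-256 of every file the organisation deployed, signed at the trusted source.
type Manifest struct {
	App   string
	Files map[string]string // path -> hex SHA-256 of the deployed content
	Sig   []byte            // Ed25519 signature over canonical()
}

// canonical renders the manifest in a fixed order so signing and verification hash the same bytes.
func (m Manifest) canonical() []byte {
	paths := make([]string, 0, len(m.Files))
	for p := range m.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	fmt.Fprintf(&b, "app=%s\n", m.App)
	for _, p := range paths {
		fmt.Fprintf(&b, "%s %s\n", m.Files[p], p)
	}
	return []byte(b.String())
}

func hashOf(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// NewReleaseKey is run once: the public half is provisioned to every device, the private half stays at the source.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the release step at the central trusted source.
func SignManifest(priv ed25519.PrivateKey, app string, files map[string][]byte) Manifest {
	m := Manifest{App: app, Files: make(map[string]string, len(files))}
	for p, content := range files {
		m.Files[p] = hashOf(content)
	}
	m.Sig = ed25519.Sign(priv, m.canonical())
	return m
}

// VerifyInstall is the check the device runs before the application may start; nil means the
// code on the device is exactly the build the organisation deployed.
func VerifyInstall(pub ed25519.PublicKey, m Manifest, installed map[string][]byte) error {
	if !ed25519.Verify(pub, m.canonical(), m.Sig) {
		return errors.New("manifest signature invalid: not signed with the release key")
	}
	for p, want := range m.Files {
		content, ok := installed[p]
		if !ok {
			return fmt.Errorf("%s: file missing from installation", p)
		}
		if hashOf(content) != want {
			return fmt.Errorf("%s: content differs from the deployed build", p)
		}
	}
	for p := range installed { // files the build never shipped are not trusted either
		if _, ok := m.Files[p]; !ok {
			return fmt.Errorf("%s: file not in signed manifest", p)
		}
	}
	return nil
}

func main() {
	pub, priv := NewReleaseKey()
	build := map[string][]byte{"bin/console": []byte("console v1"), "etc/console.ini": []byte("plant=A\n")} // constructed
	fmt.Println("clean install:", VerifyInstall(pub, SignManifest(priv, "plant-console", build), build))
}
```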

Once a system of trusted zones is established, organisations need to implement controls to protect the information within them using firewalls, which restrict the network ports and protocols that can be used to send data to and from the zone. In addition, the information being transmitted between two trusted zones must be encrypted. Typically this is achieved by encrypting the network traffic either by using a secured protocol or a secured tunnel (such as a virtual private network).

Deploy network-level protection

While the deployment of trusted zones may be enough to meet the security requirements of some organisations, others will wish to supplement these zones with other architectural options. The network is an obvious place to start when identifying these architectural options, as its structure plays a major role in dictating how systems are accessed and protected.

As the corporate network will typically be a mixture of trusted zones and untrusted zones, such as the Internet and third-party networks, controlling access to the network is one way to protect it. Network Access Control (NAC) uses specialist network devices (hardware- or software-based) to control access to trusted zones. The devices may be individual devices deployed at the perimeter of a zone, where they would typically control access from a single point (such as a wireless access point), or specialist network switches deployed throughout the corporate network that restrict access at each physical network point.


NAC assesses connecting devices to see if they can be trusted and allows only trusted devices to connect to trusted network zones. It then restricts access to different parts of the network depending on whether or not a particular device is trusted.

Another way to restrict access to certain zones is to use identity-aware networks. These restrict access between network zones using specialised identity-aware firewalls, which use tables of authorised users and devices for identification and authentication. One of the benefits of an identity-aware network is that only specific systems are exposed to the connecting user. For example, a particular user might be able to gain access to a server protected by a firewall in one zone, but be unable to gain access to servers behind a second firewall or even know that they exist. This means users, and therefore malicious third parties, are prevented from identifying possible systems to attack.
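The following Go program is an added example (not the article's or the ISF's own code) that models the two network-level controls just described working together: a NAC posture assessment that places a connecting device in a zone, and an identity-aware firewall whose table of authorised users and devices decides which systems are exposed, with everything unlisted staying invisible. The user names, device names, systems and posture attributes are constructed for the example.

```go
package main

import "sort"

// Posture is what the NAC device learns about a connecting device before deciding where it may attach.
type Posture struct {
	Device        string
	CorporateCert bool // holds a device certificate issued by the organisation
	Patched       bool
	MalwareProt   bool
	FirewallOn    bool
}

// Zone is the network zone NAC places the device in.
type Zone string

const (
	ZoneTrusted     Zone = "trusted"
	ZoneRemediation Zone = "remediation" // may reach only patching and update servers
	ZoneGuest       Zone = "guest"       // Internet access only
)

// AssessDevice is the NAC decision: a device attaches to a trusted zone only if it is corporate
// and healthy; an unhealthy corporate device is held for remediation; anything else is untrusted.
func AssessDevice(p Posture) Zone {
	if !p.CorporateCert {
		return ZoneGuest
	}
	if p.Patched && p.MalwareProt && p.FirewallOn {
		return ZoneTrusted
	}
	return ZoneRemediation
}

// Rule is one row of the identity-aware firewall's table: the systems a given user, on a given
// device, in a given zone is authorised to reach. "*" matches any user or device.
type Rule struct {
	User, Device string
	Zone         Zone
	Systems      []string
}

// IdentityFirewall exposes nothing that is not explicitly authorised.
type IdentityFirewall struct{ Rules []Rule }

func match(pattern, value string) bool { return pattern == "*" || pattern == value }

// Exposed lists the systems this user on this device can reach, and therefore the only ones
// they can even discover. An empty list is the default outcome.
func (f IdentityFirewall) Exposed(user string, p Posture) []string {
	zone := AssessDevice(p)
	seen := map[string]bool{}
	for _, r := range f.Rules {
		if !match(r.User, user) || !match(r.Device, p.Device) || r.Zone != zone {
			continue
		}
		for _, s := range r.Systems {
			seen[s] = true
		}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// Allow decides one connection attempt from user on device p to system.
func (f IdentityFirewall) Allow(user string, p Posture, system string) bool {
	for _, s := range f.Exposed(user, p) {
		if s == system {
			return true
		}
	}
	return false
}

// SampleFirewall is a constructed authorisation table for the example.
func SampleFirewall() IdentityFirewall {
	return IdentityFirewall{Rules: []Rule{
		{User: "alice", Device: "laptop-0042", Zone: ZoneTrusted, Systems: []string{"erp-app", "file-srv"}},
		{User: "bob", Device: "laptop-0042", Zone: ZoneTrusted, Systems: []string{"file-srv"}},
		// Any corporate device held in remediation reaches the patch server and nothing else.
		{User: "*", Device: "*", Zone: ZoneRemediation, Systems: []string{"patch-srv"}},
	}}
}
```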

An additional level of protection can be gained by requiring mutual authentication between systems. Mutual authentication ensures that only known, authorised system components (typically devices) are permitted to communicate with each other. It requires the communicating components to authenticate with each other before data can be sent between them, but does not check to see if they are trusted.

Figure 3: IPSec mutual authentication process. Source: ‘Architectural Responses to the Disappearing Network Boundary’. © Information Security Forum.

Typically, mutual authentication uses certificates installed on the user’s device. When a device tries to connect to another device (such as a server, a router or a firewall), it presents its certificate for inspection. If the certificate is valid, a secure tunnel is created and data can be transmitted between the two devices, as shown in Figure 3.
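As an added example (not from the article or the ISF report), the following Go program performs the certificate inspection at the heart of the exchange in Figure 3, using X.509 certificates as a TLS or IPsec gateway would: each side checks that the certificate the other presents chains to the corporate CA, is within its validity period and is permitted for the role being claimed, and the tunnel is established only when both checks pass. It goes slightly beyond the text by also showing the rejection cases (an expired device certificate, a certificate from a foreign CA, and a gateway the device does not recognise). The CA, gateway and device names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a system component (device, gateway or CA) with its certificate and private key.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial numbers for the example

// issue creates a certificate for name. With ca == nil it is a self-signed CA; otherwise it is
// a leaf signed by ca, as when a corporate PKI enrols a device.
func issue(name string, ca *Identity, expired bool) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-48 * time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if expired {
		tmpl.NotAfter = now.Add(-24 * time.Hour)
	}
	parent, signer := tmpl, key
	if ca == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}
}

// inspect is the check each side performs on the certificate the peer presents: it must chain
// to a trusted CA, be within its validity period and be permitted for the role the peer claims.
func inspect(trusted *x509.CertPool, presented *x509.Certificate, role x509.ExtKeyUsage) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

// MutualAuth models Figure 3: the device inspects the gateway's certificate and the gateway
// inspects the device's. Only when both pass is the tunnel established; returns the device name.
func MutualAuth(trusted *x509.CertPool, device, gateway *Identity) (string, error) {
	if err := inspect(trusted, gateway.Cert, x509.ExtKeyUsageServerAuth); err != nil {
		return "", fmt.Errorf("device rejects gateway: %w", err)
	}
	if err := inspect(trusted, device.Cert, x509.ExtKeyUsageClientAuth); err != nil {
		return "", fmt.Errorf("gateway rejects device: %w", err)
	}
	return device.Cert.Subject.CommonName, nil
}

// NewCorporatePKI creates the organisation's CA and a pool that trusts only it.
func NewCorporatePKI() (*Identity, *x509.CertPool) {
	ca := issue("Corp Device CA", nil, false)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return ca, pool
}

func main() {
	ca, pool := NewCorporatePKI()
	fmt.Println(MutualAuth(pool, issue("laptop-0042", ca, false), issue("vpn-gateway", ca, false)))
}
```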

Implement device-level protection

Network-level options focus on restricting access to both trusted and untrusted network zones, based on authenticating the components attempting to connect to them. Device-level options represent a rather different approach: they mostly disregard the network and focus instead on the concept of trusted devices. In this approach, most of the controls are placed around the connecting devices and protect the connections they use. This approach creates a series of trusted devices each located in its own trusted network zone.

Device-level protection is particularly applicable when user devices are connecting directly to a hostile network – for example, when a remote user’s corporate laptop is connected via the Internet to access the corporate network. As the network boundary erodes, and the internal network becomes more hostile, this device-level protection will need to expand to cover all user devices, including workstations and smartphones.

The device-level approach – sometimes referred to as ‘self protection’ – has not yet been widely adopted for servers and other back-end systems. Organisations have tended to locate these systems in trusted zones (such as datacentres) and rely on perimeter controls to protect them. However, many organisations are now adopting or planning for self protection for back-end systems.

A self-protecting user device is a trusted device that is able to protect itself from network attacks, for example by deploying and maintaining malware protection software, installing and running personal firewalls and patching its operating systems and the applications running on it. It restricts the transfer of information to and from trusted business components, for example by imposing firewall rules or requiring a VPN connection to a corporate trusted network.


Another device-level protection option is to deploy virtual user devices (or virtual machines), which are isolated environments consisting of an operating system that supports one or more business applications. A single user device can run multiple virtual user devices that are logically separated from each other and from the host device.

Deploying virtual devices allows organisations to deliver a locked-down standard operating environment that can be deployed on an untrusted, non-corporate system. They also typically use standard builds, making them easy to manage and maintain remotely (for example, for patching). To become a trusted device, a virtual user device still needs to be made self protecting, but can be deployed without the need to pay much attention to the ownership or configuration status of host user devices. Organisations can also choose to configure back-end systems – servers, mainframes or manufacturing control systems, for example – as trusted devices within their own trusted network zones, as illustrated in Figure 4.

The required perimeter controls, previously delivered by the network, are built into the back-end system, allowing it to operate without any further external protection. This enables organisations to deploy trusted back-end systems in untrusted network zones or even directly into a hostile network such as the Internet.

Typically, the controls applied to make a back-end system trusted include a locked-down operating system, virus protection software, a built-in firewall and supplementary controls such as application firewalls or an intrusion prevention system. These controls are often implemented as part of standard builds for back-end systems. Once controls are in place, connections to the back-end systems will be restricted. However, the traffic associated with back-end systems needs to be protected using either secured protocols or some form of tunnel.

Figure 4: The deployment of trusted back-end systems. Source: ‘Architectural Responses to the Disappearing Network Boundary’. © Information Security Forum.

Apply application-level protection

The device-level approach works well for standard, managed corporate devices, but may not be so effective for the wide range of other devices that organisations need to support – including home computers, mobile devices and third-party owned laptops. As a result, organisations may need to adopt a different approach to allow a variety of unmanaged devices to access corporate information and applications securely.

One option for these types of device is to move the trust zone from the devices to applications, either by using a thin client – such as a browser or terminal client – or a virtual application.

A thin client enables users to access applications with little more than a generic client deployed on their devices. Processing of information takes place on the back-end systems, no data is stored on the device, and the connection between the client and the back-end systems can be configured to only use a secured protocol. However, users have to be online to access applications using a thin client.

The deployment of virtual applications enables users to access fully functional applications on any device through the use of self-contained trusted applications. Unlike thin client-based approaches, virtual applications can be operated offline, so increasing the range of services for which they can be used.

This approach enables organisations to deliver a single trusted application that can be deployed on an untrusted device, such as a home computer or a contractor’s laptop. The virtual application can potentially be so small that it can readily be downloaded on demand. The approach also has benefits for organisations with older systems that were not designed to operate in open unprotected networks. A typical example is a manufacturing control system developed 20 years ago, but which is still central to an organisation’s operation. These systems were often designed to be managed and maintained using insecure protocols such as telnet.

Making a direct telnet connection across the Internet to the system could potentially expose the system to attack, because often the systems do not support other network security techniques such as VPNs. One way around this is to require an engineer to create a secure session to a terminal server and use that terminal session to make the telnet connection to the manufacturing plant. The plain text traffic associated with a telnet connection could then only be intercepted between the terminal session and the manufacturing plant. All communications between the terminal server and the engineer’s terminal session would be protected using secured protocols.

Looking forward

The corporate network boundary is disappearing with the increasing use of the Internet as a business channel, the growing adoption of cloud services, the continued need for third-party access to internal systems, and the rise in use of mobile devices to access corporate information. It is becoming increasingly difficult to guarantee that a network or device is trusted.

Organisations will need to continually modify their approach to protecting information in the future. As the network boundary continues to erode, the points where organisations trust business components will also change.


The level of trust – the point at which information is protected – is slowly moving through each architectural option, from the network level towards the information itself. As the erosion of the network boundary continues, it becomes harder for organisations to deliver a trusted network. This means at some point, organisations will need to move on from using trusted network zones to greater use of trusted devices.

Over time it will become harder to deliver trusted devices, because of the dramatic increase in the number and variety of devices that people want to use – many of which will not be corporately owned or managed, or will be in the cloud. This will mean a move towards securing the application level, and the introduction of more trusted applications (typically using virtual or browser-based applications).

Ultimately, trusted applications will not be enough either, because they only protect information while it is under their control – potentially exposing information when it is transferred to another application. Future solutions are likely to impose controls to protect information directly (for example, through encryption and access control), effectively creating trusted information. Typically this process will require some form of wrapper around the information, enabled by the next generation of digital rights management software.

In the short term, organisations should create a new architecture based on trust, with a security model that does not rely on the network for protection. They should then monitor the changes in both network capabilities and security solutions to determine if further action is required.

In the longer term, organisations should plan to protect critical and sensitive information itself, wherever it may be.

About the author

Steve Durbin is global vice-president of the Information Security Forum (ISF). He has served as an executive on the boards of public companies in the UK and Asia in both the technology consultancy services and software applications development sectors. He was latterly Ernst & Young’s sales and marketing director. Durbin has considerable experience working in the technology and telecoms markets and was previously senior vice-president at Gartner. He has also been involved with mergers and acquisitions of fast-growth companies across Europe and the US, and has advised a number of global technology companies on IPOs both on NASDAQ and NYSE.
