Deperimeterization without endpoint control?
Do you know what that is? That’s a complete disaster!
I got the tip about this very interesting Burton Group discussion from Anton Chuvakin’s post (who also has an overflowing “2blog” queue).
There is a way to summarize that discussion. The key issue in deperimeterization is control over the endpoint. If you are pushing the defenses to the endpoint, you had better control it. So, if you allow endpoints that you don’t control to access your data, it’s not your data anymore.
Think for a moment about how a data-centric security approach would work. It would be something like agents that run on every endpoint, or that travel together with the data, encapsulating it. Either way, it runs on the endpoint. If the user controls ring 0 on the endpoint by having admin rights on the box, he will be able to modify or trick the security agent into doing things with the data that it is not supposed to do. Now, quick answer: how can you prevent users from having admin rights over their own devices? You can’t!
Imagine that you have printed a very sensitive document on some very, very bleeding-edge paper. It can’t be copied by any photocopier, and it destroys the data on it if someone tries to run it through one of those machines. If you let someone take that paper anywhere you can’t see them, they will copy it the way the 12th-century monks used to!
So, what can be done to avoid this? First, the user can NEVER control the device. How can you prevent that if he owns it? Well, I don’t like it, but the only alternative is something like a very broad adoption of the TPM. However, I doubt that those devices will become popular, and if they do, so will the ways to hack them.
The other alternative is not that cool, but I believe it’s closer to reality. Things will still be much like they are today. I mean, we’ll still have to put some restrictions on which devices can be used, we’ll still have to have some control over the physical and network environments, and we’ll still have to deal with ACCESS CONTROL. That’s not as sexy as virtualization, deperimeterization or any other “-ation”, but it’s the root of information security. We’ll still have to choose carefully who can access the information and under which circumstances that will happen.
Did you really think that, with all these new variables, security would be that simple?

Hi,
To what extent do you see deperimetrization not being a tendency towards internal security of critical assets with access to it limited by degree of control over the platform?
TPM-enabled device -> full access
Internal user on non-TPM device -> access via Citrix
Others -> web-based front end (if at all)
But I clearly agree with the warning that consumerization + deperimetrization = major headaches…
January 19, 2009 @ 8:39 pm
Jericho Forum commandment 6 states “All people, processes, technology must have declared and transparent levels of trust for any transaction to take place” and qualifies this “Trust level may vary by location, transaction type, user role and transactional risk”.
So yes, access control still matters. But it should additionally include the location, type of device, assessment of device, if that matters for your transaction.
Securing very sensitive data is always going to be hard. But in practice, much data doesn’t need that level of protection. In many cases it only needs protecting from unauthorised users, a simpler proposition.
January 21, 2009 @ 6:23 am
Hi Augusto,
The use of endpoint devices as a proxy for end users is a poor strategy, as you say.
We are using a different model for governing business data flows. Not only does it enable de-perimeterization, it impacts on PCI, privacy etc.
There is something I would like to discuss with you and I am in Toronto first week of March. Can you contact me? Thanks.
February 6, 2009 @ 12:12 am