Comments on: Deperimeterization without endpoint control? http://www.securitybalance.com/2009/01/deperimeterization-without-endpoint-control/ trying to bring balance to the Force Wed, 03 Mar 2010 21:43:10 +0000 http://wordpress.org/?v=abc hourly 1 By: Rob Lewis http://www.securitybalance.com/2009/01/deperimeterization-without-endpoint-control/comment-page-1/#comment-175 Rob Lewis Fri, 06 Feb 2009 05:12:14 +0000 http://www.securitybalance.com/?p=334#comment-175 Hi Augusto, The use of endpoint devices as a proxy for end users is a poor strategy, as you say. We are using a different model for governing business data flows. Not only does it enable de-perimeterization, it impacts on PCI, privacy etc. There is something I would like to discuss with you and I am in Toronto first week of March. Can you contact me? Thanks. Hi Augusto,

The use of endpoint devices as a proxy for end users is a poor strategy, as you say.

We are using a different model for governing business data flows. Not only does it enable de-perimeterization, it impacts on PCI, privacy etc.

There is something I would like to discuss with you and I am in Toronto first week of March. Can you contact me? Thanks.

]]> By: Andrew Yeomans http://www.securitybalance.com/2009/01/deperimeterization-without-endpoint-control/comment-page-1/#comment-172 Andrew Yeomans Wed, 21 Jan 2009 11:23:25 +0000 http://www.securitybalance.com/?p=334#comment-172 <a href="https://www.opengroup.org/jericho/commandments_v1.2.pdf" rel="nofollow">Jericho Forum commandment 6</a> states "All people, processes, technology must have declared and transparent levels of trust for any transaction to take place" and qualifies this "Trust level may vary by location, transaction type, user role and transactional risk". So yes, access control still matters. But it should additionally include the location, type of device, assessment of device, if that matters for your transaction. Securing very sensitive data is always going to be hard. But in practice, much data doesn't need that level of protection. In many cases it only needs protecting from unauthorised users, a simpler proposition. Jericho Forum commandment 6 states “All people, processes, technology must have declared and transparent levels of trust for any transaction to take place” and qualifies this “Trust level may vary by location, transaction type, user role and transactional risk”.

So yes, access control still matters. But it should additionally include the location, type of device, assessment of device, if that matters for your transaction.

Securing very sensitive data is always going to be hard. But in practice, much data doesn’t need that level of protection. In many cases it only needs protecting from unauthorised users, a simpler proposition.

]]> By: Fernando http://www.securitybalance.com/2009/01/deperimeterization-without-endpoint-control/comment-page-1/#comment-171 Fernando Tue, 20 Jan 2009 01:39:08 +0000 http://www.securitybalance.com/?p=334#comment-171 Hi, To what extent do you see deperimetrization not being a tendency towards internal security of critical assets with access to it limited by degree of control over the platform? TPM-enabled device -> full access Internal user on non-TPM device -> access via Citrix Others -> web-based front end (if at all) But I clearly agree with the warning that consumerization + deperimetrization = major headaches... Hi,
To what extent do you see deperimetrization not being a tendency towards internal security of critical assets with access to it limited by degree of control over the platform?
TPM-enabled device -> full access
Internal user on non-TPM device -> access via Citrix
Others -> web-based front end (if at all)

But I clearly agree with the warning that consumerization + deperimetrization = major headaches…

]]>