Perimeter defence is not enough

By | February 19, 2006

Up until now, the primary basis for almost all security strategies has been the moat and castle model, whereby a strong perimeter is established that divides the network into a trusted interior and untrusted exterior. It’s a model that has served well in the past, but due to the emergence of two new market trends, it now represents a significant liability.

Trend One: Rising value inside

Customer and personnel data have been universally regarded as a basic business tools, with little or no intrinsic value of their own.

The growth of a substantial black market for personal information changed all this. Identity theft is the fastest growing crime worldwide, and at the time of writing, the value of personal information ranges from $4 to $100 a record, depending on the specific content.

Like it or not, one of the primary tools of business – personal data, is now valuable, and is being targeted by modern cyber-criminals.

Trend Two: Declining effectiveness of the perimeter

The moat and castle model worked well when the perimeter could be defined. But, the mobile nature of today’s workforce, the increased use of outsourcing and the ongoing interconnection between enterprises has made the location of the perimeter difficult to establish and enforce.

And, technology isn’t helping, with wireless LANS and mobile connections further extending the perimeter, beyond the control of the IT organization.

Put these two trends together and they result in significant new risks for today’s organizations.

The rising value of personal data readily accessible throughout the organization, combined with the declining effectiveness of the perimeter, has created the significant potential for a data breach. And risk turns to liability when you look at the potential effect of a data breach.

A data breach has the potential of contravening one of the many data protection acts. These are all very similar, and there are many of them. One of the first was the EU Data Protection Directive (1995), which has since been codified into law by the various member countries. Other countries quickly followed suite including Canada’s Personal Information Protection and Electronic Documents Act (2004), and Japan’s Personal Information Protection Law (2005).

Contravention can result in fines and/or increased audit costs.

Could you survive a data breach?

For most organizations, the fines and penalties imposed by Governments are not an issue of paramount concern. Industries with high-value personal data, such as Financial Services, Healthcare and Government, have stringent laws and penalties in place. But, in reality, the financial impact of these fines and penalties are minor, and may be considered by some as a “cost of doing business”.

The real liability is the risk to the survival of the business itself.

Identity theft primarily affects the consumer. And consumers blame the organization who “allowed” the breach to happen, rather than the actual data thief. With potentially devastating effects.

A recent study surveyed 10,000 consumers and identified 1,100 individuals who had been the victims of a data breach. When asked about their reaction to the incident fully 20% indicated that they have severed all ties with the firm involved, with an additional 40% saying that they were considering doing the same.

Could your organization survive a loss of 20% to 60% of your customers?

This is the REAL liability associated with a data breach.

The market sets the value of data – there is nothing management can do here.

The perimeter is in trouble and IT managers must look at securing inside their perimeter in order to improve their overall security profile if they are to reduce their potential liability.

Security from the inside out

The nature of a network inside the perimeter is significantly different than on the “outside”. Perimeter-based security technologies are ineffective here. The following table illustrates how these environments differ, and can provide insight to design an appropriate security strategy.

Inside vs. outside security

It should now be clear from reviewing this comparison that securing these two environments requires approaching the problem architecturally. This is a network structure problem which will require a network structure solution.


A good place to start is to reduce the scale of the problem by segmenting the network and implementing security zones. This can be done through hardware (i.e. VLAN’s or subnets), which can be difficult to implement and rather inflexible, or through software using some form of security certificate association, which has the added benefit of incorporating encryption policies.

Transparent security

Given the diverse application environment inside the perimeter, any security solution must be application agnostic – transparent to the applications and users. This challenge becomes more pressing the larger your network becomes. Integrating applications becomes geometrically more difficult and complex to administer.


These challenges, however, are dwarfed by the complexities tied to managing this environment. Specifically, to manage and enforce security relationships within each zone without substantially increasing IT staff.

The answer may lie back in the use of security zones. Technology now exists that not only allows dynamic network segmentation but also provides a management layer that integrates the management of large numbers of users and applications at the same time.

This is a challenging issue for network and security professionals around the world, but it is not insurmountable. The technology is available and taking the time to design a security architecture that protects all data traffic – inside or out – will have an immediate payoff in terms of reduced liability and increased longevity for your organization.

Apani Networks ( is exhibiting at Infosecurity Europe 2006

Leave a Reply