Perimeter Security – A Far Flung Fantasy?
Consider the potential thought process of the IT professional who is challenged with managing security for his or her organization’s computer infrastructure: “What did those 30,000 systems cost anyway? How much more will it cost for software licensing, tech support and hardware upgrades every couple of years? And, to add insult to injury, apparently one user’s long-lost uncle in Nigeria sent some XP antivirus for only $59.99, which has now infected my entire network. Who needs this? Why can’t we just get out of the computer business and save a few bucks along with my sanity? If our employees choose to chat away on Skype all day and let the Twitter world know the latest sandwich available at Joe’s Deli for lunch, then let them do it on their own computer hardware! We could save a lot of money, get rid of the real security threat, and then enjoy the latest episode of Dr. Who with our newfound free time…”
Is the idea of taking an organization’s environment mobile such a silly thought? A far flung fantasy? Perhaps surprisingly, not as much as one would think. Certainly, the thought process above is a bit exaggerated. People don’t really watch Dr. Who. But – organizations are considering this transition. Recently, Accuvant was approached by a client with this very type of request. We were asked what it means to lose the workstation, to leave workers to their own devices, to place the users on the outside of the kingdom. What are the security risks? What are the security savings?
What is more profound is the frequency with which these types of requests are beginning to materialize. Embattled by their perceived state of security, the ever-increasing cost of system management, and an inability to achieve a reasonable level of control, and holding grand dreams of slashing overhead costs and reducing risk levels, many organizations would understandably consider throwing up a white flag and letting the castle gates down. Corporate America, awash with data centers that are due for a refresh and upgrade in the near term, is tantalized at the prospect of redefining "security at the edge".
So, what’s an executive tasked with the protection of information supposed to do? Retreat to the inner core of the network and build a wall around the prized corporate jewels? Legions of employees, even those inside the corporate office, would join the ranks of roaming mobile warriors with remote authentication tunneled through controlled entries, unprotected by the prized perimeter security strategy and treated like the savages of the unmonitored Internet to which they are relegated. All this, as a result of simply wanting to achieve lower operating costs and increased security control; greater visibility and scalability that can be achieved with a minimal infliction of pain.
How far can this idea go? Do we even need a network? Wasn’t ubiquitous computing the solution? Clearly, some of our clients believe so. They are dissolving the perimeter, packing up, sending user applications to the cloud, and moving their valuables to colocation data centers. They are going to divest themselves of the endpoint as an asset and replace it with a comprehensive network access control (NAC) strategy that enforces corporate standards and policy.
On top of that, is it possible to have our cake and eat it too, i.e., a secure work environment layered on top of an uncontrolled desktop environment? Virtualization presents such an opportunity. No longer does a physical machine have to map directly to the job. Segregating a network into distinct zones defined by the required security controls and sensitivity levels is nothing new. Access to basic functions and services such as web browsing, email and standard applications can be provided on a low-risk network, while activity for those business functions that handle critical data is contained on a highly secured, controlled network. The virtual machine is defined as a secure environment that shares data across its own encrypted private network, isolated from the system on which it sits.
Of course, this leaves us with a system that must be configured as such. Didn’t we just try to get away from this problem? So how do we create a dual environment without managing the system it sits on? We take classic security controls and a preconfigured work environment with the applications and data needed, and apply policies, monitoring and auditing as needed. Then we lock it all down, encrypt the whole mess, toss it on a portable drive, and make it boot. Some call it a “system on a stick”, where access is given to those in need in a form that goes everywhere. Controlled centrally, the physical device is no longer a risk or cost for the organization. To the controlled environment, it always looks the same regardless of where in the world it travels. With native encryption, loss or theft of a drive becomes irrelevant, relegated to the cost of the device rather than a loss of critical data. Even business partners who need access to certain forms of data can be issued devices with their own sets of policies and controls. The need to allow data to leave the protected castle becomes a thing of the past: those with the need are brought inside rather than letting that which is needed out.
As I mentioned previously, this concept is nothing new. Centralized server environments with virtualized desktops already exist and serve their function quite well. There is, of course, the cost of centralized hardware and pipes large enough to handle LA traffic during rush hour. Offloading the operating system to a USB drive allows for the use of cheap common hardware for computing power and only the bandwidth needed to serve data located centrally.
So: USB drives with isolated, encrypted, virtualized operating systems, and critical data centrally stored and controlled. Does it work? Does it stink? Please do tell. What am I missing? Any war stories to share? We would love to hear.