
Deperimeterisation: A Practical Guide for Enterprises

July 16th, 2009 · 1 Comment

24 information security professionals attended a workshop to develop a practical approach to deperimeterisation of enterprise IT. It proved to be a highly productive meeting with a lot of experience in the room. The full report and recommendations will be available to Forum members very soon. But, in the meantime, here are some of the key points from the event.

  • Don’t segment your network unless it solves a specific problem
  • Data Protection
    • Personal data is what you define as personal data
    • Take account of multiple jurisdictions:
      • you as the customer
      • your supplier
      • where the data is entered, stored and processed
  • There is no easy answer to avoiding vendor lock-in
    • Anything different from their standard offering will cost
    • Be wary of doing the design work – it will drive up the cost and will provide a get-out for the supplier in the event of service problems
    • Act together
  • There is no generic “Security as a Service”, though there are several “clubs”
    • Identrus (banking)
    • SAFE (pharmaceuticals)
    • TSCP – Transglobal Secure Collaboration Program (military/aerospace)
  • One useful definition of a user is “someone who requires logical or physical access”
  • Manage user attributes in the HR database and push them to Active Directory
  • “Thou shalt authenticate against Active Directory”
  • Firewalls are more about protecting Quality of Service than Security
  • Tools to consider (not exhaustive)
    • Federated identity – Ping ID (http://www.pingidentity.com/)
    • ID-based Firewall – Applied Identity (http://www.appliedidentity.com/)
    • ID-based Firewall – Palo Alto (http://www.paloaltonetworks.com/)
  • Use personal firewalls (but not Microsoft’s out of the box) when managing/allowing Web Access from outside the corporate environment.
  • Keep your security rules simple
  • Internet access to corporate resources, done properly, can be more secure
  • Use a risk-based approach to managing access
    • It is transparent to the user
    • Most criteria can be implemented without bespoke coding to applications
  • If you enable/supply guest access to the (raw) Internet, make sure guests have to read and acknowledge an acceptable use policy
  • Make sure your controls include “killing” the Active Directory entry quickly for leavers and for lost, stolen or compromised devices.
Tags: Applications · Governance & Standards · Infrastructure · Programme & Project Management · Security & Business Continuity · Technologies
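Two of the points above (HR as the authoritative source of user attributes pushed to Active Directory, and killing the directory entry quickly for leavers and compromised devices) amount to a reconciliation job. The following is an added illustration, not code from the workshop report; the HR feed, directory contents, field names and device list are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical field names). The HR database is the
# authoritative source; DIRECTORY stands in for what Active Directory holds.
HR_FEED = [
    {"id": "u100", "name": "Ana Lopes", "dept": "Finance", "status": "active"},
    {"id": "u101", "name": "Ben Ng", "dept": "Ops", "status": "active"},
    {"id": "u102", "name": "Cy Ota", "dept": "Sales", "status": "leaver"},
    {"id": "u104", "name": "Di Roy", "dept": "Legal", "status": "active"},
]
DIRECTORY = {
    "u100": {"name": "Ana Lopes", "dept": "Sales", "enabled": True},  # stale dept
    "u101": {"name": "Ben Ng", "dept": "Ops", "enabled": True},
    "u102": {"name": "Cy Ota", "dept": "Sales", "enabled": True},     # leaver
    "u103": {"name": "Old Temp", "dept": "Ops", "enabled": True},     # no HR record
}
# Devices reported lost, stolen or compromised, mapped to their owner.
COMPROMISED_DEVICES = {"LAPTOP-0042": "u101"}

@dataclass
class Plan:
    create: list = field(default_factory=list)
    update: dict = field(default_factory=dict)   # id -> attributes to push
    disable: dict = field(default_factory=dict)  # id -> reason

def reconcile(hr_feed, directory, compromised_devices):
    """Diff HR (source of truth) against the directory and plan the changes."""
    plan = Plan()
    hr_by_id = {r["id"]: r for r in hr_feed}
    for uid, rec in hr_by_id.items():
        if rec["status"] != "active":
            # Leaver: kill the directory entry rather than just leaving it stale
            if uid in directory and directory[uid]["enabled"]:
                plan.disable[uid] = "leaver"
            continue
        if uid not in directory:
            plan.create.append(uid)
            continue
        diff = {k: rec[k] for k in ("name", "dept") if directory[uid].get(k) != rec[k]}
        if diff:
            plan.update[uid] = diff
    # Orphan accounts (in the directory, unknown to HR) are disabled, never kept
    for uid, entry in directory.items():
        if uid not in hr_by_id and entry["enabled"]:
            plan.disable[uid] = "no HR record"
    # A lost/stolen/compromised device disables its owner's entry immediately
    for device, owner in compromised_devices.items():
        plan.disable.setdefault(owner, f"compromised device {device}")
    return plan
```

In a real deployment the plan would be applied against the directory by the provisioning tool, and the device list would come from the helpdesk or MDM system.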


Adrius42 // Jul 27, 2009 at 3:51 pm

The makings of one of my biggest AHAs this year was nearly pointed out in this “report”, but some may have missed it. So I will try and make it more explicit!

The future of Identity and Access Management is Claims-based! Simple, I know, but one more step is crucial: Claims are Attribute-based and not Role- or ACL-based.

      So the new discipline should be called Identity, Claims and Access Management. A lot of work will need to go into redefining our Enterprise Centric belief that Identity is UserID and Authentication simply means checking if they can remember their password.

Here is to the future of Claims-based Access!

      Find the Identity 2.0 Video and watch it!!

      As an aside, despite the fact that Kim snared Dick….

I am not sure that I can fully buy into the belief that Active Directory is the sole means of authenticating claims; in fact I would go as far as to say that within the next 2 years most claims authentication will be occurring outside the realms of AD. (Heresy, possibly, but I suspect that Microsoft will already be providing an Identity Provider Service in the clouds by then, and so Active Directory becomes an ancient Enterprise/Data Centre technology.) (Do you remember when companies had their own “Computer Rooms”, grandad?)

      Read my last Blog on the subject….
