Rise of the elastic perimeter

Over the centuries, humans have built walls to keep intruders at bay. The Romans and Chinese were particularly adept at constructing extensive barricades: the Romans built Hadrian’s Wall in northern England and the Antonine Wall across what is now the Central Belt of Scotland, while the Chinese first started construction of what would become the Great Wall of China in the 7th century BC.

However, the Antonine Wall and the Great Wall of China were designed to do more than just secure borders. These walls enabled the Romans and the Chinese to create access points to impose duties and taxes on goods and control the movement of people.  

If we fast-forward from the great ancient civilisations of Rome and China to the 21st century, we find the concept of physical walls has been adapted to the modern datacentre. Instead of bricks and mortar, these facilities incorporate a complex setup of routing and switching gear, firewalls, intrusion detection and prevention systems and filtering and threat detection devices. These create virtual boundaries and form perimeters which are monitored and protected.

In another article I discuss the concept of the elastic perimeter, which acknowledges that inclusion is a key principle of the information age and that organisations and governments cannot exist in isolation.

Sharing information internally with staff and contractors, and externally with customers and suppliers, is integral to most organisations’ daily operations. However, sharing increases the risk to the confidentiality, integrity or availability of data. In essence, the virtual perimeter created to protect the organisation is now being constantly revisited and re-architected with new or modified gates opened along the virtual perimeter wall.

Securing data during its lifecycle and supporting the supply chain is ultimately the responsibility of the engaging organisation. However, as governments and organisations share valuable information with other parties in their supply chains, they often do not know how, or even if, this data is being protected by suppliers, or by their suppliers in turn.

With suppliers now moving away from traditional outsourcing or offshoring models to cloud-based services, classic site-based security controls are being challenged. In fact, some of these controls are being made redundant by how and from where the cloud capability is being sourced. It is now a lot less clear which sites need to be secured or assessed according to an organisation’s security standards or requirements. This is further compounded when suppliers use third parties. Because these third parties attach their perimeter to the customer organisation, they effectively become ‘fourth parties’ over which the engaging organisation has no contractual control, yet which are part of the perimeter for the term of a contract.

This issue is being dealt with at an international level by the Jericho Forum, a leading IT security thought-leadership association dedicated to advancing secure business in a global open-network environment. The Jericho Forum has presented its ‘commandments’ for de-perimeterisation here, as well as high-level principles of Collaboration Oriented Architecture (COA). I believe an interpretation of these COA principles will hold true for the elastic perimeter and I present my adaptation of them below.

  • Know your supply chain: all components and endpoints of a transaction chain must be known to the contracting parties. This ensures any loose or vulnerable points can be identified and remediated before the supply chain can be compromised.
  • Trust the information supply chain: the contracting parties can agree on an appropriate level of confidence in all components of a transaction chain, including the environment in which these components operate. This ensures the integrity of the data can be maintained through the supply chain from the organisation to third parties and back.
  • Defined controls and assurance parameters: agreements between contracting parties define their obligations and the associated safeguards in respect of intellectual property. The purpose of defined controls is to provide adequate security during the lifecycle of transactions, in line with the risk appetite of the engaging organisations.
  • Compliance: all parties involved in elastic perimeters agree to periodic inspections and security audits. These inspections and audits should be extended to fourth parties involved in the provision of services. This includes requirements for non-compliant parties to be appropriately sanctioned. To ensure compliance, focus on end-to-end assurance across the entirety of the data supply chain.
  • Extending privacy obligations: privacy today is an important requirement that the contracting parties, including associated fourth parties, are required to adhere to. This is due to the paramount importance of customer and employee information to the engaging organisation and its suppliers.

Deperimeterisation as proposed by the Jericho Forum will be hard to implement at many organisations, because as humans we feel a sense of security with boundaries, however effective or ineffective they may be. However, the elastic perimeter enables organisations to meet this human need while meeting the changing demands of new IT models.


This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Puneet Kukreja