Over the centuries, humans have built walls to keep intruders at bay. The Romans and Chinese were particularly adept at constructing extensive barricades: the Romans built Hadrian's Wall in northern England and the Antonine Wall across what is now the Central Belt of Scotland, while the Chinese first started construction of what would become the Great Wall of China in the 7th century BC.
However, the Antonine Wall and the Great Wall of China were designed to do more than just secure borders. These walls enabled the Romans and the Chinese to create access points to impose duties and taxes on goods and control the movement of people.
If we fast-forward from the great ancient civilisations of Rome and China to the 21st century, we find the concept of physical walls has been adapted to the modern datacentre. Instead of bricks and mortar, these facilities incorporate a complex setup of routing and switching gear, firewalls, intrusion detection and prevention systems and filtering and threat detection devices. These create virtual boundaries and form perimeters which are monitored and protected.
In another article I discuss the concept of the elastic perimeter, which acknowledges that inclusion is a key principle of the information age and that organisations and governments cannot exist in isolation.
Sharing information internally with staff and contractors, and externally with customers and suppliers, is integral to most organisations' daily operations. However, every act of sharing increases the risk to the confidentiality, integrity or availability of the data shared. In essence, the virtual perimeter built to protect the organisation is constantly being revisited and re-architected, with new or modified gates opened along the perimeter wall each time a new party is granted access.
Securing data throughout its lifecycle, including while it sits with the supply chain, is ultimately the responsibility of the engaging organisation. However, as governments and organisations share valuable information with other parties in their supply chains, they often do not know how, or even whether, this data is being protected by their suppliers, or by their suppliers' suppliers in turn.
With suppliers now moving away from traditional outsourcing or offshoring models to cloud-based services, classic site-based security controls are being challenged. In fact, some of these controls are being made redundant by how and from where the cloud capability is sourced. It is now far less clear which sites need to be secured or assessed against an organisation's security standards or requirements. This is further compounded when suppliers themselves use third parties. Because these third parties attach their perimeter to the supplier's, and through it to the customer organisation, they effectively become 'fourth parties': the engaging organisation has no contractual control over them, yet they form part of its perimeter for the term of the contract.
This issue is being dealt with at an international level by the Jericho Forum, a leading IT security thought-leadership association dedicated to advancing secure business in a global open-network environment. The Jericho Forum has presented its 'commandments' for de-perimeterisation, as well as high-level principles of Collaboration Oriented Architecture (COA). I believe an interpretation of these COA principles will hold true for the elastic perimeter and I present my adaptation of them below.
- Know your supply chain: all components and endpoints of a transaction chain must be known to the contracting parties. This ensures any loose or vulnerable points can be identified and remediated before the supply chain can be compromised.
- Trust the information supply chain: the contracting parties can agree on an appropriate level of confidence in all components of a transaction chain, including the environment in which these components operate. This ensures the integrity of the data can be maintained through the supply chain from the organisation to third parties and back.
- Defined controls and assurance parameters: agreements between contracting parties define their obligations, and the associated safeguards, in respect of the intellectual property and data entrusted to them. The purpose of defined controls is to provide adequate security throughout the lifecycle of transactions, in line with the risk appetite of the engaging organisation.
- Compliance: all parties involved in elastic perimeters agree to periodic inspections and security audits. These inspections and audits should be extended to fourth parties involved in the provision of services. This includes requirements for non-compliant parties to be appropriately sanctioned. To ensure compliance, focus on end-to-end assurance across the entirety of the data supply chain.
- Extending privacy obligations: privacy today is an important requirement that the contracting parties, including associated fourth parties, are required to adhere to. This is due to the paramount importance of customer and employee information to the engaging organisation and its suppliers.
De-perimeterisation as proposed by the Jericho Forum will be hard to implement at many organisations, because as humans we feel a sense of security with boundaries, however effective or ineffective they may be. The elastic perimeter, however, enables organisations to satisfy this human need while meeting the changing demands of new IT models.
This article is brought to you by Enex TestLab, content directors for CSO Australia.