Auscert 2013: Perimeter protection has failed, encryption needs its day in the sun

SafeNet's Andrew Younger says it's strange that nothing much has changed in the security industry in 20 years – except that we keep failing.

“Eighty percent of the security budget goes on the perimeter,” he said. “We're still trying to control what goes in and out of the network. Is it working? I don't think it is.”

He pointed to a growing realisation that in many breaches, the perimeter security hasn't been breached: the problem was not an attacker breaking a firewall, but a user loading up sensitive files on a personal machine, someone breaking BYOD rules, and so on.

And that's not going to change, Younger says, because data has no value unless it's used – and use means sharing in some way, within a company, between offices, with business partners or with customers.

“Data was born to be free or at least shared. Information is the currency and needs to be shared. Without it, business doesn't function,” he said.

However, in SafeNet's security survey, 33 percent of companies said their perimeters had been breached; 20 percent didn't know whether they had or not; 38 percent said they'd had unauthorised access to the network; 65 percent said there would likely be a breach in the next three years; 59 percent said that if their perimeter is breached, their data would not be safe; and 20 percent wouldn't trust their own company with their data.

Current security practices, in other words, aren't working all that well, he said: “Think about it the opposite way: assume that the perimeter will be breached. There is no perimeter on the network any more. Protect the data itself, the information that needs to be shared. Secure that.

“If you lost encrypted data but the keys that wrapped it up are secure – did you lose anything at all? It's all about how secure are the keys.”

In agreement with CSC's Peter Nikitser speaking yesterday, Younger said even encryption of a database isn't sufficient since the admin will still have access – so tokenisation is an important part of making sure that anywhere data can be stolen, it won't have any value.

The rollout of cloud computing, Younger said, is driving increasing interest in encryption, since “as soon as C-level executives can't see their data any more, they want to know about encryption again.”