Digital transformation has turned the way we create and use information security upside down. The traditional “fortress” model of a security perimeter is thus no longer viable and the way security is managed has to adapt to these new uses. A new “airport” model based on data and handling sensitivity should be able to respond to this challenge. The information system can open up to the outside for business needs whilst protecting the data at the right level and retaining control over activity via efficient means of detection and reaction in case of an attack to the system.
The “fortress” security model has reached its limits
In the past, information systems were built in such a way as to be isolated from the outside via a wall of security equipment: firewalls, reverse proxy, DMZ, etc. They were based on just one trust zone, inside the perimeter, allowing easy access to the organisation’s resources.To use an analogy, the traditional model is based on a fortress: surrounded by reinforced walls, only one point of entry that is guarded, and once inside people circulate freely.
This model can no longer support the developments in attacks on information systems, ever better directed and precise. They know how to aim directly at the heart of the information system by intruding directly into staff workstations without being blocked by a wall, just like Trojan horse of ancient Greece.
The fortress model also does not allow for making the most of digital transformation. This has brought about fundamental changes in business’ information system conception: they’ve gone from a closed model to opening up to the outside. Certain data is made available directly to clients, suppliers and partners via the Internet and mobile applications. From an IT point of view, outsourcing is a daily reality, driven further today by the move towards the Cloud. From the user’s point of view, staff can use more and more personal devices: BYOD, personal webmail and personal applications on smartphones are welcome within the working environment. All these undeniable developments have rendered the notion of perimeter obsolete.
Move over for a new model: the airport
The evolution of the security model has therefore become necessary. To respond to these new challenges, the most suitable model today is the airport model. An airport is made up of public reception areas where clients can be informed or make purchases. There are also other highly secured areas with restricted access such as the tarmac or the planes. Security checks are reinforced for entry to the most sensitive areas.
In information security, this translates into security measures such as more or less sophisticated authentication mechanisms (strong authentication, biometric measures, etc.) and acceptable use and integrity checks (IDS/IPS, DLP, etc.) in order to have control over access to the areas containing the organisation’s sensitive data, and control over the way that data is used.
Using the airport model, as well as protection measures, it’s essential to be able to detect any anomalies or incidents and to be able to act quickly and efficiently. This is the control tower’s role, whose mission is to look closely (at what happens inside the airport’s perimeter) but also to look afar (approaching planes). The control tower can react quickly in case of a problem and provide a suitable response, or call in reinforcements if need be. Within an organisation, this monitoring role should fall under the SOC’s (Security Operation Centre) responsibility, along with where necessary a CERT (Computer Emergency Response Team).
So that this model remains viable over time and in order to stay efficient while the threat evolves, it’s essential to review the security measures in place regularly. Before take-off, planes must undergo a security check, and faults are anticipated through preventative maintenance: it works the same way for information security – entitlements, verifications and updates must develop continuously.
A fully fledged transformation project
The main issue of this change won’t happen through the acquisition of new security solutions: as often as not the building blocks of the fortress can be reused to construct the airport. Above all, this challenge is in structuring a real information systems security transformation programme.
The programme combines technological (often based around attack detection) and organisztional (giving teams responsibility in functionalities and development, integrating new control processes, etc.) developments but should also disseminate the principles of assessing risk and associated architecture in all IT projects. There’s sometimes a great temptation to place sensitive unsecured systems directly into the airport’s public area…
Faultless steering of this programme and a demonstration of its efficiency through risk reduction will be the key success factors of this transformation!