We are on the verge of a quiet revolution that will see a fundamental shift in our approaches to network security. This revolution, which has been gathering momentum for some time, will play out over approximately the next six years, with the result that it will be a lot easier for organisations to translate security policy into network security architecture by 2018. Why?
The answer is simple: identity. Today’s network security tools define and enforce security in terms of network addresses – VLAN tags, IP addresses, and port numbers. This method will give way to defining network security based on identity. To illustrate why this will happen, let me first tell the story of the Magic Key.
Here’s a simple everyday situation that we will all be familiar with: going on holiday. Perhaps you would like your next-door neighbor to come into your house while you’re away and water your plants, feed your cats, and generally keep an eye on things. You give her your key so she can let herself in while you’re away. Everything is fine and you come back from a lovely holiday… and then you move into another home.
Your neighbor now has the key to someone else’s house that just happens to be at the address where you used to live. You will need to get a new key cut and give her a copy; she will need to remember to throw your old key away and keep the new one; the people that moved into your old house will need to change the locks.
Let’s consider this as if it was an IT security project, where the requirement is to implement a policy using IT security tools. The policy – “my neighbor can let herself into my house when I am away on holiday” – is simple to understand. As humans, our policies need to be simple to understand and explain because we don’t do complexity well! The tools available to implement the policy – the door lock and the key – are address-based: the lock is fixed to an address because it’s part of the door. We can see how the policy requirements and the tools to implement the policy don’t line up at all: the policy is framed entirely in terms of identity (“I…”, “She…”, “my…”), whereas the tools available to implement the policy (the lock and key) only work in terms of address.
This analogy explains the fundamental problem organizations face: it is too hard to translate security policy objectives into network security architecture because the available tools do not align with the way people think about security.
Going back to my story, imagine a new type of key – a “Magic Key” that knows which house is my house regardless of my current address. With a Magic Key my neighbor can access my house when I am away exactly as before. When I move, there is no problem – my neighbor still has the key to my house. She doesn’t need new keys or need to throw keys away. The new residents at my old address don’t need to change the locks. I don’t need to get new keys cut. Because the system is based on identity rather than address, it is easier to setup and manage.
This is essentially the revolution that is coming: today’s network security tools basically only work with addresses (i.e., “who should have access to where”. In the very near future, security will be defined entirely in terms of “who should have access to what”, with “who” and “what” woven into the fabric of the network as opposed to relying on applications to handle identity, as we do today. Simple really, but it is only now that the technologies and standards are coming to market to deliver this vision.
Alongside the major networking vendors, who are all scrambling to have “identity aware” messaging in their product marketing, there are many other innovators in this area. BlackRidge will be exploring the implications of this transformation at the Infosecurity Europe conference on April 24 at 10:40AM in the session “Securing the Internet of Things”.
Still not convinced? With an address space that is unimaginably larger than IPv4, IPv6 will drive the final nail into the coffin of address-based security architecture. The quiet revolution is coming – be prepared!
Blackridge Technology International Ltd is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe held on 24–26 April 2012 at Earl’s Court, London. The event provides an unrivalled free education program, exhibitors showcasing new and emerging technologies, and offers practical and professional expertise. Visit the Infosecurity Europe website for further information.
James Rendell holds the position of EMEA technical director with BlackRidge Technology. In his 25-year career he has held a variety of strategic technical roles with security technology vendors and consulting firms, such as IBM and Deloitte. Rendell presents widely at industry forums and conferences throughout Europe on contemporary security topics such as VoIP security, system compromise, vulnerability exploitation, reverse engineering, cryptography, PKI, and strong authentication, and is a regularly quoted commentator on contemporary security topics, especially with regard to the emerging threat landscape.
In the course of his IT career, Rendell has worked on critical infrastructure and strategic security projects with many of the largest enterprises in the UK and Europe, encompassing computing platforms as diverse as OS/390 to Palm OS, with implementation skills ranging from assembler programming to penetration testing. In 2008 while at IBM, he was elected as an affiliate member of the IBM Academy of Technology in recognition of his work in the field of IT security, and in 2010 was appointed Director of e-Crime Prevention with Deloitte, based in London. In his spare time, when not working with computers, Rendell enjoys sailing.