AT&T security chief: mobiles are the “nail in coffin” for trust, and the perimeter

19 June 2012

The man responsible for the security of AT&T’s network recently told one audience that mobility is perhaps the death knell for trust within an organization’s network perimeter. His solution lies in a gradual network-based security strategy that moves your assets into the cloud.

While admitting that no security is perfect, Ed Amoroso, AT&T senior VP and chief security officer, demonstrates why each layer of complexity in our IT infrastructure has led to declining levels of trust. The old perimeter-based strategy was highly trusted, but still not completely secure at all times.

But according to Amoroso, the addition of mobile devices – especially those lacking controls – has ushered in the complete collapse of the perimeter, and with it the concept of trust altogether. Yet the situation is not hopeless, he asserted, before laying out the framework for a more trusted security posture, both for today and for the future.

At the company’s recent Cyber Security Conference in New York, Amoroso joked that his ideas – primarily critical of perimeter security as a model – were a bit strange for a person who is responsible for perimeter security at one of America’s largest internet and network service providers.

He also recognized that he’s not the first to observe the death of the perimeter. Organizations like the Jericho Forum, Amoroso recalled, have been advocating this worldview for some time. To his knowledge, however, there has yet to be a solution he would call “workable” enough to address the trust issues, and by extension security.

His proposal is one that involves gradually moving data, applications and even security into the cloud – one asset at a time – and learning how to apply this method to subsequent assets. It’s a concept Amoroso calls “orbital security”, and it involves moving much of security into the network layer. The process, the AT&T fellow suggested, would help organizations regain some of the trust they seem to be losing as technology evolves.

The formula lies on a basic assumption, according to Amoroso: “risk in our lives has to be balanced”. In our current situation, he noted, “in computer security we have one of those situations where things are out of balance…the risk and potential consequences have become too high.”

There was a time when the security function could approach its management and demonstrate the quality of the organization’s network security with a firewall – but that was back in 1993, Amoroso quipped. We soon added email, the web, VPN, and access by third parties. Then there was the evolution on the darker side, which included malware and now advanced persistent threats.

Now we exist in a world, Amoroso declared, where mobile devices lacking controls are on enterprise networks, and this has inaugurated an era of no perimeter, and no trust. “It’s the nail in the coffin of the perimeter”, he said, referring to the security threats mobile devices pose.

After more than 20 years of information security, Amoroso lamented, the trust situation is at “ground zero”, leaving both people and organizations as relatively safe (or unsafe) as before in cyberspace. The problem is not a lack of effort on the part of vendors, IT security professionals, or researchers, but lies in our inability to provide a framework that keeps up with advances – both in technology and the techniques employed by adversaries.

“The first step” in regaining this trust, he continued, lies in asking yourself: “If you can’t protect everything, then why don’t you pick some things, and do them well?” Amoroso suggested that organizations “selectively pick some things that really matter” while at the same time employing those traditional perimeter defenses they have always been required to maintain.

“Let’s see if we can protect one thing”, he added, “and then use that as an algorithm to protect more”.

Now you have the ability to return to a quasi-perimeter strategy, Amoroso said. This carefully chosen asset can now be placed into its own perimeter, building out and layering on access policies. Subsequently, different layers of security can be linked to certain assets depending on risk, all the while placing the security architecture in the cloud to provide a buffer between people trying to access information and the assets themselves.

In essence, Amoroso’s construct is based on the assumption that it’s easier to build a new sphere of secured assets in the cloud (public or private) orbiting around the central axis of the network security layer. It allows people to access cloud-based assets on the front end, while passing through the network service provider’s security layer, and finally ending up on the back end of your organization’s asset in the cloud – each with a level of security commensurate with the asset’s requirements. It’s the aforementioned “orbital model”: think of the network layer as the sun in our solar system, with cloud-based assets represented by the planets – and man-made spacecraft providing the equivalent of people trying to access organizational assets.

The internet service provider, Amoroso asserted, is the link between organizations and people that can make this model work in the future. And why is that the case, he asked? “Because we are the great constant – you have to have a service provider”.

He then asked where organizations in the future would do things like encryption, intrusion prevention, and firewall policies. If they try to do it for their mobile devices, Amoroso concluded, they will find themselves becoming mini mobile service providers, repeating mistakes of the past.

Regardless of whether you agree that security should be handled at the service provider level, Amoroso said that all organizations will have to solve the problem of where they will do policy enforcement on mobile devices.

“You can try and tether your wireless devices to some new perimeter...but that’s not going to work. We need something different”, Amoroso opined. “If we do this right, one of our contributions to the workplace [will be] that people will be as productive at Starbucks as they are in the office.”

chrisgillham says:

19 June 2012
Don't you mean "perimeter", not "parameter"?
