End point security: a five-year craze?

Roy Harari

End point security is widely considered a key component of any transition towards implementing the much-hyped concept of deperimeterization.

But such a contention raises important questions as to how mature the end point security (EPS) market actually is today. Is deperimeterization really the optimum security choice for every type of organisation?

Firstly, it is necessary to define both terms. Traditionally, client devices such as desktops and laptops (also known as end points) were safeguarded against threats by firewalls at the network gateway or anti-virus scanners on central servers. End point security, however, shifts the focus to the devices themselves, which run their own local security software.
The aim here is not only to defend the end points themselves, but to protect the corporate network from any potential harm caused by unsafe devices, using techniques such as access control (checking a device's security posture before it is admitted) and quarantine (confining a non-compliant device to a restricted network segment until it is remediated).
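To make the access-control-and-quarantine idea concrete, here is an added example (written for this page, not code from the article, from any vendor mentioned in it, or from the Jericho Forum) of the admission decision an end point security agent and its network enforcement point make together. The posture fields, policy thresholds, VLAN numbers, remediation host names and sample devices are all assumptions. One caveat a practitioner should keep in mind: the posture is self-reported by software on the client, so a compromised or deliberately rogue host can lie about it; in a real deployment the decision should also rest on something the network can verify about the device rather than on the agent's word alone.

```python
"""Toy network-admission decision of the kind an end point security / NAC agent
drives.  Added example; every field name, threshold and sample value below is an
assumption for illustration, not a description of any real product."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Posture:
    """Security state reported by the end point agent (self-reported, so untrusted)."""
    hostname: str
    av_installed: bool
    av_signature_date: date   # date of the last anti-virus signature update
    patch_level: int          # assumed YYYYMM patch baseline, e.g. 200701
    disk_encrypted: bool
    firewall_enabled: bool
    managed: bool             # corporate-managed build, not a guest/personal machine


# Assumed policy: what a device must look like before it reaches production.
POLICY = {
    "max_signature_age_days": 7,
    "required_patch_level": 200701,
    "production_vlan": 10,
    "quarantine_vlan": 999,
}

# Assumed remediation servers: the only hosts reachable from the quarantine VLAN.
REMEDIATION_HOSTS = {"patch.corp.example", "avupdate.corp.example"}


def evaluate(p: Posture, today: date, policy=POLICY):
    """Return (decision, vlan, reasons).

    ADMIT      -> production VLAN, full network reachability
    QUARANTINE -> remediation VLAN, reachability limited to REMEDIATION_HOSTS
    DENY       -> no network access at all
    """
    # Unmanaged devices never reach production, whatever posture they claim.
    if not p.managed:
        return "DENY", None, ["device is not a managed corporate build"]

    reasons = []
    if not p.av_installed:
        reasons.append("anti-virus not installed")
    else:
        age = (today - p.av_signature_date).days
        if age > policy["max_signature_age_days"]:
            reasons.append(f"anti-virus signatures are {age} days old")
    if p.patch_level < policy["required_patch_level"]:
        reasons.append(f"patch level {p.patch_level} below required {policy['required_patch_level']}")
    if not p.firewall_enabled:
        reasons.append("host firewall disabled")
    if not p.disk_encrypted:
        reasons.append("disk not encrypted")

    if reasons:
        # Non-compliant but managed: confine it so it can fix itself.
        return "QUARANTINE", policy["quarantine_vlan"], reasons
    return "ADMIT", policy["production_vlan"], []


def allowed_destinations(decision: str):
    """Reachability granted on the segment that goes with a decision."""
    if decision == "ADMIT":
        return {"*"}                       # whole corporate network
    if decision == "QUARANTINE":
        return set(REMEDIATION_HOSTS)      # remediation servers only
    return set()                           # DENY: nothing


# Constructed sample devices and an assumed evaluation date, for demonstration.
TODAY = date(2007, 3, 1)
SAMPLE_DEVICES = [
    Posture("lt-0001", True, date(2007, 2, 27), 200702, True, True, True),   # compliant
    Posture("lt-0002", True, date(2007, 1, 10), 200702, True, True, True),   # stale AV sigs
    Posture("guest-pc", True, date(2007, 2, 27), 200702, True, True, False), # unmanaged
]


def run_samples(today=TODAY):
    """Evaluate the constructed sample devices; returns {hostname: (decision, vlan, reasons)}."""
    return {p.hostname: evaluate(p, today) for p in SAMPLE_DEVICES}


if __name__ == "__main__":
    for host, (decision, vlan, reasons) in run_samples().items():
        print(f"{host:9s} {decision:10s} vlan={vlan} reach={sorted(allowed_destinations(decision))} {reasons}")
```

The split between QUARANTINE and DENY is the point worth noticing: a managed machine that merely fell behind on signatures is parked where it can reach the update servers and nothing else, whereas an unmanaged device gets no segment at all, because no amount of self-reported posture makes it a trusted build.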

Deperimeterization, meanwhile, concentrates less on protecting individual items of equipment and more on defending sensitive corporate data and data flows.
To date, organizations tend to focus the majority of their security effort generically at the network boundary to protect the systems within. Deperimeterization, however, is about creating a secure architecture that safeguards core systems and data against leakage using a defence-in-depth approach, so that protection does not depend on where the boundary happens to sit.

No need for expensive MPLS-style networks

The idea is this. If such systems and data are effectively protected, internal staff, remote workers and external stakeholders should all be able to securely exploit public infrastructure and services such as the internet to collaborate with each other and access the systems and information they need. Organizations therefore, should no longer need to invest in expensive MPLS-style networks.

A real-world example of this theory in practice is BP. The company has 18,000 staff using the internet to undertake their day-to-day work as part of a five-year plan to expose as many of the oil giant's applications as possible to the public network in a bid to cut costs.

Join in or get left behind…

Paul Simmonds, author of a number of positioning papers at the Jericho Forum, which originally came up with the term and evangelizes the concept, explains his take on the new security measure. "Deperimeterization comes to the conclusion that corporate and business borders simply inhibit business, while adding little in terms of security. The issue is really one of data rights management, and the philosophy says that the closer you get to the data, the easier it is to protect."

Simmonds uses the analogy of the US state, which does not protect President Bush simply by deploying border guards. "It gives him personal protection and it's the same for security: VIP data has to be protected up close," says Simmonds.

"Deperimeterization comes to the conclusion that corporate and business borders simply inhibit business, while adding little in terms of security"
Paul Simmonds, Jericho Forum

However, while he describes deperimeterization as "a concept, a framework, even a business solution that should encompass all of your business", Simmonds sees EPS as more of a "point security solution, which may have some part to play in either the transition to a properly deperimeterized state, or the final end-state".

This suggests that while EPS technology is useful in certain circumstances, in wireless infrastructures for example, ultimately its life span will be limited.

"You'll see a peak in end point security in about three years' time and then it'll decline. It has probably got a maximum five-year lifetime and then there'll be much better technology around. Various security protocols for things like voice-over-IP will start to be delivered," Simmonds says. "At that point, we'll say 'it was a good idea at the time' and there'll always be niche areas where it's deployed, but for widespread corporate deployment, my take is that it'll never happen."

But it is within this five-year timeframe that Simmonds also expects deperimeterization to move into the mainstream. "You can just keep on adding security, but it will only last so long like King Canute holding back the waves. Whether people like it or not, deperimeterization is happening and they can either do something actively about it, or sit back and follow the flow, although that won't give them the same business advantages," Simmonds says.

Actively deploying deperimeterization however is no mean feat, he admits. It involves re-architecting organizations' infrastructure to "build in security from the ground up" and because of the high levels of investment this entails, it necessitates buy-in at senior levels.

EPS: a long way from perfect

Other industry watchers are not so convinced that the end is nigh for EPS or that deperimeterization is the answer for everyone. Roy Harari, Comsec Consulting's UK managing director and vice president of international business, believes that tackling EPS will be a central challenge for many organizations during 2007.
"It's a key issue of concern, but I'd say that the majority have yet to do it effectively. They're thinking about it, listening to the vendors and trying to understand what will work where, but in the meantime, they're either trying to enforce stronger policies or laying down draconian rules," he says.

For example, while most companies have for some time insisted that programs such as anti-virus and anti-spam run on client devices, the introduction of other technologies to tackle issues such as intrusion prevention, encryption or policy compliance (Cisco's Network Admission Control, for instance) is patchy at best.

This is not least, says Mike Gillespie, principal consultant at Advent Information Systems, because it is still unclear which of these technologies will take off or which vendors are likely to become market leaders.

"In some ways, it's a bit like the old VHS/Betamax situation at the moment. A lot of people are waiting to see which technologies bed in or not, so there are early adopters but the rest are still waiting to see what happens," explains Gillespie.

Moreover, tackling EPS issues involves more than just ramming the technology in and hoping for the best. Phil Huggins, chief technology officer at consultancy Information Risk Management, believes that in order to build it into the infrastructure and manage it effectively, the network estate simply has to be well architected in the first place.

"Some organizations have implemented a bit of end point security, some have done a bit of this and that and others have done nothing. Where it has been introduced completely though, organizations have consistent builds across their entire network estate, otherwise it becomes a nightmare to manage. So end point security is as much about how you do it as about the technology itself," he says.

EPS: essential ingredient for deperimeterization

Nonetheless, he does see EPS as a useful component in any move to deperimeterization, particularly if organizations are using thin client architectures, because it provides a means of preventing data leakage from one of the most vulnerable areas of the corporate network.

"When it comes to deperimeterization, it's clear that the boundaries people are talking about are in many cases already broken"
Phil Huggins

"The organic growth of interconnected back-end systems and applications has been dramatic, which means that many industry chains are now integrated from clients all the way back to the product or service provider. So when it comes to deperimeterization, it's clear that the boundaries people are talking about are in many cases already broken," says Huggins.

He therefore believes that the concept makes a lot of sense for organizations that have a lot of partners and a highly integrated supply chain, but much less sense for those that operate in a more standalone fashion.

"It's not a one-size-fits-all response and I don't think many organizations will deperimeterize totally. Most will adopt some elements of it, probably on a piecemeal basis, some will use it as a roadmap and have the rigour to do it, but for others, it may not be the right solution," Huggins says.

Deperimeterization: too big for its boots?

Gillespie is even more sceptical, however, believing that deperimeterization is a big-company concept, dreamt up by large enterprises wanting to improve the management of their huge and unwieldy networks.

"This has been dreamt up and is being driven by the Jericho Forum, which includes companies like ICI, HSBC and HBOS," he says. "It's about big global blue chips trying to drive a security agenda that's only really suitable for large corporates. If you set up a similar organization for SMEs, I'm sure they'd come up with quite a different argument."

As a result, he says, the majority of firms are looking at the debate from the sidelines to see where it all goes. To date, they have chosen not to leap head first into it. Another point, however, in his view, is that network perimeters are not so much disappearing as becoming more fluid.

"The perimeter has changed and we need a more modular, flexible approach to that. But organizations have invested heavily in gateway-based security so they're not going to throw it away," Gillespie says. Instead he believes it is more likely that small to medium organizations will adopt a "security layering" or defence-in-depth approach, "which is not a new concept".

This means that, while there will be more focus on client security, companies will still continue to undertake network segmentation, run firewalls and other more traditional technologies at the gateway.

On the one hand, Gillespie argues, most firms do not have the money to invest in cutting edge "deperimeterization" technologies such as Secerno's database assurance platform or to re-architect their infrastructure to cope with the shift. On the other, they are comfortable with their existing perimeter technology because they know what to expect and "it will take a long time to bring down the expectation of having a perimeter to secure".

As a result, Huggins concludes that the most likely scenario is that, "rather than everyone hitting the extreme philosophical stance that we all live on the internet and that's that, we're more likely to see components of deperimeterization being adopted over time due to ever increasing levels of connectedness".
