AT&T security chief: mobiles are the “nail in coffin” for trust, and the perimeter

Amoroso's concept, called “orbital security”, involves moving much of security into the network layer
Amoroso's concept, called “orbital security”, involves moving much of security into the network layer

While admitting that no security is perfect, Ed Amoroso, AT&T senior VP and chief security officer, demonstrates why each layer of complexity in our IT infrastructure has led to declining levels of trust. The old perimeter-based strategy was highly trusted, but still not completely secure at all times.

But according to Amoroso, the addition of mobile devices – especially those lacking controls – has ushered in the complete collapse of the perimeter, and with it the concept of trust altogether. Yet the situation is not helpless, as he asserted, and then began to lay down the framework for a more trusted security, for both today and into the future.

At the company’s recent Cyber Security Conference in New York, Amoroso joked that his ideas – primarily critical of perimeter security as a model – were a bit strange for a person who is responsible for perimeter security at one of America’s largest internet and network service providers.

He also recognized that he’s not the first to observe the death of the perimeter. Organizations like the Jericho Forum, Amoroso recalled, have been advocating this worldview for some time. To his knowledge, however, there has yet to be a solution he would call “workable” enough to provide address the trust issues, and by extension security.

His proposal is one that involves gradually moving data, applications and even security into the cloud – one asset at a time – and learning how to apply this method to subsequent assets. It’s a concept Amoroso calls “orbital security” and it involves moving much of security into the network layer. The process, AT&T fellow suggested, would help organizations regain some of that trust they seem to be loosing as technology evolves.

The formula lies on a basic assumption, according to Amoroso: “risk in our lives has to be balanced”. In our current situation, he noted, “in computer security we have one of those situations where things are out of balance…the risk and potential consequences have become too high.”

There was a time where the security function could approach its management and demonstrate the quality of the organization’s network security with a firewall – but that was back in 1993, Amoroso quipped. We soon added email, the web, VPN, and access by third parties. Then there was the evolution on the darker side, which included malware and now advance persistent threats.

Now we exist in a world, Amoroso declared, where mobile devices lacking controls are on enterprise networks, and this has inaugurated an era of no perimeter, and no trust. “It’s the nail in the coffin of the perimeter”, he said, referring to the security threats mobile devices pose.

After more than 20 years of information security, Amoroso lamented, the trust situation is at “ground zero”, leaving both people and organizations as relatively safe (or unsafe) as before in cyberspace. The problem is not a lack of effort on the part of vendors, IT security professionals, or researchers, but lies in our inability to provide a framework that keeps up with advances – both in technology and the techniques employed by adversaries.

“The first step” in regaining this trust, he continued, lies in asking yourself: “If you can’t protect everything, then why don’t you pick some things, and do them well?” Amoroso suggested that organizations “selectively pick some things that really matter” while at the same time employing those traditional perimeter defenses they have always been required to maintain.

“Let’s see if we can protect one thing”, he added, “and then use that as an algorithm to protect more”.
Now you have the ability to return to a quasi-parameter strategy, Amoroso said. This carefully chosen asset can now be placed into its own perimeter, building out and layering on access policies. Subsequently, different layers of security can be linked to certain assets depending on risk, all the while placing the security architecture in the cloud to provide a buffer between people trying to access information and the assets themselves.

In essence, Amoroso’s construct is based on the assumption that it’s easier to build new sphere of secured assets in the cloud (public or private) orbiting around the central axis of the network security layer. It allows people to access cloud-based assets on the front end, while passing through the network service provider’s security later, and finally ending up on the back end of your organization’s asset in the cloud – each with a level of security commensurate with the asset’s requirements. It’s the aforementioned “orbital model”: think of the network layer as the sun in our solar system, with cloud based assets represented by the planets – and man-made space craft providing the equivalent of people trying to access organizational assets.

The internet service provider, Amoroso asserted, is the link between organizations and people that can make this model work in the future. And why is the case, he asked? “Because we are the great constant – you have to have a service provider”.

He then asked where organizations in the future would do things like encryption, intrusion prevention, and firewall policies. If they try to do it for their mobile devices, Amoroso concluded, they will find themselves becoming mini mobile service providers, repeating mistakes of the past.

Regardless of whether you agree that security should be handled at the service provider level, Amoroso said that all organizations will have to solve the problem of where they will do policy enforcement on mobile devices.

“You can try and tether your wireless devices to some new parameter...but that’s not going to work. We need something different”, Amoroso opined. “If we do this right, one of our contributions to the workplace [will be] that people will be as productive at Starbucks as they are in the office.”

What’s hot on Infosecurity Magazine?