RSA 2014: CISOs must move beyond perimeter-based security
RSA 2014: CISOs must move beyond perimeter-based security

It's been fashionable of late to criticise perimeter-based security technologies, not least when they are discovered to be porous given the latest advanced malware, insider threats and the continually popular bring-your-own-device (BYOD) schemes and new Internet of Things trend.

Two industry analysts today continued that focus by urging CISOs and other IT managers to progress from traditional perimeter-based techniques and embrace a multi-layered, risk-based security approach.

That was the take-out from the ‘Castles in the Air: Data Protection in the Consumer Age' talk from Jason Clark, chief security and strategy officer at Accuvant, and John Deere global security strategist John Johnson at the RSA Conference in San Francisco today.

The title of the topic, and the mention of castles was particularly apt with Johnson equating castle defence – used effectively by armies in Europe and the Middle East from the 10th century – to today's common information security defence measures.

“I thought we lived in a castle. It was a black and white approach to keep out the bad guys and keep the good guys in,” said Johnson at the start.

“I think we've matured a lot – it's not a world we live in. A castle is built on high ground to see enemies far away, has thick and impervious ways, and the guards watch everyone who is coming in and out.

“But the walls are coming out and the perimeter is evolving. The internet doesn't have high ground or good visibility – and there are holes in the walls that we put in ourselves,” he added, referring to BYOD, email enclosures, wireless transfer, third-party apps and cloud storage. “We don't inspect all the traffic coming and going.”

Johnson instead urges an approach to ‘SMAC' (social, mobile, analytics, and cloud) and says that IT teams must engage with business to form security strategy “top-down rather than bottom-up”. He added that IT departments have for far too long been sitting on the "kiddies" table and, as such, have had little dialogue with the C-level suite.

But it was former Websense CSO Jason Clark who urged CISOs to look beyond the perimeter defence, although he was keen to stress that technologies like firewalls, anti-virus, and intrusion detection systems (IDS) are still important.

“I don't think the perimeter is dead, it's just changed. It's new and different. These strategies are 20 years old and have to change. A completely different way of thinking is required.”

“Authentication might be the new perimeter. The bad guys are going straight to the user and getting the data,” he added, touching on the increasingly common spear phishing and social engineering attacks.

As some way of showing that traditional perimeter based technologies aren't working and are being overused, Clark said that 80 percent of security spend is going on firewalls, IDS and anti-virus solutions, despite only being effective to 30 percent of threats. 

“How does that help in the cloud world? It's not. [Businesses] keep doing the same thing over and over again and expect the same result." Instead, he urges CISOS to move to a risk-based approach, where they evaluate the risk and the assets they want to protect.

This talk came just two weeks after the Kickstarter hack, which led SafeNet's VP of cloud services Jason Hart to tell SCMagazineUK.com that the days of perimeter-based defence are coming to an end.

“CIOs have long considered the best defence to be a good offense when it comes to handling security threats, so the vast majority of time and money is spent building the perimeter security measures that keep the outsiders from getting into the network,” Hart told SCMagazineUK.com at the time.


“But in the new reality of security, the best offense is now the best defence and encryption is the key to that.”