I just returned from NISC - the National Information Security Conference - held this year in Cumbernauld in Scotland. The theme of this event was “the diminishing network perimeter”. With the advent of smartphones, tablets, Kindles and BYOD, the boundaries between the work and home environments have dissolved, so how do you maintain the security of your corporate network? How does this affect the corporate network, and how much can you put into the cloud?
There were many interesting sessions around this theme and, as well as giving a talk on the Deadly Sins of Cloud computing, I sat on a panel which discussed the diminishing network perimeter.
Amongst the other sessions, one by Dr Simon Shui of HP Labs provided an interesting and different perspective on cloud computing. Dr Shui has been working with Professor David J. Pym at the University of Aberdeen on the subject of “Information Stewardship in the Cloud”. They have developed a series of economic and mathematical models that explore various aspects of the emerging cloud ecosystem. These models allow the exploration of different priorities in information stewardship, as well as the relative success of different policies and the attributes of platforms and providers.
I was honoured to be part of a panel, chaired by Gerry O’Neill, which discussed the diminishing network perimeter. In my opinion - the network perimeter is, and always was, an illusion created as a comfort blanket. We need to get over the idea that the whole organization can somehow be isolated – it can’t. The business perimeter is long gone. What is commodity is outsourced; only what adds value is retained. We need to remember that, in general, IT is now a commodity. In this new world, indirect governance replaces hands-on management. This approach is essential when you acquire services rather than produce them yourself. In general, internal IT organizations have focussed on how to do it themselves and are not good at indirect governance. For indirect governance to succeed it is important to:
a. Really understand the business requirements (which include the need for compliance and the risk appetite).
b. Understand what data you have and the value of this to your business.
c. Base IT architecture, and decisions about how to acquire IT services, on these requirements.
d. Assess risk and choose the risk response on real need rather than theoretical possibilities.
e. Make sure that responsibilities are clearly defined, and set controls and measure performance against this business need.
We can no longer design IT systems on the assumption that they will be run in-house. We can no longer rely on the notion of a secure perimeter as the basis for IT security. IT systems should be designed to run in whatever location is best from the point of view of cost and risk.