VIEW 9
Where is the wall?
The castle model of cyber security is a useful way of illustrating some simple security concepts, but it has a major flaw: where do you put the wall? As the world becomes both more mobile and more interconnected, it is increasingly hard to draw the line between inside and outside from a systems standpoint. This issue, known rather clumsily as de-perimeterisation, is a big challenge for security professionals.
Most cities in medieval times were surrounded by a wall for their protection. But as global trade flourished, these walls were torn down to improve the flow of goods and services. In London and Paris this happened in the 18th century, in Beijing not until the 1950s. For similar reasons, over-reliance on perimeter security and a binary distinction between ‘us’ and ‘them’ is becoming an outmoded approach in the cyber realm.
The drawing of this dividing line can be framed as an attempt to balance business drivers against security concerns. In most cases it is the business drivers that win in the end: a control that blocks a revenue-generating service rarely survives long.


Inside or outside?
The diagram to the right illustrates some of these issues. It is common for companies to use cloud-based software for customer relationship management or accounting; Salesforce and QuickBooks are popular examples of these ‘software as a service’ (SaaS) packages. Such systems hold some of the organisation’s most sensitive data yet run on someone else’s infrastructure, so it is debatable whether they sit inside or outside the corporate perimeter. Similarly, most companies use contractors and third parties for software development or website design; are they insiders or outsiders? Mobile working exacerbates the perimeter problem. Laptops and smartphones used for both office and home purposes blur the dividing line between the internal and external zones, an issue usually referred to by the acronym BYOD, for “Bring Your Own Device” to the workplace.
Lastly, one of the weaknesses most often exploited by penetration testers is physical access, particularly where an organisation has multiple office locations; it is difficult to maintain the same level of security across all of them. Most offices rely on third-party contractors for building services such as cleaning and underfloor cabling, which gives those contractors unsupervised access to desks, network ports and wiring closets. Should these individuals be subject to the same vetting and security regimes as employees?
The conclusion from all these examples is that it is almost impossible to draw a clear line between an organisation’s internal and external zones. The ‘castle wall’ is a useful but outmoded metaphor, and there are other, more apt analogies for cyber security (see View #11).