De-Perimeterization.
Published on: 1178810196
"A good, modern security architecture is ragged around the edges, full of holes and exists largely in people's heads"
- David Lacey, Royal Mail Group.
Introducing the first major security paradigm shift of the 21st Century.
De-perimeterization is a rather futuristic idea in security, and it comes down to a very simple concept: have less security, and where you do have it, make sure it is practical and protects only what actually needs protecting. This seems to contradict everything we know about security. And yet it isn't such a strange idea after all.
An example of de-perimeterization:
Take the ATM, for instance. Formerly we protected the whole ATM with all sorts of mechanisms. With de-perimeterization we focus only on the cash cartridge: we make sure that when the cartridge is forced open, ink soaks the money and renders the bills useless. That way we can build simpler ATMs and still have good security. It reduces perimeter security and protects only the asset that actually has value.
Thoughts about it, and how to apply it to web security?
Now this is a very interesting concept, probably one of the best I've ever heard of in the security industry. Sure, many people have thought along these lines, but this time someone gave it a name: de-perimeterization.
I always say that security only means slowing down attacks and reducing the likelihood that an attacker profits. It is a rather simple concept, and the vault analogy illustrates it best. Imagine a vault made of plastic. It is easy and quick to break into, and because it takes so little time, the chance that the attacker is caught is very small. Now imagine a steel vault with 1 meter thick walls. Sure, it can be opened too, but how long will that take? 1 day? 2 days? In that time someone has already called the police and the attacker ends up in prison. So the reason steel vaults were invented is only to slow attacks down and to buy more response time once someone notices the vault is under attack. This matters because without notification of an attack, everything can be broken given unlimited time.
That is a really old security principle. The reason I like de-perimeterization is rather simple: security does not need to be reinforced but reduced, and in this one example of de-perimeterization (there are more) even detection isn't really needed. When an attacker tries to open an ATM cartridge that is protected with ink, he destroys the possible profit in the very act of opening it. He knows the cartridges are protected, so he won't even try, because the attack is no longer profitable.
Conclusion
De-perimeterization is a fairly new concept. Yes, it has been used before, but not to the full extent we would like. The question for me is whether we can apply it to online security. I think that is a bit different, but why not? We could encrypt data in such a way that it is useless to an attacker, render data useless during an attack, or lock it so that the attacker can't do anything with it. Or store different parts of the same data in different places? It would be interesting to investigate the possibilities of de-perimeterization in web security.
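As an added worked example (not from the original post), here is a small Python sketch of the two ideas raised in the conclusion applied to a web back end: the sensitive field in a database row plays the role of the ink-protected cartridge, so a dumped table is already worthless, and the key needed to read it is split into pieces held in different places, so that no single store (and no subset short of all of them) reveals anything. All names (`split_key`, `combine_key`, `protect_record`, the sample record) and the storage layout are assumptions made for this illustration. The keystream is a toy SHA-256 counter construction so the script runs on the standard library alone; it carries no integrity check, and a real deployment would use an authenticated cipher such as AES-GCM from a vetted library.

```python
"""Data-centric protection instead of perimeter protection (constructed example)."""
import hashlib
import secrets

KEY_LEN = 32    # bytes of key material
NONCE_LEN = 16  # per-record nonce prepended to the ciphertext


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """XOR-split `key` into n shares.

    The first n-1 shares are uniformly random and the last one is chosen so
    that XOR of all n shares equals the key. Any n-1 shares are therefore
    independent of the key: they carry zero information about it.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def combine_key(shares: list) -> bytes:
    """XOR all shares back together. With a share missing, the result is
    just another uniformly random string, not the key."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = _xor(key, share)
    return key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustration
    only; a production system uses a real AEAD instead."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one sensitive field under a fresh nonce; returns nonce || ct."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_field. A wrong key yields garbage, not an error."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


def protect_record(sensitive: bytes, stores: int = 3):
    """Model the architecture: the database keeps only the ciphertext, and the
    key exists only as `stores` shares kept in separate places (for example a
    config store, an HSM-backed vault and an in-memory service). Returns the
    row as the database sees it and the list of shares for the other stores."""
    key = secrets.token_bytes(KEY_LEN)
    row = {"user": "alice", "card": encrypt_field(key, sensitive)}  # constructed sample row
    return row, split_key(key, stores)


def read_record(row: dict, shares: list) -> bytes:
    """What a legitimate service does: gather every share, rebuild the key,
    read the field. An attacker holding the row plus a strict subset of the
    shares ends up decrypting with a random key."""
    return decrypt_field(combine_key(shares), row["card"])


if __name__ == "__main__":
    secret = b"4111111111111111"  # constructed sample value
    row, shares = protect_record(secret)
    print("db sees:", row["card"].hex())
    print("all shares  ->", read_record(row, shares))
    print("two shares  ->", read_record(row, shares[:2]))
```

The "attack" on this design is no longer a break-in to the web server or the database: a dump of the table and a copy of any one key store are each as useless as ink-soaked bills, which is the de-perimeterization effect the ATM example describes. What remains to defend is the moment the shares are combined in memory, and that is a much smaller perimeter than the whole application.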