Chairman Bill Gates and chief research and strategy officer Craig Mundie, Gates’ heir apparent, used a fairly pedestrian RSA Conference keynote speech in San Francisco yesterday to talk about the direction enterprise security is taking.
The key sound-bite of the keynote, “We need to move to create a way of describing these things by policy, not topology,” came from the mouth of Mundie, who got all the good lines and is clearly being groomed for his forthcoming role as Microsoft’s most public thinker.
“Almost all the protection in the past has tended to gravitate around the topology of the network, you can get at this segment or not that segment, you can get at this IP address or not that IP address,” he said. “But today the demands are really for a lot more flexibility, not just within the part of the network you control, but to extend to the network parts that you don’t control.”
This probably came as no surprise whatsoever to most people in the room.
Remote and roaming workers, outsourcing, offshoring, on-site contractors, wireless, USB drives, web services – the idea of the network perimeter as the end-all of security has long been a big joke.
The idea of deperimeterization, as this idea of a borderless network topology is referred to by some, has been around for a while.
Notably, the Jericho Forum, an enterprise IT user group, has been lobbying for vendors to address the matter for about three years.
Paul Simmonds, chief security officer at chemicals giant ICI Plc and Jericho’s co-founder, said he was encouraged by the noises Microsoft is making, but said he gave the Gates-Mundie speech 4 or 5 out of 10, based on what technologies they pitched to solve the problem.
“Microsoft has finally got it at a high level,” he said. But he added: “They’re at the point a lot of people in Jericho were a couple of years back. They get the concept but haven’t fully thought it out yet.”
In essence, Jericho is looking for vendors to bake security into their products and protocols to the point that data is secure in transit and at rest and can only be accessed by the appropriate people or machines, so the need for a thick perimeter of security devices is minimized. Insecure and proprietary protocols need to be broadly ditched too, the theory goes.
Simmonds’ favorite case study is Jericho member BP, the oil company, which kicked 18,000 employees off its LAN a year ago, giving them raw internet connections and doing all the security on the clients. That’s the kind of thing Jericho wants to see more feasible and more widespread.
Simmonds was not particularly impressed with some of the technologies Microsoft’s top executives pitched yesterday.
Gates and Mundie plugged IPv6 and IPSec as ways to do many-to-many security. IPSec becomes easier when you move from IPv4 to IPv6, and Windows Vista and the forthcoming Longhorn version of the Windows server OS both feature better support for IPv6.
Windows XP already supports IPv6-over-IPv4 tunneling, but Vista and Longhorn will make it easier to run completely native IPv6 networks, Gates said. “With IPSec, you get access control and encrypted data in transit,” he said.
“I started to think that Microsoft is missing the point, as far as what Jericho is espousing,” said Simmonds. “IPv6 is not going to solve your problems. In fact it may make some problems worse.”
One problem is voice over IP, he said by way of example. VoIP is designed to put call quality and low latency over data integrity, whereas IPSec is designed to ensure the integrity of the data at all costs.
“You can’t encapsulate VoIP over an IPSec tunnel,” Simmonds said. “Well, you can, and it’ll work 80% of the time. People are used to five-nines reliability on voice, not 20%.”
Securing data in transit is not the only concern nowadays, of course. The breaches that caused the reddest faces last year were those when executives had left laptops chock full of sensitive customer information in the backs of cabs.
For data at rest, Gates plugged BitLocker, the technology in Vista that applies AES encryption to the entire disk volume, requiring authentication and decryption before data is accessed.
It does seem that Microsoft is conscious of the idea of the deperimeterized network.
“We could continue to invest in this fortress mentality of protecting everything, but I don’t think that that will be sufficient,” Mundie said during his keynote.
“There are clearly benefits to having some of these capabilities, and we need to move gracefully beyond them, but I think most people would agree that our castle is fairly porous, because a lot of the assets actually leave the castle,” he said.
(The metaphor was apt. While last year’s RSA Conference had mathematics’ roots in ancient India as its theme, this year’s show has a distinctly medieval flavor. Dancing monks replaced last year’s Bollywood-style exuberance during the opening ceremony.)