Tuesday, January 20, 2009

Deperimeterization without endpoint control?

Do you know what that is? That's a complete disaster!

I got the tip for this very interesting Burton Group discussion from Anton Chuvakin's post (who also has an overflowing "2blog" queue :-).

There is a way to summarize that discussion. The key issue in deperimeterization is control over the endpoint. If you are pushing the defenses to the endpoint, you had better control it. So, if you are allowing endpoints that you don't control to access your data, it's not your data anymore.

Think for a moment: how would a data-centric security approach work? It would be something like agents that run on every endpoint, or that travel together with the data, encapsulating it. Either way, it will run on the endpoint. If the user controls the endpoint's ring 0 by having admin rights on the box, he will be able to modify or trick the security agent into doing things with the data that it is not supposed to do. Now, quick answer: how can you keep users from having admin rights over their own devices? You can't!

Imagine that you have printed a very sensitive document on a very, very bleeding-edge technology paper. It can't be copied by any photocopy machine, and it will destroy the data on it if someone tries to put it through one of those machines. If you let someone take that paper anywhere where you can't see them, they will copy it the way the twelfth-century monks used to! So, what can be done to avoid that? First, the user can NEVER control the device. How can you avoid that if he owns it? Well, I don't like it, but the only alternative is something like a very broad adoption of the TPM. However, I doubt that those devices will become popular, and if that happens, so will the ways to hack them.

The other alternative is not that cool, but I believe it's closer to reality. Things will still be like what they are today. I mean, we'll still have to put some restrictions on which devices can be used, we'll still have to have some control over the physical and network environments, and we'll still have to deal with ACCESS CONTROL. That's not as sexy as virtualization, deperimeterization or any other "-ation", but it's the root of information security. We'll still have to choose carefully who can access the information and under which circumstances it will happen.

Did you really think that, with all these new variables, security would be that simple? :-)
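To make the closing point concrete, here is a small access-decision function of the kind the post argues for: instead of trusting an agent running on an endpoint the user controls, the decision about who may touch which data, from which device, and from which network is made before the data is released. This is an added example written for this post, not code from the post or from the Burton Group discussion; the trust levels, the rule table and the sample requests are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Tuple


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


class DeviceTrust(IntEnum):
    # Assumed trust ladder; the real one depends on your device management.
    UNKNOWN = 0    # unenrolled / personally owned: the user controls the box
    ENROLLED = 1   # centrally managed, but no hardware-backed state evidence
    ATTESTED = 2   # managed and its boot/agent state attested (e.g. via a TPM)


@dataclass(frozen=True)
class Request:
    user: str
    user_clearance: Sensitivity
    device_trust: DeviceTrust
    network: str                 # "corp" or "external" (constructed values)
    data_sensitivity: Sensitivity


# Minimum device trust required before data of a given sensitivity is released.
# The key idea from the post: an agent on an uncontrolled endpoint cannot be the
# enforcement point, so the decision happens here, not on the device.
REQUIRED_TRUST = {
    Sensitivity.PUBLIC: DeviceTrust.UNKNOWN,
    Sensitivity.INTERNAL: DeviceTrust.ENROLLED,
    Sensitivity.CONFIDENTIAL: DeviceTrust.ENROLLED,
    Sensitivity.RESTRICTED: DeviceTrust.ATTESTED,
}


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Every denial names the failed condition so the
    decision can be logged and reviewed."""
    if req.user_clearance < req.data_sensitivity:
        return False, "user clearance below data sensitivity"
    if req.device_trust < REQUIRED_TRUST[req.data_sensitivity]:
        return False, (f"device trust {req.device_trust.name} insufficient "
                       f"for {req.data_sensitivity.name} data")
    # Network environment still matters, as the post says: confidential and
    # restricted data is only served to devices on the corporate network.
    if req.data_sensitivity >= Sensitivity.CONFIDENTIAL and req.network != "corp":
        return False, "confidential or higher data only from corporate network"
    return True, "allowed"


def evaluate_all(requests: List[Request]) -> List[Tuple[str, bool, str]]:
    """Evaluate a batch and return (user, allowed, reason) per request."""
    return [(r.user, *decide(r)) for r in requests]


# Constructed sample requests exercising each rule.
SAMPLE_REQUESTS = [
    Request("alice", Sensitivity.RESTRICTED, DeviceTrust.ATTESTED, "corp", Sensitivity.RESTRICTED),
    Request("alice", Sensitivity.RESTRICTED, DeviceTrust.ENROLLED, "corp", Sensitivity.RESTRICTED),
    Request("bob", Sensitivity.CONFIDENTIAL, DeviceTrust.ENROLLED, "external", Sensitivity.CONFIDENTIAL),
    Request("bob", Sensitivity.CONFIDENTIAL, DeviceTrust.UNKNOWN, "external", Sensitivity.PUBLIC),
    Request("carol", Sensitivity.INTERNAL, DeviceTrust.ATTESTED, "corp", Sensitivity.CONFIDENTIAL),
]


if __name__ == "__main__":
    for user, allowed, reason in evaluate_all(SAMPLE_REQUESTS):
        print(f"{user:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the rule table is that the sensitive cases never depend on what the endpoint agent reports about itself: an unenrolled device can only ever reach public data, and the highest tier requires hardware-backed evidence of device state, which is the TPM scenario the post mentions.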