The Castle-and-Moat Era of Information Security is Over

CSO Magazine declares that the castle-and-moat era of information security is over. Acknowledging that this trend is not going to reverse itself, the article asks "But what defensive model comes next for information security if the perimeter goes away?"

Another part of the shift promoted by several experts involves a complete change in how security organizations view their efforts. "You cannot protect every house in the nation, so you create a border to the country," says Elad Baron, CEO at security provider Whale Communications. "The problem [with information security] is that you need lots of access, not just minimal access through those borders. There is still a perimeter, but you need to switch the paradigm from preventing everything to allowing secure access from anywhere."
From The World Is Your Perimeter - CSO Magazine - February 2004
Referenced Fri Mar 12 2004 14:45:07 GMT-0700

But actually, that's not quite true, is it? We do protect every house in the nation. The security blanket around my house is multi-layered and complex. It starts at the national border and goes down to the locks on my doors and personal alarm system. I was talking to someone last week about this and the idea that came up was that city walls became a thing of the past when technology for breaching them became widespread. That made securing things more complex, but it also enabled commerce in brand new ways. That's true of the current shift in how we think about information security as well.

New security paradigms demand that we turn the old model inside out and instead of viewing identity as a subtopic in security, start to view identity as the foundation for security. To do this, you have to think about identity first and independently and build an identity infrastructure that supports the business, including its security needs. My upcoming book addresses the topic of digital identity and focuses on how an enterprise can build an identity management architecture (IMA). An IMA doesn't describe how to implement an identity infrastructure, but rather defines a context within which the identity infrastructure is deployed. The IMA captures the security requirements of the business, along with the primary requirements of the business (such as partner relationships), so that the identity infrastructure can be built to meet those needs.