EAC Blog: Dealing with the death of the moat
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 15. Link here.

It tends to be hard to describe IT security to folks who only know about email and, maybe, their web browser. So you are always looking for a quick and universal analogy to make the concepts clear. The one I've been using for about 10 years is... the moat.
The moat is great. You put up a nice picture of a castle with a large moat protecting it and people get it. The bad guys are on the outside, so you build a deep, wide gulf between you and them and life is good, no?
Unfortunately, the moat is passé. Thinking about security as a moat no longer works, because you are intentionally dropping the drawbridge to let some of your "trusted" trading partners in to streamline operations. Or, at least, that was the story you were told. What about all of those insiders that have access because they work for you (or are consultants)?
Nowadays, we don't know who the bad guys are. So a deeper and wider moat is not really going to help. This phenomenon is called "de-perimeterization" in the trade. I'm not sure who came up with that term, and it kind of sucks, but it's what we've got. Suffice it to say, you need to spend some time focusing on how you are going to protect your environment when the bad guys can be anywhere. Literally.
So now you need to look at security from two perspectives. The first is "outside-in," which is still important. Bad guys are still out there, and, if you let your guard down, they'll compromise your defenses, turn your machines into zombies and steal your private data. Although the moat is no longer sufficient, it's still necessary.
The new wrinkle here is something that my pal Ted Julian (over at Application Security) calls "inside-out." Basically, you need to figure out how the data is used, who has rights to it, and a way to protect it. This is more art than science right now, and sometimes there aren't good answers. You should be thinking about how products in the database, content, and web application security spaces are potential solutions.
I've come up with a security architecture, called "Pragmatic Security," that aims to simplify how we talk about security, and make the point regarding the need to treat your infrastructure (outside-in) differently than your data/information/content (inside-out). Check out that post here. Of course, the lines blur at times, but this model has been well-received by folks trying to restore order to the chaos.
the data center. Not sure it gets there, but it's a start.