Two recent items in my inbox:
- "PENTAGON SPENT MILLIONS TO COUNTER INSIDER THREATS AFTER WIKILEAKS FIASCO" - NextGov piece on how DISA has spent millions buying (and sometimes installing) the old McAfee Host Based Security Subsystem software but not much return on that investment.
- "DISA ELIMINATING FIREWALLS" - AFCEA Signal piece quoting DISA Director Lt. Gen. Ronnie Hawkins Jr. on the future DISA security architecture, which will be "designed to protect data rather than networks."
So, to summarize: in item (1) we learn that DISA has spent many, many millions over the years trying to make PCs and data secure, and it doesn't work; while in item (2) we hear that the future architecture will rely on making hosts and information secure, after which perimeters will disappear.
This is what divorce lawyers call "the triumph of hope over experience."
Look, it would be really nice if secure endpoints and secure data were possible - just as it would be really nice if chickens laid eggs that could be thrown in a grocery bag and survive the trip home. But the barriers to secure endpoints/data/eggs are very high and a decade of wishing it wasn't so (see Jericho Forum circa 2003) doesn't change that.
By the way, I could have added an item (3) above: "Software Defined Networks Will Build Security In" as another hype item along these lines.
The perimeter isn't going away - it continues to be the area in security that evolves the most rapidly to both address new threats and to add delivery mechanisms (software, network appliance, virtual instance, as a service, in the wired cloud, in the mobile cloud) as IT delivery mechanisms change.
The egg carton will likely disappear before the firewall.