Forrester Research has made it official: the “walled city” model of enterprise network security is as out of date as the medieval fortress. Forget perimeter defense. What’s needed, going forward, is a far more intelligent and focused approach — one that’s more like snipers confronting attackers one-on-one than like massive and costly barriers, readily shattered by the cost-effective trebuchets of automated attack.
Going forward, it’s clear that outsourcing security is no longer a speculative idea or a low-budget approach. Rather, it’s a question of putting the expertise in the same space as the problem. Security in the cloud is more likely to be a professional service, managed by people whose entire business model depends on unimpeachable credibility in that space. I explored this question this past February in an eWEEK podcast, still online if you’d rather listen than read. (My wife and my oldest son never got the credits they deserve for my weekly series of eWEEK InfraSpectrum programs: she did the voice-over intro, he wrote and digitally performed the intro and closing music.)
Security for ever-enriched Web-based offerings is therefore a top-tier concern, not just for consumer-facing applications but also for enterprise IT. This concern got some high-profile attention at the Black Hat conference in Las Vegas this summer, with one researcher raising red flags here at salesforce.com by innocently using our service as a hypothetical example of a “sidejacking” target. Upon further review of salesforce.com security technologies and administrative options, that same expert quickly clarified his comments with a blog post that dubbed salesforce.com “the standard that others should follow.”
We can only hope that the future of security will look more like armored vests for the marketplace than like easily penetrated or shattered walls.