
Cloud Security Terms Explained: deperimeterization

The word heard most often in network security is "perimeter". The perimeter was the earliest focus of network security, and it raised Checkpoint, PIX, Netscreen, ISS and other security companies and well-known brands. Many security threats, attack and defence techniques, and solutions revolve around the perimeter. We say that P2P, IM, SNS and the like have eroded the traditional enterprise network perimeter, and that users roaming to every corner of the world make it ever more "virtual"; even so, the perimeter remains our first line of defence, and many perimeter controls have become standard configuration, including firewall/IPS/IDS/UTM, anti-DoS, VPN, WAF and so on.

In a cloud computing environment these traditional perimeters still exist, but as a cloud service user you need to think harder about solutions that do not depend on perimeter protection, solutions with more defence in depth, because cloud services are by nature multi-tenant: you cannot assume your "roommates" are harmless to you. In that sense, security architecture for the cloud must pay more attention to the "housekeeping" inside the "perimeter" or "virtual perimeter". This is a huge business opportunity, and Oracle, IBM, HP, CA and others have recently stepped up security offerings built on the database, on large applications themselves, on IAM and so on. Two weeks ago (January 19) I attended a technical forum Oracle held in Jersey City. Oracle's main pitch was a long line of products and solutions built around the database: identity, authentication, authorization, separation of duties (SoD), privileged-user management, auditing and so on. CA's security advertising is everywhere as well.

Note that "deperimeterization" does not mean doing without perimeter protection; rather, on top of traditional "perimeter" protection, it emphasizes the "virtual perimeter" and security inside the cloud service itself. In practice, resisting denial of service, finding and fixing web vulnerabilities promptly, and a WAF capable of fine-grained authentication and authorization for web services are all critical to cloud security.

Below is a repost of TechTarget's explanation of the term:

DEFINITION – In network security, deperimeterization is a strategy for protecting a company’s data on multiple levels by using encryption and dynamic data-level authentication.

Network administrators commonly use a castle analogy to explain their security strategy. Network devices are placed behind a firewall and security efforts are focused on keeping intruders out. Thus, company data is protected on the perimeter. With the advent of Web services, ubiquitous connectivity and a mobile work force, however, some administrators are beginning to question whether the traditional border model of IT security is practical.

The term deperimeterization was coined by Paul Simmonds of the Jericho Forum, a non-profit group dedicated to “the development of open standards to enable secure, boundaryless information flows across organizations.” Simmonds says that a hardened perimeter security strategy is impossible to sustain and is fundamentally at odds with an agile business model.

Simmonds points out that currently it can take from one to six months to set up a new sales office. A network administrator might have to design an extension to the corporate wide area network (WAN), negotiate a contract with a telecom and Internet service provider (ISP), install a local area network (LAN), set up a virtual private network (VPN), and install telephones and desktop PCs to get the office up and running.

In the proposed deperimeterization model, the administrator would simply need to connect desktop PCs and VoIP telephones to the Internet, because all points of the company’s network, from front-end gateways to back-end components, would be secure. For such a strategy to work, all data on the company’s network would need to be encrypted and end-users, whether they were internal staff, customers, or business partners, would be given as-needed authorization to access specific pieces of encrypted data within the company’s network.
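The definition above rests on two mechanisms, encrypting all data and granting authorization per piece of data on demand, but it does not show how the two fit together. The Go program below is an added example, not code from the original post, from TechTarget or from the Jericho Forum, that sketches the model: every record in a shared store is encrypted under its own data key, that data key is wrapped separately for each principal who has been granted access, and "reading" is a key-release decision rather than a check of where the reader sits on the network. A co-tenant with full access to the store, the "roommate" from the discussion above, sees only ciphertext. The names Principal, Store, Put, Grant and Read, the principals alice and bob, and the record id payroll/2010-02 are assumptions made for the illustration; so is keeping each principal's key-encryption key in memory, where a real deployment would use the user's private key or a KMS-held key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added illustration with assumed names (Principal, Store, Put, Grant, Read); not any vendor's API.
var ErrDenied = errors.New("no data key wrapped for this principal")

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // no CSPRNG: nothing safe to do
	return b
}

// aeadFor builds AES-256-GCM; every key here is 32 bytes, so an error is a bug, not bad input.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, err := cipher.NewGCM(block)
	if err != nil { panic(err) }
	return aead
}

// seal encrypts with a fresh random nonce prepended; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := aeadFor(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

// open reverses seal and fails closed if the ciphertext or the aad was altered.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

// Principal owns a key-encryption key. Holding it in memory is an assumption for a self-contained example.
type Principal struct {
	Name string
	kek  []byte
}
func NewPrincipal(name string) *Principal { return &Principal{Name: name, kek: randomBytes(32)} }

// record is all a co-tenant with access to the shared store ever sees.
type record struct {
	ciphertext []byte
	wrapped    map[string][]byte // principal name -> data key wrapped under that principal's KEK
}
type Store map[string]*record // record id -> record; stands in for the multi-tenant data layer

// Put encrypts under a fresh data key and wraps that key for the owner only. The record id is
// bound as associated data, so a wrapped key cannot be transplanted onto another record.
func (s Store) Put(owner *Principal, id string, plaintext []byte) {
	dek := randomBytes(32)
	s[id] = &record{
		ciphertext: seal(dek, plaintext, []byte(id)),
		wrapped:    map[string][]byte{owner.Name: seal(owner.kek, dek, []byte(id))},
	}
}

// unwrap is the authorization decision: deny by default, release the data key only to a
// principal it was wrapped for. Where that principal sits on the network plays no part.
func (s Store) unwrap(p *Principal, id string) ([]byte, error) {
	if rec, ok := s[id]; ok {
		if w, granted := rec.wrapped[p.Name]; granted {
			return open(p.kek, w, []byte(id))
		}
	}
	return nil, ErrDenied
}

// Grant: a principal that can unwrap the key re-wraps it for another, per record and on demand.
func (s Store) Grant(granter, grantee *Principal, id string) error {
	dek, err := s.unwrap(granter, id)
	if err != nil {
		return err
	}
	s[id].wrapped[grantee.Name] = seal(grantee.kek, dek, []byte(id))
	return nil
}

// Read returns plaintext only when unwrap succeeds.
func (s Store) Read(p *Principal, id string) ([]byte, error) {
	dek, err := s.unwrap(p, id)
	if err != nil {
		return nil, err
	}
	return open(dek, s[id].ciphertext, []byte(id))
}

func main() {
	alice, bob, store := NewPrincipal("alice"), NewPrincipal("bob"), Store{}
	store.Put(alice, "payroll/2010-02", []byte("salary table")) // constructed sample record
	_, err := store.Read(bob, "payroll/2010-02")
	fmt.Println("bob before grant:", err) // ErrDenied
	fmt.Println("grant:", store.Grant(alice, bob, "payroll/2010-02"))
	pt, err := store.Read(bob, "payroll/2010-02")
	fmt.Println("bob after grant:", string(pt), err)
}
```

Two caveats a practitioner would add. First, deleting a principal's wrapped copy stops future unwraps but cannot recall a data key that principal already unwrapped, so revocation with teeth means re-encrypting the record under a new data key and re-wrapping it for the remaining principals. Second, the authenticity of the key-release step depends on the principal's key being under the principal's control; if the store (or the cloud provider) holds the key-encryption keys, the "virtual perimeter" has simply moved to whoever administers that key store, which is exactly the privileged-user and audit problem the database vendors above are selling into.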

  1. Why
    February 5th, 2010 at 00:58 | #1

    In practice, resisting denial of service, finding and fixing web vulnerabilities promptly, and a WAF capable of fine-grained authentication and authorization for web services are all critical to cloud security.

  2. February 3rd, 2010 at 11:01 | #2

    Hi. I am a long time reader. I wanted to say that I like your blog and the layout.

    Peter Quinn
