I imagine that even in cave-people days there were some cave-people who sold stuff to other cave-people. (I have an 18-year-old daughter and just can’t bring myself to say “cave men” anymore, but boy does it sound better.) Once they sold some stuff they realized they needed to sell more stuff, and if the old stuff didn’t wear out fast enough the sellers had a problem. Thus was born the concept of planned obsolescence, fashion, and refresh cycles.
The technology world is no different – it loves refresh cycles and it loves to declare major changes that will drive new spending. That’s one of the parts of being in the analyst industry I don’t really like – we are quite often part of the problem. But at least on the security side we can continue to focus on the fundamentals of keeping the bad guys out, letting the good guys in, keeping the wheels on, etc.
So, at Gartner we started covering things like SSL VPNs about 8 years ago – pointing out that this was allowing un-managed PCs to connect to the network and access business critical data. We started covering NAC (calling it Scan and Block back in the worm days) not long after that, as a key security process for dealing with new forms of remote access. And we were covering all the issues around the growing use of laptops and wireless more than 5 years ago – because our clients were facing those problems.
But every few years someone likes to leap up and say “there is no more perimeter” because they have just noticed that there are laptops, use of home PCs, wireless etc. – even though most Gartner clients seem to have been dealing with those issues for several years. It is really just part of the technology industry’s need to try to declare the “next big thing” – doesn’t “software as a service” look awfully similar to “application service provider” to you? If you are old enough, is “cloud computing” really all that different than the “distributed computing environment”?
But, back to the perimeter: we’ve continued to use a very simple definition of the perimeter – it is where people connect to the business. What businesses always need to do is assert security policy as part of doing business, whether that protection is applied internally, externally or in-between. There will always be an inside and an outside (unless companies start sending paychecks to customers and products to employees) but business has always been done on both sides.
In the vast majority of businesses, it is really simple to tell the difference between the inside and the outside. There have been ubiquitous remote access connections and laptops for well over 5 years now and there are many connections between the two – but there are still differences between employees and outsiders (see guest access/NAC) and there are still huge amounts of fixed resources (see desktop computers and all servers) that don’t move and have well defined perimeters despite many years of talk of it disappearing. It turns out that there is no good business reason for it to disappear and many good business reasons for it to stay.
Where consumption of services like SaaS (and outsourcing and hosting before that) pull those services from the data center to an external data center, you still find a pretty well defined perimeter there – because there is a good business reason for those providers to have perimeters and no good business reason for them not to have one.
The technology world in general loves to change terminology and create new definitions and new phrases but the business realities generally win out.
2 responses so far ↓
1 John Pescatore: The Myth of The Disappearing Perimeter // Feb 2, 2009 at 1:01 pm
2 Stiennon // Feb 3, 2009 at 4:15 pm
Heck, “Cloud Computing” is closer to the old time share services, like Boeing Computer Services, that I used when fresh out of school.
While I agree that there is no deperimeterization (even my spell checker does not recognize it), I do not credit “the industry” with the blather about it. A few CIO types got together to form the Jericho Forum. They are not supported by the vendors for just the reason you state: there is no business model there.
The analysts I have polled (a short list of ones I respect) are unanimous in agreeing with you.