A proxy-based model for externalizing and enforcing security policy is the right approach, and it is becoming more, not less, relevant.
To be clear, I’m not just talking about network traffic proxies. I mean everywhere up and down the IT stack. For example, when web users talk to web applications, we use load controllers, web access management gateways and web application firewalls to apply network and operational policy. All of these technologies allow us to inject our policy as traffic goes back and forth.
Ditto for web proxies, URL filtering and web security gateways enabling us to interpose policy between users and the web as they surf.
Ditto for SOA gateways (e.g. Amberpoint, Layer7, SOA Software, DataPower and so on) between services.
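To make the "inject policy as traffic goes back and forth" idea concrete, here is an added example (not code from the original post or from any of the products named above): a minimal HTTP reverse proxy whose policy lives in a data structure outside the application, evaluated once on the inbound request and once on the outbound response. The policy rules, the `UPSTREAM` address and the constructed sample requests are all assumptions for illustration.

```python
import re
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request as UrlRequest, urlopen


@dataclass
class Request:
    method: str
    path: str
    headers: dict      # keys normalised to lower case by the caller
    body: bytes = b""


@dataclass
class Decision:
    allow: bool
    reason: str


# Constructed sample policy. It is data, not application code, so it can be
# changed at the proxy without touching the application behind it.
POLICY = {
    "allowed_methods": {"GET", "POST"},
    "deny_path_patterns": [r"^/admin(/|$)", r"\.\./"],
    "require_header": "authorization",
    "max_body_bytes": 4096,
    "strip_response_headers": {"server", "x-powered-by"},
}


def evaluate_request(req: Request, policy: dict = POLICY) -> Decision:
    """Inbound policy: decide before the request ever reaches the application."""
    if req.method not in policy["allowed_methods"]:
        return Decision(False, f"method {req.method} not allowed")
    for pat in policy["deny_path_patterns"]:
        if re.search(pat, req.path):
            return Decision(False, f"path matches denied pattern {pat!r}")
    if policy["require_header"] not in req.headers:
        return Decision(False, f"missing {policy['require_header']} header")
    if len(req.body) > policy["max_body_bytes"]:
        return Decision(False, f"body of {len(req.body)} bytes exceeds limit")
    return Decision(True, "allowed")


def filter_response_headers(headers: dict, policy: dict = POLICY) -> dict:
    """Outbound policy: drop headers the application should not leak to users."""
    return {k: v for k, v in headers.items()
            if k.lower() not in policy["strip_response_headers"]}


UPSTREAM = "http://127.0.0.1:8080"   # assumed address of the protected application


class PolicyProxy(BaseHTTPRequestHandler):
    """Minimal reverse proxy that applies POLICY on the way in and on the way out."""

    def _handle(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        req = Request(self.command, self.path,
                      {k.lower(): v for k, v in self.headers.items()}, body)
        decision = evaluate_request(req)
        if not decision.allow:
            # Policy violation: answer here, the application never sees it.
            self.send_response(403)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(decision.reason.encode())
            return
        # Allowed: forward to the upstream application and relay its answer.
        upstream = UrlRequest(UPSTREAM + self.path, data=body or None,
                              headers=req.headers, method=self.command)
        try:
            with urlopen(upstream) as resp:
                status, hdrs, payload = resp.status, dict(resp.headers), resp.read()
        except HTTPError as e:
            status, hdrs, payload = e.code, dict(e.headers), e.read()
        self.send_response(status)
        for k, v in filter_response_headers(hdrs).items():
            if k.lower() not in ("transfer-encoding", "content-length"):
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = _handle


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), PolicyProxy).serve_forever()
```

The point is the separation: `evaluate_request` and `filter_response_headers` are the externalized policy, and the handler is only the interposition point. A WAF, an access management gateway or an SOA gateway is the same shape with a much richer rule language behind the same two hooks.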
Conceptually, it’s the same with virtualization and the APIs that enable the enforcement of security policy for virtual machines. If you think about it, the hypervisor / virtual machine monitor layer is like a proxy. This layer mediates all of the requests for memory, network, storage and so on. Introspection techniques and VMM-level APIs such as VMsafe let us inject policy here as well – both for server *and* desktop workloads.
Increasingly we don’t own or control all of the pieces of IT (the users, the devices, the components, the services, etc.) that are composed together to build a system. Are proxy-based models the best way to ensure the application of security policy moving forward? I believe in most cases they will be.