NEWS
Energy group BP has shifted thousands of its employees off its LAN in an attempt to repel organised cyber criminals.
Rather than rely on a strong network perimeter to secure its systems, BP has decided that its laptops have to be capable of coping with the worst that malicious hackers can throw at them, without the protection of a network firewall.
Ken Douglas, technology director of BP, told the UK Technology Innovation & Growth Forum in London on Monday that 18,000 of BP's 85,000 laptops now connect straight to the internet even when they're in the office.
Douglas said: "Hackers and virus writers have been a problem for years. But today there are very well-organised gangs in Russia, China and Brazil, with large teams and large server-farms, that are determined to get their hands on our internal data and our users' identities.
"Typically, companies use a firewall and assume that the local area network is secure. But we've come to the conclusion that the LAN has to go."
A laptop may be protected by a top-of-the-range firewall when it is plugged into the office network, but that protection is of no use once an employee connects from an unsecured wi-fi hotspot.
BP is a founder member of The Jericho Forum, which is pushing for the 'de-perimeterisation' of security. This means encouraging the security industry to help companies secure every part of their networks rather than just the points where they face the outside world.
Douglas explained that BP is putting this approach into action. "We've moved 18,000 of our 85,000 laptops to an environment where they link to the internet by default," he said, adding that BP believes it can "harden them" to the dangers of the web.
Graeme Wearden writes for ZDNet UK
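The article's point that a laptop's protection cannot depend on which network it happens to be plugged into has an operational corollary for a machine that sits straight on the internet: every socket bound to a wildcard or routable address is reachable by anyone, because no perimeter device stands in front of it. The following Python audit is an added example, not code from BP, the Jericho Forum or ZDNet. It assumes the output format of Linux `ss -H -ltnp` (TCP listeners, numeric addresses, header suppressed, process names); the sample output embedded in it is constructed. It reports every TCP listener not bound to loopback, minus an optional allow-list of ports the machine is meant to serve.

```python
"""Listening-socket audit for a laptop that connects straight to the internet.

Added example, not code from BP, the Jericho Forum or ZDNet.  Assumes the
Linux `ss -H -ltnp` output format (TCP listeners, numeric addresses, no
header, process names); SAMPLE_SS_OUTPUT below is constructed.  With no
perimeter firewall in front of the host, any socket bound to a wildcard or
routable address is reachable from the internet, so the audit treats every
listener not bound to loopback as exposed unless its port is allow-listed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -H -ltnp` output (State Recv-Q Send-Q Local Peer Process).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:631     0.0.0.0:* users:(("cupsd",pid=640,fd=7))
LISTEN 0 50   *:445             *:*       users:(("smbd",pid=901,fd=31))
LISTEN 0 128  [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 128  [::1]:5432        [::]:*    users:(("postgres",pid=1200,fd=5))
LISTEN 0 4096 192.168.1.20:8080 0.0.0.0:* users:(("python3",pid=1555,fd=3))
"""

# First process name and pid inside the users:(("name",pid=N,fd=M)) field.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    address: str  # as printed by ss, brackets stripped; '*' means any interface
    port: int
    process: str


def _split_addr_port(field: str) -> tuple[str, int]:
    """Split ss's 'addr:port' / '[v6addr]:port' field on the last colon."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def parse_listeners(ss_output: str) -> list[Listener]:
    """Parse LISTEN rows from `ss -H -ltnp`; other rows and blank lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        host, port = _split_addr_port(parts[3])  # Local Address:Port column
        m = PROCESS_RE.search(line)
        listeners.append(Listener(host, port, m.group(1) if m else "?"))
    return listeners


def is_exposed(listener: Listener) -> bool:
    """True unless the socket is bound to a loopback address.

    '*', 0.0.0.0 and :: bind every interface, and a specific non-loopback
    address (LAN, link-local or public) is reachable by anyone on that link;
    with the host directly on the internet there is no firewall in between.
    """
    if listener.address in ("*", ""):
        return True
    return not ipaddress.ip_address(listener.address).is_loopback


def _display(listener: Listener) -> str:
    addr = listener.address
    if ":" in addr:  # IPv6: print with brackets, as ss does
        addr = f"[{addr}]"
    return f"{addr}:{listener.port}"


def audit(ss_output: str, allowed_ports: frozenset[int] = frozenset()) -> list[str]:
    """One finding per exposed listener whose port is not on the allow-list."""
    return [
        f"{l.process} listening on {_display(l)}"
        for l in parse_listeners(ss_output)
        if is_exposed(l) and l.port not in allowed_ports
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, allowed_ports=frozenset({22})):
        print("EXPOSED:", finding)
```

On a laptop that is meant to live directly on the internet, the expected result is an empty list. Anything the audit does report is a service the office firewall used to hide; it either needs to be bound to a loopback address or blocked by the host's own firewall, because nothing else will stand between it and the network the laptop is on.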
Comments
There are 28 comments.
1. Steve Berry
Talk about being extremely risky!
From the info supplied, I completely fail to understand the rationale behind this.
If Corps do this, and even *one* of those machines gets compromised (assuming a basic software config for all) they'll *all* be compromised.
They're relying very heavily on existing client based firewall products.
If an exploit is found on the firewall products they're using (as is possible), they'll be leaving themselves way too open and we're talking a multinational Corp here which should be exhibiting a highly responsible set of ethics! Not to mention the admin costs of securing 18,000 directly connected laptops.
I'd rather have a standardised perimeter/DMZ firewall based setup where if security is breached, at least they should have the processes/procedures in place to track where the problem was and take the appropriate action to harden the network accordingly.
2. Steve Berry
I could be wrong, but I think BP are playing "politics" and "accountability" here. Seems to me they're having trouble finding the right security "types" and rather than take internal responsibility for their own security they're effectively "passing the buck" to the providers of the products they're using. i.e. If our network is compromised because of your products we'll hold you responsible.
Why don't they consider spending a part of their considerably large financial resources to set up IDS/"honeypots/nets" (as MS have done) if they're that concerned about security and employ proper "security types" to look after their network/create a "forward thinking" strategy that has a more reasonable chance of standing the test of time than this "effort ???" does?
I'd really like to see the evidence of exactly how they came to this conclusion.
"BP believes it can "harden them" to the dangers of the web" does it ???
The only feasible way you're going to be able to do that is to unplug the network cards !
3. Steve Berry
Oh and another thing !
One of the most basic/simple tenets of IT Security is the concept of minimising the "attack surface" and creating a traceable infrastructure to allow potential breaches to be monitored.
What BP are effectively saying is "Oh, we really don't care about the attack surface". We've got 18,000 laptops we're just going to make available to hackers. We're so confident in firewalls we're willing to risk our business on it.
They're going against years of toil and sweat in the field of security based research based on what ???
Well all I can say is good luck.
Why won't I be surprised if the time comes that some poor unfortunate sod(s) from BP gets his/her/their books over this!
You guys/gals *really* need to take another look at what you're doing, research it and think it through.
What you're proposing is just plain nuts !
4. anonymous
Consumerisation of corporate computing is a future evolution. BP happens to be trying out tomorrow's operating context today. I hope that the maturity of technology and user accountability is sufficient to sustain reliable operations in today's threat environment.
5. Steve Berry
What happens if there's a config failure on the clients (Group Policy for example) and firewall settings if using MS's default firewall product aren't applied? Oops - there you go Mr/Mrs Hacker.
When was the last time you looked at an XP box and how many Security Updates MS have released ?
There's also the question of extremely heavy reliance on constantly patching 18,000 external facing boxes.
What happens when MS release their next client ?
Going to put a helluva lot of strain on your Win AD admins.
Try covering it up all you like. Basically what you're doing just isn't very good/doesn't make a whole lot of sense.
You're not concentrating on the root cause of the problem - i.e. your problematic network.
You're making a bad problem even worse.
6. anonymous
There are many great reasons for simply doing yesterday's stuff cheaper today, and of course for a predictable life it's safer to operate in the IT industry comfort zone.
There are very few truly innovative organisations that really push the boundaries to help create tomorrow's stuff, and I applaud BP for trying. Right or wrong, good or bad AT LEAST THEY ARE TRYING.
7. Steve Berry
This has absolutely nothing whatsoever to do with "yesterday's stuff" cheaper today or operating in the IT Industry "comfort zone" - there is no such thing BTW.
I *may* not have a problem with what BP are doing *IF* they published more detail about why they're doing it - which they'll no doubt be reluctant to do as we're dealing with a sensitive subject.
Let's ask ourselves a few questions:
1-How are they going to monitor external intrusions with 18,000+ external facing boxes? Are they even going to bother or is that part of the reason why they're doing what they are - so they don't have to bother?
2-What happens *if* one of those boxes fail ?
3-Where is the logic in allowing 18,000+ potential "entry points" ?
If you think about this as a "fortified castle" with 18,000+ "sentries" how can they be sure that not one of them is going to "fall asleep" through a hardware/software/configuration failure ?
Let's forget about the hardware/software and look at this from a military planner's perspective.
Increased admin costs/burden associated with looking after 18,000+ "sentries". You've got patching to consider, machine lockdown, at the moment spyware issues, new client updates - e.g. 2K->XP->Vista ad infinitum....
8. anonymous
Next they will be considering using AOL for their email systems. Or maybe they already have.....
9. bob
Certain amount of logic, if users can connect through Wifi or other insecure networks, then those laptops need to be hardened. Harden all the laptops so that they are resilient to that threat, then they are even more secure when connecting on the friendly LAN.
Can't fault that logic...
Bob
10. anonymous
Why not. Most hackers concentrate on LANs and how to break through the LAN securities in place. Individual computers seem to just be regular computers to the outside world and hackers and may be bypassed. Too early to tell though.
11. Kirit
Steve Barry, you seem to be missing the point. The laptops are going to end up getting plugged in at WiFi points all over the place, home networks, client's networks, basically anywhere.
The point here is that whenever the laptop is plugged in to an unsafe network they are relying totally on the laptop's own defenses anyway. What they're not going to do is then allow that laptop back in behind their corporate defenses. If the laptop is compromised then it doesn't get a quick route behind the main corporate firewalls. The laptop is on the Internet and has to stay there forever, never getting privileged access to BP's other systems.
12. anonymous
I think Steve and the other person really missed BP's point, it's their way of downsizing again. Take it from one who was there when BP bought Amoco. We were told that there were no layoffs in the IT department, oops, '99 saw a large shift to outside vendors doing all of the in house work. I was one.
After 20 years I said no thanks and left but the handwriting was on the wall.
13. anonymous
If connected directly to the Internet, how does the admin handle filtering Internet content? Even if the corporation is not concerned about "fantasy sports" sites and their potential impact on productivity, what about inappropriate content? I thought the corporation must try to offer a safe work environment free of "inappropriate popups". And what about downloading dangerous content from the Internet or accessing public mail sites from the Internet? Are we saying that people at work are no longer acting as "agents" of the company and therefore the company is no longer responsible for what they do on the Internet while working?
I'm assuming that once connected to the Internet, the laptop user would have to use VPN to access office resources and once connected, their access can be controlled. But if they disconnect VPN, aren't they now back in the wild?
14. anonymous
Looks like BP will soon have a good number of IT jobs coming available. Anyone interested in working for a company that want to throw away billions of pounds?
15. anonymous
One of the most basic tenets of security is 'Security in Depth'. By all means make the PRIMARY security posture desktop OS hardening and personal firewalls, but why REMOVE the perimeter firewall?
Makes no sense.
16. Robert Couch
It's almost the idea of Anonymity on the web...
It has been proven time and time again, that hackers can successfully locate large corporate infrastructures, and then try to compromise them. It is my opinion that BP is trying the opposite - if you lose the large infrastructure, then there's no "Target" to hackers - thus increasing security through anonymity. However, this does create other problems, such as administrator headache with the loss of central administration.
It's a neat idea, and I'm sure other people have thought about it, BP is just the first reported case of following through with such a plan that I've seen reported about. I, for one, am interested in the developments in this security practice.
17. anonymous
What BP is doing makes complete sense. Instead of fighting the battle on two fronts, they are just treating laptops as insecure devices. This reduces the complexity of the whole problem. It does not reduce their ability to track issues, or determine cause.
The biggest problem they face now, is how to provide a sufficient level of access to their laptop users to ensure they can still achieve their productivity levels, without compromising on overall security. Possible, but difficult.
18. anonymous
This is crazy. It is common knowledge that external perimeter firewalls are not enough to protect a network but bypassing them and relying solely on client firewalls does not make much sense either. The sensible approach is a multilayered approach to secure both the perimeter and the client with different firewall/security products. These products address the same security problem from different aspects to help protect the systems when they are on the LAN and when they aren't. I'm not sure what the IT security folks at BP are thinking but it can't be good for their network.
19. anonymous
This is a great idea. First, you remove a significant admin burden by making the machines always 'remote' - no need for separate configs and none of those hated calls to the helpdesk from users having connectivity problems because either the client firewall is still active or their internet connectivity isn't working.
Second, you become more aware of the security risks by having machines always potentially under attack as opposed to becoming complacent about those laptops that never leave the office. One day your CEO will actually take his laptop home with him and that's when you'll wish you were more diligent.
20. James Thornton
Steve, you're making vast, sweeping generalisations about the client and domain config (you are of course assuming they use AD) that they are using, when you know nothing about the way their clients and their server infrastructure are configured. After all, these days the so-called "perimeter" is nothing. Nice hard shell round a squishy middle. An incorrectly configured corporate firewall is many times worse than a correctly configured, updated external client.
How many ports are open on YOUR firewall? And how many do you think are required for your systems to be owned?
And IDS and honeypots? Do me a lemon - that stuff is prehistoric - honeypots are just asking for trouble (both legal and technical), and an incorrectly configured IDS system is a lovely way to gain access to all systems on your network.
BP is just extending the "no such thing as DMZ and perfect perimeters" theory which is rapidly becoming proven fact.
21. anonymous
Mr. Berry misses the point of the article. BP is only doing this for laptops, which can be moved inside or outside of the corporate firewall at will. You cannot rely on the corporate firewall for this class of computers. Our company has implemented a third party firewall solution on our laptops, which is configurable by a central console - when the laptop connects to the corporate network, firewall policies are downloaded for that machine. But this is only one piece of the security solution: anti-virus/spyware, VPN, browser configuration lockdown, patch updates, etc. I don't see the value in bypassing the LAN when laptops are on the company network though.
22. Rich T
I understand what BP is doing and it makes sense. The only issue with this as Mr. Berry has pointed out is the high cost of making sure all the laptops are properly protected, but this should already be part of their IT strategy.
The only people who may be upset about this are the hackers trying to get in or the employees who may find it more difficult to access some internal systems.
It does seem a bit risky in the sense that it would be difficult to prevent a user from plugging into the network anyway unless they are keeping track of all MAC Addresses and determining the connection based on MAC Address. That would be additional overhead to deal with.
23. Chris K.
This reminds me of a few years ago when a UK company got fed up and basically got rid of all corporate e-mail.
I think this is simply laziness under the guise of "security maturity". We'll see how it works out for them. There will be a major loss in productivity but with the recent advancements in Microsoft's information sharing products (like the new version of Office, SharePoint, etc.) and other groupware products, who knows, maybe this could be the way to go in the future.
Man I'm sure glad I'm not supporting those guys.
24. anonymous
I agree with those who say that a lot of people don't get it.
If you have laptops that are out on the road more than half the time, you are blinding yourself by thinking that you have security by connecting directly to the LAN. You still protect your servers behind a firewall, but force everyone to connect via a VPN, just like they do when they are from the outside. If a laptop does get infected, it won't bring the infection inside the LAN by directly connecting to it. It makes a lot of sense. If you question how the client firewalls and other security software can get updated, I hope you have already answered that question when allowing laptops to connect to your network from outside.
25. anonymous
"BP is just extending the "no such thing as DMZ and perfect perimeters" theory which is rapidly becoming proven fact."
As a founding member of Jericho, I can imagine they have to do something.
What BP is doing is getting rid of one DMZ - the interface between the users and the corporate network - and simply saying that they will treat their laptop users as hostile.
When BP removes the DMZ from around their precious data centers, it will be time for a closer look. At the moment, it's simply something to keep an eye on.
I'm curious to see a ROI on this - 18k users with "can't get to the DC" problems will be an interesting problem to solve, and I don't see any savings on the local infrastructure side.
26. Patrick Dooley
In a way they are right. It probably is a good idea that we all think that the access point (Display, Print or whatever) is the weakest link. This approach leads to securing your data repositories, transport infrastructure, and applications from every direction and I like that.
Peace
27. Chris Elvidge
So, my laptop (fully hardened) connects directly to the internet over a ~2Mb link.
My server also connects to the internet over a ~2Mb link. To get data from the server I'm limited to 2Mb.
A bit of a comedown from my usual Gb ethernet connection.
And how do I get a new set of 18000 routable (85000 if all goes well, I assume) IP addresses - what a waste of (address) space.
28. anonymous
It is a way of thinking. When moving all corporate workstations out to the Internet and treating all of them as hostile ones ... the corporate LAN becomes a clearly defined and highly protected resource where only 'server side' services reside.
It challenges a way of thinking about security - can a global corporate LAN/WAN really be secure? What is the real difference when a laptop is in/out of the corporate LAN?
Let us see how they will handle that.