Myth #2 -- The standard model of perimeter security protects the enterprise
In one sense, this is one of those myths that most practitioners already know to be false. Wherever you look (practitioners working at large enterprises, activists like the New School gang or the Jericho crew, or nearly any security blog), it’s not hard to see consistent criticism of the current working model for security. What's strange is that, in the face of this rough consensus on the failure of the standard model, there is so little progress in addressing the alarming acceleration of publicly reported breaches.
What we see
From our perspective, there’s pretty stark evidence that backs up the claim that the standard model is broken. Despite the huge investment of coin, intellect, and time put into protecting digital assets, we see an alarming rise in the publicly reported rates of data breach. Clearly, the currently conceived notion of "best practice" for the protection of data is not working.
When we look over the large number of data breach events that our customers prevented using DLP, and when we see publicly reported breach events that clearly would have been stopped by our software had we been there, it's hard not to conclude that a central failing of the standard model is that it does not protect the data itself. The standard model does a fine job of protecting the containers of confidential data (firewalls protect the LAN, endpoint protection protects the hosts, access control protects the apps and files), but the data itself is left completely unprotected by these countermeasures.
Instead, what's needed is to focus on protecting the information itself by finding where it is exposed, tracing where it's sent, and knowing how it's being used. This novel approach, widely called "Information Centric Security", represents a challenge to the standard model as well as a practical proposal to stem the tide of damaging large-scale breaches.