Some interesting comment on BP’s new deperimeterisation moves (more information here).
I’d agree with the sentiments expressed in TaoSecurity. I agree with the Jericho Forum’s position that every device should be able to stand on its own from a security perspective; however, the idea of deliberately weakening the security afforded to laptops by connecting them directly to the Internet when they’re on the corporate LAN seems like a very bad plan, as it needlessly reduces the number of layers of protection afforded to them.
Also, it renders the security of the laptops very brittle, so if, for example, there is a problem with a change deployed to these devices which leaves them vulnerable to an attack, they won’t have the safety net of being behind a corporate firewall to allow the IT team time to fix the problem before it has an impact.
I’ve also been thinking, how is this going to work in practice? If the laptops are on the Internet, surely they’ll need to connect to corporate IT assets, so they’ll need a VPN tunnel into the company. Also, surely BP will still want to take advantage of centralised web site monitoring, email anti-virus, etc. So all the traffic from these laptops sitting in corporate offices will go through a VPN tunnel back into the corporate LAN, then potentially back out onto the Internet. Surely that’s not a great plan from a cost perspective.