Phil Windley makes great points in an interview on relating security mechanisms to identity instead of Maginot lines, errr, I mean perimeters.
"In medieval times," Windley begins, "strong walls and moats surrounded great cities." He observes that the well-secured city gates became serious bottlenecks on market days but that people saw their fortifications as the only way to protect themselves. "The walls were not broken down by enlightened thinking about how markets should work," Windley continues, but rather by the emergence of the trebuchet: the gravity-powered catapult, far more efficient than earlier designs, which made it much more cost-effective to destroy walls than to build them. Security for cities had to be redefined, not in terms of withstanding siege but in terms of active engagement of the enemy."Modern corporations are the walled cities of our time," Windley argues, with a siege mentality of defense against cyber-attack—a view that leads to cumbersome and ultimately ineffective measures that are familiar to every IT administrator. At the level of individual users, password expiration and complexity rules lead to Post-it notes on monitors that put people's passwords out in plain sight; at the level of enterprise installations, firewalls accumulate application-specific exception rules that vitiate their protections.
Hard to conduct business when you have a siege mentality.