Endpoint
6/10/2015
11:00 AM
Asaf Cidon
Commentary

Why the Firewall is Increasingly Irrelevant

It will take a dramatic reimagining of security to dedicate focus to the areas where company data actually resides. It starts with tearing down the firewall.

Firewalls only protect what work used to be, not what it is today: a distributed collection of employees connected by mobile devices, in turn connected to the cloud. The only way to secure all company data, then, is to extend enterprise-grade security to these employees’ devices and cloud applications. The truth of the matter is that business data is rarely confined to corporate network perimeters anymore. So why are IT professionals still using this vestige of a simpler time?

Inertia has a lot to do with it. Consider the firewall’s long tenure in the enterprise: firewalls first started protecting network perimeters in the late 1980s. Add the amount of sweat that IT has put into them (there’s no need to remind you how messy firewall implementations can get), and it is no surprise that many companies still see the firewall as the cornerstone of their security efforts and keep increasing their firewall investment as the level of risk rises. But whether on-prem or next-gen, the firewall is less and less the cornerstone of security -- and it’s time for IT to take steps to expel it.

Counterpoint: Firewalls Sustain Foundation of Sound Security by Jody Brazil, Co-Founder & CEO, FireMon.

In environments in which the firewall is still considered one of the primary lines of defense, security threats increasingly have a way of creeping in. To truly dedicate focus away from the firewall and into the areas where company data actually resides, it will take a dramatic reimagining of security. That starts with tearing down the firewall.

There are two key aspects of the new security reality that make perimeter-based security so irrelevant:

Data resides on company servers and unsecured employee devices.
Employees are increasingly doing whatever it takes to get their jobs done quickly and conveniently. Often, that means they’re sharing and syncing company data on a cloud service like Dropbox or Office 365 from their corporate computers and from personal mobile phones or tablets. IT, meanwhile, remains unaware: a recent Ponemon survey found that 81 percent of IT organizations don’t know how much sensitive data resides on mobile devices and in the cloud. These devices and cloud-sharing applications often never touch the corporate network at all; they use whatever public hotspot or high-speed cellular data plan is available.

Your company data ends up everywhere.
Extrapolate that habit to everyone who works with your company (in-house staff, contractors, suppliers, partners, clients) and it’s clear that data is ending up everywhere. These people need help to secure the data. Worse, when such habits are playing out in the shadows, you can bet that the extra security measures you need (or require) aren’t being implemented.

That, in turn, means that data today is sitting unencrypted—and totally vulnerable—on employee private devices, which hold the same amount of company data that used to be on the network. But the firewall is not protecting them.

Businesses—and enterprises are especially guilty of this—are building a higher and higher wall around their network. However, the data is no longer confined to that network. Instead, reliance on the firewall has increasingly become a noxious threat of its own.

Separating the Truth from the Firewall
Here are three things you can do to transcend the firewall and really protect your organization.

1. Look beyond advances in legacy systems. Even a next-gen firewall with deep-packet inspection and cloud tokenization won’t secure sensitive data that employees’ devices upload to and download from the consumer cloud. Yes, the latest batch of firewalls is application-aware, so they may prevent company-provisioned devices from accessing certain unapproved cloud applications. But given that employees often choose productivity over regulations, they can still easily reach these “must-have” productivity applications from their private devices, either from outside the network or over unregulated cellular data plans.

To protect data as it disperses across the consumer cloud and end-user devices, IT needs a solution that works with the consumer cloud, not against or despite it. The solution should add strong administrative insight and control without disrupting the user experience.

2. Do not add complexity. Another common solution is to enable an enterprise-grade alternative to forbidden consumer-grade applications -- or else to severely restrict the consumer app’s usage. This also rarely works. The reason so many professionals started using Dropbox in the first place is that it lets them get work done quickly; if your add-on security or alternative solution is too onerous, or disrupts the best parts of the cloud, people will find less secure workarounds. We’re past the phase where you force users to change habits, so the challenge instead becomes figuring out how to enable use of these applications in a way that adequately protects sensitive company data.

3. Controls, controls, controls. Security must follow files wherever they go. End-to-end encryption that extends to devices will seal the potential compliance gaps opened by file sync and remote work. A centralized dashboard that lets you see activity within your entire organization will help you observe unusual patterns. You should also be able to block access to data as needed, even for devices that are offline, and remove access to encrypted files.

All of this must happen in the consumer cloud. Server-side encryption isn’t sufficient, nor are enterprise cloud apps with which regular workers refuse to engage. You need to secure company data no matter where it resides. Otherwise, you end up guarding a wall around an empty shell, while your sensitive data remains exposed to all kinds of variables. That, to put it bluntly, is the opposite of security.
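As an added illustration (not Sookasa’s code or anything from the article), here is a Python sketch of “security follows the file”: the ciphertext can sit in any consumer cloud, while a constructed key service decides which device may unwrap the file key, so revoking a device turns its synced copies into unreadable bytes. The cipher is a toy HMAC-SHA256 keystream with encrypt-then-MAC, standing in for a real AEAD; the file ids and device names are made up.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

class KeyService:
    """Constructed stand-in for the central control plane: it holds per-file keys and
    the devices allowed to unwrap them, but never sees file contents."""
    def __init__(self):
        self._keys = {}    # file_id -> 32-byte data key
        self._grants = {}  # file_id -> set of device ids
    def register(self, file_id, key, devices):
        self._keys[file_id] = key
        self._grants[file_id] = set(devices)
    def revoke(self, file_id, device):
        # The synced ciphertext is untouched; the device just loses the right to the key.
        self._grants.get(file_id, set()).discard(device)
    def fetch_key(self, file_id, device):
        if device not in self._grants.get(file_id, set()):
            raise PermissionError(f"{device} may not open {file_id}")
        return self._keys[file_id]

def _subkeys(key):
    # Separate keystream and MAC keys derived from the file's data key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_file(key, plaintext):
    """Client-side encryption before upload: toy HMAC-CTR keystream, encrypt-then-MAC."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt_file(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def open_on_device(service, file_id, device, blob):
    """A device's read path: the access check lives at the key service, decryption is local."""
    return decrypt_file(service.fetch_key(file_id, device), blob)
```

The caveat for the “even offline” claim: a device that cached the data key while online keeps it, so revocation of offline devices depends on short key lifetimes and on a client that discards keys when the session ends.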


Asaf Cidon is the co-founder and CEO of cloud security company Sookasa. He founded Sookasa with the mission of enabling safe adoption of popular cloud services such as Dropbox to store sensitive information. He previously worked on the web search engineering team at Google ...

Comments
RyonKnight,
User Rank: Strategist
6/23/2015 | 7:28:41 AM
Don't denigrate the firewall

Firewalls are still a critical part of a company's defences, and dismissing them as a relic from a bygone era is unhelpful.  Yes, you need to consider the modern challenges of cloud and mobile working, but not at the expense of your firewalls.  Issues such as company data on personal devices and Dropbox need to be addressed in addition to securing the network with firewalls, not instead of.

I'm also tired of hearing people say that we should shrug our shoulders and accept that employees are going to keep company data on insecure personal devices regardless of company policies and so forth. Simply caving to the whims of users who don't care about security and expecting security professionals to work around them and find solutions is not good for anyone.  Give your security policies some backbone and enforce them.  Give your employees decent IT, at least as good as what they have at home, and make your security policies and guidance sensible and proportionate.  Make mobile device management good enough to secure your data but not intrusive or onerous.  If you do this there is no reason not to expect your users to work remotely in a sensible and secure manner.

Know how the cloud services you use secure your data.  Know what they've got that's yours, where it is, how it is encrypted, backed up, how they'll handle a transfer if you change or quit their service, and so on.

None of this negates the need for firewalls.  The firewall on its own won't keep you safe, but it's a key part of your defence in depth and you'd be foolish not to give it its due.

RayM227,
User Rank: Apprentice
6/17/2015 | 12:54:26 AM
It will take a while
I can't picture a real data center functioning without firewalls. As messy as they may be, network firewalls create restricted enclaves to discourage unauthorized access while permitting relatively freer access between enclave components. Server vulnerabilities will always be with us, and firewalls help mitigate them either temporarily or permanently.

A big chunk of the next generation IT workers seems to have a relaxed attitude regarding PII and sensitive information. For example, many I talk to think that keeping SSNs private is a silly and antiquated notion. I have little doubt that we will be seeing more high profile data breaches due to just plain old lack of concern and/or carelessness.

Since data is quite often an organization's most valuable asset, it should be treated as such.   Hence it should be assumed that routinely transmitting bulk data to storage systems not under direct control, and mobile devices, will only eventually compromise an organization's prime assets for the sake of convenience.

This stuff just isn't fun. My career dates back to pre-internet days when we were rolling out applications on closed internal systems. Hacking attacks from China and Russia were unknown and not even contemplated. We were able to expend our energies on innovation, not maddening security issues.  
jweiler021,
User Rank: Apprentice
6/12/2015 | 7:52:42 PM
Data volume is an essential consideration
You never talk about the volume of data in the various locations that you cite as evidence of decreasing firewall relevance. The amount of sensitive data on mobile devices or cloud storage services is orders of magnitude less than data center servers, for which firewall protection is essential. Simply because the number of sensitive data locations that cannot be protected by firewalls is increasing, does not mean every firewall is less relevant. New protection technologies are certainly needed for these new locations, just as existing technology has some vital role in protecting other locations.
alejoseb,
User Rank: Apprentice
6/12/2015 | 6:41:21 PM
Many traditional technologies are not useful anymore
Thank you for your post. I would add that not only are firewalls increasingly irrelevant, but many traditional technologies like antivirus software are not useful anymore to protect information assets. Mobile devices, cloud applications and negligent or careless users are jeopardizing this issue. However, your three points are very clear: we do not have to fight the ubiquitous modern technologies (BYOD, cloud apps); instead, we must implement procedures that enable a secure use of these technologies in a hurry, before risky actions become habits that are not easily modifiable, as you state in your second point.