
6/10/2015
11:00 AM
Asaf Cidon
Commentary

Why the Firewall is Increasingly Irrelevant

It will take a dramatic reimagining of security to dedicate focus to the areas where company data actually resides. It starts with tearing down the firewall.

Firewalls only protect what work used to be, not what it is today: a distributed collection of employees connected by mobile devices, in turn connected to the cloud. The only way to secure all company data, then, is to extend enterprise-grade security to these employees’ devices and cloud applications. The truth of the matter is that business data is rarely confined to corporate network perimeters anymore. So why are IT professionals still using this vestige of a simpler time?

Inertia has a lot to do with it. Consider the firewall’s long tenure in the enterprise: The firewall first started protecting network perimeters in the late 1980s. Couple that with the amount of sweat that IT puts into it (there’s no need to remind you of how messy firewall implementations can get), and many companies continue to see the firewall as the cornerstone of their security efforts and increase their firewall investments with each new level of security risk. But whether on-prem or next-gen, the firewall increasingly isn’t the cornerstone of security -- and it’s time for IT to take steps to expel it.

Counterpoint: Firewalls Sustain Foundation of Sound Security by Jody Brazil, Co-Founder & CEO, FireMon.

In environments in which the firewall is still considered one of the primary lines of defense, security threats increasingly have a way of creeping in. To truly dedicate focus away from the firewall and into the areas where company data actually resides, it will take a dramatic reimagining of security. That starts with tearing down the firewall.

There are two key aspects of the new security reality that make perimeter-based security so irrelevant:

Data resides on company servers and unsecured employee devices.
Employees are increasingly doing whatever it takes to get their jobs done quickly and conveniently. Often, that means they’re sharing and syncing company data on a cloud like Dropbox or Office 365 from their corporate computers and personal mobile phones or tablets. IT, meanwhile, remains unaware: A recent Ponemon survey found that 81 percent of IT organizations don’t know how much sensitive data resides on mobile devices and the cloud. These devices and cloud sharing applications do not necessarily cross the corporate network at all; instead, they use available public hotspots and high-speed cellular data plans.

Your company data ends up everywhere.
Extrapolate that habit to everyone who works with your company—in-house staff, contractors, suppliers, partners, clients—and it’s clear that data is ending up everywhere. These people need help to secure the data. Worse, when such habits are playing out in the shadows, you can bet that the extra security measures you need (or require) aren’t being implemented.

That, in turn, means that data today is sitting unencrypted—and totally vulnerable—on employee private devices, which hold the same amount of company data that used to be on the network. But the firewall is not protecting them.

Businesses—and enterprises are especially guilty of this—are building a higher and higher wall around their network. However, the data is no longer confined to that network. Instead, reliance on the firewall has increasingly become a noxious threat of its own.

Separating the Truth from the Firewall
Here are three things you can do to transcend the firewall and really protect your organization.

1. Look beyond advances in legacy systems. Even a next-gen firewall with deep-packet inspection and cloud tokenization won’t secure sensitive data uploaded and downloaded into the consumer cloud by employees’ devices. Yes, the latest batch of firewalls are application-aware, so they may prevent company-provisioned devices from accessing certain unapproved cloud applications. But given that employees often choose productivity over regulations, they can still easily access these “must-have” productivity applications using their private devices, either from the outside or by using unregulated cellular data plans.

To protect data as it disperses across the consumer cloud and end-user devices, IT needs a solution that works with the consumer cloud, not against or despite it. The solution should add strong administrative insight and control without disrupting the user experience.

2. Do not add complexity. Another common solution is to enable an enterprise-grade alternative to forbidden consumer-grade applications -- or else to severely restrict the consumer app’s usage. This also rarely works. The reason so many professionals started using Dropbox in the first place is that it lets them get work done quickly; if your add-on security or alternative solution is too onerous, or disrupts the best parts of the cloud, people will find less secure workarounds. We’re past the phase where you force users to change habits, so the challenge instead becomes figuring out how to enable use of these applications in a way that adequately protects sensitive company data.

3. Controls, controls, controls. Security must follow files wherever they go. End-to-end encryption that extends to devices will seal the potential compliance gaps opened by file sync and remote work. A centralized dashboard that lets you see activity within your entire organization will help you observe unusual patterns. You should also be able to block access to data as needed, even for devices that are offline, and remove access to encrypted files.

All of this must happen in the consumer cloud. Server-side encryption isn’t sufficient, nor are enterprise cloud apps with which regular workers refuse to engage. You need to secure company data no matter where it resides. Otherwise, you end up guarding a wall around an empty shell, while your sensitive data remains exposed to all kinds of variables. That, to put it bluntly, is the opposite of security.

 

Asaf Cidon is Vice President, Content Security Services, at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spearphishing and cyber fraud defense. Barracuda Sentinel utilizes artificial ...

Comments
RyonKnight
User Rank: Strategist
6/23/2015 | 7:28:41 AM
Don't denigrate the firewall

Firewalls are still a critical part of a company's defences, and dismissing them as a relic from a bygone era is unhelpful. Yes, you need to consider the modern challenges of cloud and mobile working, but not at the expense of your firewalls. Issues such as company data on personal devices and Dropbox need to be addressed in addition to securing the network with firewalls, not instead of.

I'm also tired of hearing people say that we should shrug our shoulders and accept that employees are going to keep company data on insecure personal devices regardless of company policies and so forth. Simply caving to the whims of users who don't care about security and expecting security professionals to work around them and find solutions is not good for anyone.  Give your security policies some backbone and enforce them.  Give your employees decent IT, at least as good as what they have at home, and make your security policies and guidance sensible and proportionate.  Make mobile device management good enough to secure your data but not intrusive or onerous.  If you do this there is no reason not to expect your users to work remotely in a sensible and secure manner.

Know how the cloud services you use secure your data.  Know what they've got that's yours, where it is, how it is encrypted, backed up, how they'll handle a transfer if you change or quit their service, and so on.

None of this negates the need for firewalls.  The firewall on its own won't keep you safe, but it's a key part of your defence in depth and you'd be foolish not to give it its due.

RayM227
User Rank: Apprentice
6/17/2015 | 12:54:26 AM
It will take a while
I can't picture a real data center functioning without firewalls. As messy as they may be, network firewalls create restricted enclaves to discourage unauthorized access while permitting relatively freer access between enclave components. Server vulnerabilities will always be with us, and firewalls help mitigate them either temporarily or permanently.

A big chunk of the next generation IT workers seems to have a relaxed attitude regarding PII and sensitive information. For example, many I talk to think that keeping SSNs private is a silly and antiquated notion. I have little doubt that we will be seeing more high profile data breaches due to just plain old lack of concern and/or carelessness.

Since data is quite often an organization's most valuable asset, it should be treated as such.   Hence it should be assumed that routinely transmitting bulk data to storage systems not under direct control, and mobile devices, will only eventually compromise an organization's prime assets for the sake of convenience.

This stuff just isn't fun. My career dates back to pre-internet days when we were rolling out applications on closed internal systems. Hacking attacks from China and Russia were unknown and not even contemplated. We were able to expend our energies on innovation, not maddening security issues.  
jweiler021
User Rank: Apprentice
6/12/2015 | 7:52:42 PM
Data volume is essential consideration
You never talk about the volume of data in the various locations that you cite as evidence of decreasing firewall relevance. The amount of sensitive data on mobile devices or cloud storage services is orders of magnitude less than data center servers, for which firewall protection is essential. Simply because the number of sensitive data locations that cannot be protected by firewalls is increasing, does not mean every firewall is less relevant. New protection technologies are certainly needed for these new locations, just as existing technology has some vital role in protecting other locations.
alejoseb
User Rank: Apprentice
6/12/2015 | 6:41:21 PM
Many traditional technologies are not useful anymore
Thank you for your post. I would add that not only firewalls are increasingly irrelevant, many traditional technologies like antivirus software are not useful anymore to protect information assets. Mobile devices, cloud applications and negligent or careless users are jeopardizing this issue. However, your three points are very clear: we do not have to fight the ubiquitous modern technologies (BYOD, cloud apps); instead, we must implement procedures that enable a secure use of these technologies in a hurry, before risky actions become habits that are not easily modifiable, as you state in your second point.