Firewalls only protect what work used to be, not what it is today: a distributed collection of employees connected by mobile devices, in turn connected to the cloud. The only way to secure all company data, then, is to extend enterprise-grade security to these employees’ devices and cloud applications. The truth of the matter is that business data is rarely confined to corporate network perimeters anymore. So why are IT professionals still using this vestige of a simpler time?
Inertia has a lot to do with it. Consider the firewall’s long tenure in the enterprise: The firewall first started protecting network perimeters in the late 1980s. Couple that with the amount of sweat that IT puts into it (There’s no need to remind you of how messy firewall implementations can get.) many companies continue to see the firewall as the cornerstone of their security efforts and increase the firewall investments with the new level of security risks. But whether on-prem or next-gen, the firewall increasingly isn’t the cornerstone of security -- and it’s time for IT to take steps to expel it.
Counterpoint: Firewalls Sustain Foundation of Sound Security by Jody Brazil, Co-Founder & CEO, FireMon.
In environments in which the firewall is still considered one of the primary lines of defense, security threats increasingly have a way of creeping in. To truly dedicate focus away from the firewall and into the areas where company data actually resides, it will take a dramatic reimagining of security. That starts with tearing down the firewall.
There are two key aspects of the new security reality that makes perimeter-based security so irrelevant:
Data resides on company servers and unsecured employee devices.
Employees are increasingly doing whatever it takes to get their jobs done quickly and conveniently. Often, that means they’re sharing and syncing company data on a cloud like Dropbox or Office 365 from their corporate computers and personal mobile phones or tablets. IT, meanwhile, remains unaware: A recent Ponemon survey found that 81 percent of IT organizations don’t know how much sensitive data resides on mobile devices and the cloud. These devices and cloud sharing applications do not necessarily even cross the corporate network at all and use available public hotspots and high-speed cellular data plans.
Your company data ends up everywhere.
Extrapolate that habit to all everyone who works with your company—from in-house staff, contractors, suppliers, partners, clients—and it’s clear that data is ending up everywhere. These people need help to secure the data. Worse, when such habits are playing out in the shadows, you can bet that the extra security measures you need (or require) aren’t being implemented.
That, in turn, means that data today is sitting unencrypted—and totally vulnerable—on employee private devices, which hold the same amount of company data that used to be on the network. But the firewall is not protecting them.
Businesses—and enterprises are especially guilty of this—are building a higher and higher wall around their network. However, the data is no longer confined to that network. Instead, reliance on the firewall has increasingly become a noxious threat of its own.
Separating the Truth from the Firewall
Here are three things you can do to transcend the firewall and really protect your organization.
1. Look beyond advances in legacy systems. Even a next-gen firewall with deep-packet inspection and cloud tokenization won’t secure sensitive data uploaded and downloaded into the consumer cloud by employees’ devices. Yes, the latest batch of firewalls are application-aware, so they may prevent company-provisioned devices from accessing certain unapproved cloud applications. But given that employees often choose productivity over regulations, they can still easily access these “must-have” productivity applications using their private devices, either from the outside or by using unregulated cellular data plans.
To protect data as it disperses across the consumer cloud and end-user devices, IT needs a solution that works with the consumer cloud, not against or despite it. The solution should add strong administrative insight and control without disrupting the user experience.
2. Do not add complexity. Another common solution is to enable an enterprise-grade alternative to forbidden consumer-grade applications -- or else to severely restrict the consumer app’s usage. This also rarely works. The reason so many professionals started using Dropbox in the first place is that it lets them get work done quickly; if your add-on security or alternative solution is too onerous, or disrupts the best parts of the cloud, people will find less secure workarounds. We’re past the phase where you force users to change habits, so the challenge instead becomes figuring out how to enable use of these applications in a way that adequately protects sensitive company data.
3. Controls, controls, controls. Security must follow files wherever they go. End-to-end encryption that extends to devices will seal the potential compliance gaps opened by file sync and remote work. A centralized dashboard that lets you see activity within your entire organization will help you observe unusual patterns. You should also be able to block access to data as needed, even for devices that are offline, and remove access to encrypted files.
All of this must happen in the consumer cloud. Server-side encryption isn’t sufficient, nor are enterprise cloud apps with which regular workers refuse to engage. You need to secure company data no matter where it resides. Otherwise, you end up guarding a wall around an empty shell, while your sensitive data remains exposed to all kinds of variables. That, to put it bluntly, is the opposite of security.