Establishing Digital Trust: Don't Sacrifice Security for Convenience
That's the question some network administrators and security managers have started asking.
With an increasing number of workers going mobile and taking their laptops, smart phones and handhelds on the road with them, the perimeter just isn't the solid wall that it used to be. Add to that the number of consultants and partners who access the corporate network, and the perimeter has become exceedingly porous.
So without a solid perimeter to protect, where does the firewall fit into a company's security arsenal? For years, IT managers protected the network with anti-virus and intrusion detection software and a strong firewall. Are those days over? If there's no one perimeter to stand guard over, does the firewall still factor into a strong enterprise security plan?
Yes, it does, says Paul Stamp, a senior analyst with Cambridge-based Forrester Research, an industry analyst firm. But how the firewall is used, and where it's going to be used, is morphing into a whole new animal.
''I think the firewall, as we used to know it, is becoming less and less useful,'' says Stamp. ''As a principal level of defense, there's most definitely a shift away from that. A lot of corporate people are saying the firewall just isn't enough anymore. It's just not enough to keep the company safe.''
However, just because the firewall doesn't fit into the same security niche that it always has doesn't mean it's not finding a new place.
''The level of sophistication of attackers these days goes way beyond what a traditional firewall is going to be able to stop. The way we do business has changed a lot since the invention of the firewall, so the way we use the firewall has to change,'' adds Stamp. ''The old model of putting the firewall at the perimeter has become defunct... You put them closer to the assets you need to protect. You end up having lots of firewalls.
''Instead of one big firewall, I might potentially have 5,000 firewalls,'' he notes. ''This is the evolution of the firewall.''
Building an Army
What's happening, analysts agree, is that the firewall isn't going to be retired into IT history any time soon. Its role in enterprise security simply is shifting. Without a strong perimeter to protect, having a main firewall is less efficient. There are too many ways around it.
What is needed today is an army of firewalls.
Don't think about it as one company network that needs to be protected, says Scott Crawford, a senior analyst with Enterprise Management Associates, an industry analyst firm based in Boulder, Colo. Focus on protecting the information -- wherever it is.
''Perimeter defenses will not go away. They're transitioning but not going away,'' says Crawford. ''There will always be a need to define a boundary between a trusted network and an untrusted network. The question becomes what's the point of access and what's the method of access? And how much can you trust individual users on the network?''
Crawford says it comes down to securing the endpoint, whether it be a desktop, laptop, PDA or VPN connection.
''What we're really doing is taking security policy enforcement that was most commonly associated with the firewall and putting it on the endpoint itself or at the point of connection. We're also enforcing the type and degree of access that systems have with each other... Where we're putting the firewall has changed and security policy enforcement has changed. Security policy management has become more of the order of the day and the firewall has become a tool of enforcement.''
Eric Maiwald, a senior analyst at the Burton Group, an analyst firm based in Midvale, Utah, says IT needs to make sure that it has a component of the perimeter on all mobile devices.
''If I have a laptop with sensitive data or the ability to get back into our data center, or if I'm traveling with that and have it at hot spots and in hotel rooms, I need to protect that system,'' explains Maiwald. ''I have to provide protection to the information that is accessible through that system... We move the protection out to where it's most needed or where the perimeter actually is.
''In some cases the perimeter may be traveling around,'' he adds. ''The perimeter of the organization still exists. We're not depending entirely on one device, the firewall, for all our perimeter protection. That doesn't mean the firewall itself is a useless device. We're just not going to depend upon it as the only perimeter device and we probably never should have.''
Gregg Mastoras, senior security analyst at Sophos, Inc., an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass., says it's important for IT managers to rethink how they use the firewall and how it fits into their security arsenal... and the sooner the better.
''At this point, the network has never been more vulnerable because of mobile workers,'' says Mastoras. ''All these mobile devices give you excellent access anywhere, anytime, but it also gives excellent access to risks... The perimeter has to be rethought.''
Mastoras agrees with Crawford, adding that IT needs to build a ''shell of security'' around the endpoints.
''True security has to sit at the perimeter and at the desktop,'' he says. ''Any device has to be fully protected. Anti-virus, anti-spam and personal firewalls all have to sit there to create a shell of security for the endpoint... There are all these new pathways into the network. We're in a stage of proliferation. That's not going to slow down so security has to be a fast follower.
''The firewall still has its use, even at the perimeter. Just like you need anti-virus at the perimeter,'' he adds. ''But the notion that that's all you need is dead.''