Rik Ferguson

Job title:
Solutions architect, Trend Micro

Areas of expertise:
Solution architecting and documentation, Data Leakage Prevention (DLP), Network Security, Intrusion Prevention (IPS), Anti-Virus, Content Security, IP, TCP, UDP, SMTP, POP3, HTTP, FTP, DNS, IDS, IPS, Sniffer, Ethereal

Biography:
Security cleared, CISSP-ISSAP & CCNA certified, bilingual network security professional with experience in demanding environments. Rik is currently solutions architect with Trend Micro, and in the past has worked for EDS, McAfee, Xerox and Network Associates.


When is a firewall not enough?

When your employees have laptops; when large quantities of data can be moved around on tiny USB devices, never even touching the network; when malicious outsiders can compromise your servers through the front door; when malware has been specifically designed to be delivered via the web and to avoid classical defences; when you encourage your employees to work in a more flexible and collaborative way, sharing data and ideas; or when your data or services are in the cloud.

In brief, a firewall is never enough.

The workforce is becoming ever more mobile. In fact, laptops are already outselling desktop computers, and that is without taking into account PDAs, Smartphones and Netbooks. In an increasingly mobile and connected world it becomes less and less relevant to secure the infrastructure and more important to focus on the business of securing data.

Back in 1990, Bill Cheswick of Bell Labs characterised the firewall as providing a “hard crunchy shell around a soft chewy centre”. This concept separated infrastructure security from data and systems security and has been at the heart of many network security models ever since. Times have changed since the early nineties and we need to complete the slow movement away from this outdated security model.

The advent and then the explosive growth of e-commerce meant that more and more organisations were making servers and services available to the internet at large, inviting people inside their hard crunchy shell. Increased digitisation and centralisation of data and the Moore’s law-like growth in RAM storage capacity have made data more easily accessible and transportable, increasing both the probability and the opportunity for malicious and careless activity to jeopardise important corporate digital assets.

A more recent phenomenon has been the shift of data and services into the cloud, and this opens up a new set of challenges along with the opportunities. When your servers are in the cloud, your own perimeter provides no protection, and the security is often “lowest common denominator security”, which undermines both confidence and compliance. Co-location of virtual instances and data with those of strangers and competitors brings a host of new challenges. How do you maintain confidence that a dormant virtual machine is free of infection? How do you manage traffic between virtual machines from a security standpoint when it may never go near a physical wire? How can you deal with emerging threats like malware capable of breaking out of a virtual machine to infect the host OS? What mitigation exists against insider attacks? How do you maintain an effective patching regime in a zero downtime environment?

In order for security to be effective in the cloud it needs to be lightweight, agile, enforceable, configurable and auditable at virtual machine level. Data encryption, VI-aware anti-malware, application level host IPS, application firewalls, virtualised network IPS and deep packet inspection host firewalls are key technologies for the future.

Posted 30/10/2009 by Rik Ferguson

Tagged under: security, firewall, virtualisation, patching
