WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

The beginning of the end for firewalls?

By Barry Shteiman.

Recently a very interesting article on the Armed Forces Communications and Electronics Association website caught my eye: ‘DISA Eliminating Firewalls.’

Although the title seemed provocative at first, the article itself just made me smile.

DISA gets it, it really gets it.

One of the advantages of working with the father of the modern firewall (Shlomo Kramer) is that I have an insider’s perspective on how security has evolved over the years: from the early days of Stateful Inspection firewalls, when perimeter and interdepartmental separation was the focus, to the realization that data (a company’s lifeblood) is the single most important asset to protect. Not this or that network, but the data.

In the AFCEA article, Lt. Gen. Ronnie Hawkins JR explains that network separation, while widely accepted, does not encourage business collaboration, such as easily accessing and sharing content.

Here’s my favourite snippet from the article: “In the past, we’ve all been about protecting our networks — firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data.”

Yes, firewalls are important. They help solve network security problems by creating barriers that prevent unwanted network access. But they do not control data access.

That’s why I find the Defense Information Systems Agency’s (DISA’s) new approach so fascinating. It’s based on the realization that the threats have changed. Hackers want data like IPs, PINs, credentials, proprietary information, and more. And it’s very easy for them to steal data due to poor security controls or outright mismanagement.

Only time will tell how DISA will implement the new plan. But the Agency is likely to make the following changes:

  • Data will be classified in databases and file systems;
  • Role-based access that is based on entities will be mapped against the data classifications;
  • Business logic rules (i.e., “only a Lt. Gen. or above, reporting to a specific unit, may read/write this kind of data) will be created;
  • Access to content will be controlled and audited;
  • A discovery process for new data at rest will be implemented;
  • Data will be monitored for configuration, permission, and vulnerability issues.

Of course, these are only a few examples coming from best practices in data security. And while each example can be easily expanded, the basic idea is pretty clear. There’s a new focus in town: data access control will increasingly trump network access control. It’s the next logical step in the evolution of data security in enabling large organizations to collaborate in a way that is both easier and more secure.

Personally I hope that the DISA’s decision becomes a guidepost for other organizations to follow.

And that’s why I salute you, DISA. A job well done.

Author: Barry Shteiman is Imperva's Senior Security Strategist.

•Date: 5th July 2013 • US/World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.
   

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here