
Protecting applications from Firewall failure

Editorial Type: Masterclass     Date: 11-2015    Views: 2118      
How to protect applications, in the context of changing network access and a porous perimeter - Certes Networks provides the strategy

The single common security issue in the continuing wave of data breaches around the world has been the over-reliance on firewall-based enterprise perimeters. For far too long, firewalls have been installed and then abandoned, even with the advent of next-generation firewalls.

For decades, classic IT security architectures have been built using the assumption that firewalls can be relied upon to keep out unauthorised users and that internal networks and their users can be considered as trusted and safe. However, as breach after breach continues to demonstrate, this notion is obsolete and dangerous. It can lull everyone into a false sense of security, giving rise to the inevitable finger pointing.

WHEN FIREWALLS FAIL
Firewalls are too rigid and infrastructure-bound to accommodate the fluid, virtualised networking and application sharing that we now expect, and then there is the influx of devices into the IT mix. Modern enterprise borders are essentially porous. Applications are routinely shared with employees, partners, contractors, supply chain members and others who are external to the firewalled perimeter.

Forming part of the frictionless enterprise, these external parties routinely access resource planning, accounting, inventory and communications applications, conducting self-service of work orders, billing, financial transactions, patient record management and much more. Similarly, new devices, including personal devices, are increasingly used to access corporate applications inside and outside the perimeter. Bring Your Own Device (BYOD) is a grudgingly accepted practice that has expanded beyond smartphones and tablets into a multiplicity of things.

A firewall alone cannot properly police and secure all of these interactions, device flows and application flows. The performance requirements are too steep and the application flows too fluid for a single infrastructure element - the firewall - to keep pace. This, of course, is no secret, and firewalls are a popular attack vector that is repeatedly exploited. The vector is characterised as follows:

• An attacker compromises the credentials of an employee, contractor or other authorised user
• The attacker gains access through the firewall using those credentials
• Once inside the enterprise perimeter, the firewall is unable to block the attacker's lateral (application to application) movement.

Firewalls, though, are not dead, and they remain an essential component of the security architecture. The question facing security architects centres instead on how to design borderless, software-defined security around the new modes of application sharing and user behaviour that firewalls cannot address.

NO TRUST NETWORKING
Thankfully, several strategies over the last decade have offered a useful model for rethinking the security architecture. The first is to adopt a no-trust philosophy for designing networks and security postures, meaning that:

• No network is considered safe or trusted, inside or outside the perimeter
• No user is to be fully trusted
• No device is to be fully trusted
• Assume that a breach will happen and that the firewall will be circumvented
• Plan to contain that breach and prevent attackers from getting to your most sensitive applications.

Once accepted, these assumptions clearly direct the next steps in rethinking the security architecture:

• Networks and applications should be logically segmented to isolate sensitive applications wherever they go
• Access controls must be based on user roles and enforced in real-time on all users, on all networks
• Encryption of sensitive applications is obligatory, even when those applications exist on internal networks.

Using this approach, an enterprise can establish effective breach containment when the inevitable happens. The resulting security architecture is designed around logical, end-to-end application crypto-segments that provide the same level of security, regardless of where an application flows. Even if the user is compromised, the attacker cannot move laterally from application to application and gain access to sensitive data.
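The three design rules above (logical segmentation, role-based access enforced on every flow on every network, and obligatory encryption for sensitive applications) can be expressed as a single default-deny policy decision. The following is an added example, not code from the article or from Certes Networks: a minimal policy evaluator for application flows in which every application name, role, segment and policy entry is constructed sample data. It deliberately ignores whether a flow arrives from the "internal" or "external" network, since the no-trust model grants neither any standing, and it shows how a compromised credential or a compromised front-end application is stopped from reaching a sensitive crypto-segment.

```python
"""Added example: a default-deny, zero-trust policy decision point for application flows.

Every flow is checked against (1) the user's role, evaluated per request rather than
once at the perimeter, (2) the logical crypto-segment of the source and destination
application, and (3) an encryption requirement for sensitive segments that applies
even between two internal hosts. All names and policy tables below are constructed
sample data, not any vendor's configuration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str
    role: str
    src_app: str      # application or device the flow originates from
    dst_app: str      # application the flow is trying to reach
    encrypted: bool   # is the flow protected end-to-end?
    network: str      # "internal" or "external"; intentionally NOT used for any decision


# Constructed segmentation: each application or device belongs to one crypto-segment.
SEGMENTS = {
    "byod-laptop": "endpoint",
    "web-portal": "dmz",
    "billing": "finance",
    "erp": "finance",
    "patient-records": "clinical",
}

# Segments holding sensitive applications: flows into them must be encrypted.
SENSITIVE_SEGMENTS = {"finance", "clinical"}

# Role -> applications that role may reach. Anything not listed is denied.
ROLE_POLICY = {
    "contractor": {"web-portal"},
    "accounting": {"web-portal", "billing", "erp"},
    "clinician": {"web-portal", "patient-records"},
}

# Source segment -> destination segments it may initiate flows to.
# Endpoints may initiate to any segment (subject to role); application segments
# may only talk within themselves, so a compromised front end cannot pivot.
SEGMENT_POLICY = {
    "endpoint": {"dmz", "finance", "clinical"},
    "dmz": {"dmz"},
    "finance": {"finance"},
    "clinical": {"clinical"},
}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything else is a deny."""
    src_seg = SEGMENTS.get(flow.src_app)
    dst_seg = SEGMENTS.get(flow.dst_app)
    if src_seg is None or dst_seg is None:
        return False, "unknown application"

    # Role check, enforced on every flow regardless of flow.network.
    if flow.dst_app not in ROLE_POLICY.get(flow.role, set()):
        return False, f"role {flow.role} not permitted to reach {flow.dst_app}"

    # Segmentation check: blocks application-to-application lateral movement.
    if dst_seg not in SEGMENT_POLICY.get(src_seg, set()):
        return False, f"segment {src_seg} may not reach segment {dst_seg}"

    # Encryption is obligatory for sensitive segments, even on internal networks.
    if dst_seg in SENSITIVE_SEGMENTS and not flow.encrypted:
        return False, f"unencrypted flow to sensitive segment {dst_seg}"

    return True, "allowed"


if __name__ == "__main__":
    # Constructed scenarios: a legitimate user, the same user over cleartext on the
    # internal network, a stolen contractor credential, and a compromised web portal
    # trying to move laterally into finance.
    scenarios = [
        Flow("alice", "accounting", "byod-laptop", "billing", True, "external"),
        Flow("alice", "accounting", "byod-laptop", "billing", False, "internal"),
        Flow("mallory", "contractor", "byod-laptop", "patient-records", True, "internal"),
        Flow("mallory", "accounting", "web-portal", "billing", True, "internal"),
    ]
    for f in scenarios:
        allowed, reason = evaluate(f)
        print(f"{f.user:8} {f.src_app:12} -> {f.dst_app:16} {'ALLOW' if allowed else 'DENY '} {reason}")
```

The order of checks matters only for the reason string; each check is independently sufficient to deny, which is the property that makes the policy contain a breach: a valid credential alone gets an attacker past the role check but not past segmentation, and being "inside" the network never relaxes the encryption requirement.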
