There was a lot of talk about firewalls at the Web 2.0: Practical applications for business benefit conference this week.
Luis Suarez said that there was no point in organisations using their firewalls to block applications such as Facebook and instant messaging. People bring their mobile phones to work, which gives them access to that stuff anyway. Employees are no longer dependent on the devices provided by their organisations.
Euan Semple said that firewalls give an illusion of protection, but information within the firewall is only a cut and paste away from the world wide web.
John Meakin, head of information security at Standard Chartered bank, said that firewalls are increasingly failing to do the job that they are asked to do. They were designed to shield an organisation's entire network. Your firewall is tasked with protecting:
- all of your information systems
- all of the servers that the systems sit on
- all of the devices that the systems run on
- all of the information that the systems hold
As time has gone on this task has increased in complexity. Organisations have massively increased both the number of channels through which they connect to the outside world, and the volume and variety of information they exchange through those channels.
This increased complexity means that people in information security roles like John's are forever having to patch and mend weaknesses in their firewall. John says that he feels like the Dutch boy with his thumb in the dyke. It was a powerful image: such fragile protection against the might of the sea.
For John the answer is to give individual systems, servers, devices and information objects their own protection, through encryption. The challenge with encryption is getting users to apply it. The technology is freely available to the end user already (Microsoft issue it as standard in Vista) but there is no user-friendly interface to it.
Standard Chartered have started an ambitious project to reduce reliance on the firewall by protecting the information itself rather than the network it is housed upon. They are building a user-friendly encryption interface which will prompt people when they save or communicate information to decide:
- whether or not it needs encryption protection,
- whether or not they want to prevent recipients forwarding it on, printing it, copying it, or cutting and pasting from it.
If Standard Chartered get this right, and if their users buy into it (big 'ifs'), then they will be able to worry much less about any weaknesses in their firewall. Even if secret information did find its way out onto the web, the only people able to access it would be colleagues with the encryption keys.

James Lappin