Skip to main content

The Best Firewall? People

A firewall.  An aggressive connotation. A wall, made of bricks and cement, literally on fire.  As far as protection goes, that is pretty good.  Firewalls in a computing and network sense have been around a while, gaining popularity in the late 1980's when inter-networked computers and later the full blown internet came to the fore.

The main crux of the firewall is prevent network traffic from reaching a destination based on a set of rules.  Pretty simple.  One side of the firewall is a trusted 'safe' area (normally known as the private network) and the other side of the firewall will be untrusted or the public network.  Keeping the two separate makes sense and allows for greater control over network traffic and it's data.  So firewalls are generally placed at the outer most part of the private network, often with a de-militarized-zone (DMZ) in between, which acts like a no-man's land where both public and private traffic can enter.

As security has gained focus over the last ten years or so, a few things altered.  Security moved not only from focusing on potentially 'evil' public traffic and 'safe' private traffic, but to focus on keeping data secure from all sorts of angels.  Insider threats.  Proliferation of virus's and malware within the private network.  Access control levels on data to improve confidentiality.  Encryption to prevent eaves dropping and more secure storage to upkeep data integrity.  This has lead to many different levels or 'rings' of security.

Firewalls on the outer-most part of the private network, intrusion detection and prevention systems, localised patch and virus management on individual machines, authentication and authorisation to restrict access and security policies and procedures to manage networks and data effectively.  All part of a complex ring of security.

The term 'ring of security' was used mainly when discussing operating system processing.  The rings simply provide levels of process authorisation to keep potentially unsafe operations affecting the core kernel of the OS.  Gates between the rings allowed processes to be managed through neatly defined routes.  Today, it can also reference the general security approach for an organisation.

Security, can and should cover a multitude of technologies and processes.  I guess this can be exemplified by the the number and variation of topics within many security qualifications such as the CISSP or CISA.

One of the key angels of security management I think is often missed is that of physical and indeed human security.  All very well having 128 bit encryption on your hard disk, but if your laptop is left unattended in a meeting room without swipe card access it's not particularly secure is it?

There are many common security pitfalls that are created by people, not tooling:
  • Security badged not been warn / checked.  Why do you have one round your neck?
  • Tail-gating - how many times have you held a proximity swipe door open for someone....
  • Shared desktops - colleague 'just needs to check something' or check their email.
  • Not logging out.  Turning the monitor off isn't quite the same.
  • Everyone knows a story about passwords.  Weak and easy to break.  Under the coffee mat.  Recycled with a new number on the end...
  • USB sticks / netbooks / portable drives, left unaccompanied.
  • Printed documents not cleared down from printers - clear desk policy.
  • Water cooler chat - social engineering for information, processes, passwords, locations is easier than you think.

All of which can easily be managed and avoided by first the definition of some basic security best practice and secondly through internal awareness and 'marketing'.  Making non-IT users aware of the importance of data security is key and how it not only affects the IT geeks, but the actual profitability, usefulness and general success of business units.  Awareness should also be followed up by readily available security resources - consistent internal documentation is a start - training, websites and updates is ideal.

The concept of using humans as firewalls is not new, but technology can only protect data so far.  Human intervention and judgement is now just as important as security moves into the main stream of effective business management.

You wouldn't trust your car to drive itself, so why let only technology look after your data?  


Popular posts from this blog

2020: Machine Learning, Post Quantum Crypto & Zero Trust

Welcome to a digital identity project in 2020! You'll be expected to have a plan for post-quantum cryptography.  Your network will be littered with "zero trust" buzz words, that will make you suspect everyone, everything and every transaction.  Add to that, “machines” will be learning everything, from how you like your coffee, through to every network, authentication and authorisation decision. OK, are you ready?

Machine Learning I'm not going to do an entire blog on machine learning (ML) and artificial intelligence (AI).  Firstly I'm not qualified enough on the topic and secondly I want to focus on the security implications.  Needless to say, within 3 years, most organisations will have relatively experienced teams who are handling big data capture from an and identity, access management and network perspective.

That data will be being fed into ML platforms, either on-premise, or via cloud services.  Leveraging either structured or unstructured learning, data fr…

Customer Data: Convenience versus Security

Organisations in both the public and private sector are initiating programmes of work to convert previously physical or offline services, into more digital, on line and automated offerings.  This could include things like automated car tax purchase, through to insurance policy management and electricity meter reading submission and reporting.

Digitization versus Security

This move towards a more on line user experience, brings together several differing forces.  Firstly the driver for end user convenience and service improvement, against the requirements of data security and privacy.  Which should win?  There clearly needs to be a balance of security against service improvement.  Excessive and prohibitive security controls would result in a complex and often poor user experience, ultimately resulting in fewer users.  On the other hand, poorly defined security architectures, lead to data loss, with the impact for personal exposure and brand damage.

Top 5 Security Predictions for 2016

It's that time of year again, when the retrospective and predictive blogs come out of the closet, just before the Christmas festivities begin.  This time last year, the 2015 predictions were an interesting selection of both consumer and enterprise challenges, with a focus on:

Customer Identity ManagementThe start of IoT security awarenessReduced Passwords on MobileConsumer PrivacyCloud Single Sign On
In retrospect, a pretty accurate and ongoing list.  Consumer related identity (cIAM) is hot on most organisation's lips, and whilst the password hasn't died (and probably never will) there are more people using things like swipe login and finger print authentication than ever before.

But what will 2016 bring?

Mobile Payments to be Default for Consumers

2015 has seen the rise in things like Apple Pay and Samsung Pay hitting the consumer high street with venom.  Many retail outlets now provide the ability to "tap and pay" using a mobile device, with many banks also offer…