June 27, 2013

Why Data Security Pros Are Knocking Down Firewalls

Disa1Yesterday, a very interesting article in the AFCEA caught my eye: “DISA Eliminating Firewalls.” Although the title seemed provocative at first, the article itself just made me smile.

DISA gets it, they really get it.

One of the advantages of working with the father of the modern firewall is that I have an insider’s perspective on how security has evolved over the years – from the early days of Stateful Inspection firewalls, when perimeter and interdepartmental separation was the focus, to the realization that data (a company’s lifeblood) is the single most important asset to protect. Not this or that network, but the data.      

In the article, Lt. Gen. Ronnie Hawkins JR explains that network separation, while widely accepted, does not encourage business collaboration, like easily accessing and sharing content.

Here’s my favorite snippet from the article: “In the past, we’ve all been about protecting our networks—firewall here, firewall there, firewall within a service, firewall within an organization, firewalls within DISA. We’ve got to remove those and go to protecting the data.” (Emphasis is mine.) 

Yes, firewalls are important. They help solve network security problems by creating barriers that prevent unwanted network access. But they do not control data access.

That’s why I find DISA’s new approach so fascinating. It’s based on the realization that the threats have changed. Hackers want data like IPs, PINs, credentials, proprietary information, and more. And it’s very easy for them to steal data due to poor security controls or outright mismanagement.  

Only time will tell how DISA will implement their new plan. But they’re likely to make the following changes:

  1. Data will be classified in databases and file systems
  2. Role-based access that is based on entities will be mapped against the data classifications
  3. Business logic rules (i.e., “only a Lt. Gen. or above, reporting to a specific unit, may read/write this kind of data) will be created
  4. Access to content will be controlled and audited
  5. A discovery process for new data at rest will be implemented
  6. Data will be monitored for configuration, permission, and vulnerability issues

Of course, these are only a few examples coming from best practices in data security. And while each example can be easily expanded, the basic idea is pretty clear. There’s a new focus in town: data access control will increasingly trump network access control. It’s the next logical step in the evolution of data security in enabling large organizations to collaborate in a way that is both easier and more secure.

Personally I hope that the DISA’s decision becomes a guidepost for other organizations to follow.

And that’s why I salute you, DISA. A job well done.

Authors & Topics:

Share on LinkedIn


Fully agree with previous authors. DISA is actually is a number one source for our Risk Models and Security Configuration Guides.

But I have one interesting question. While large corporations and government have money to take the drastic steps toward protecting actual data, what the home users should do beyond Antivirus+firewall+applications updater? Shut the firewall down? Get rid of antivirus? I believe the vendors are still behind the curve. Clould computing is not trusted by the home PC users, so far, not to mention attached cost...
Any ideas?

I couldn't agree more. While security concerns used to be centered on network access, data access is now in the crosshairs. Not only have the threats changed, it's also quite likely that the bad guys are already inside your network, whether you know it or not. We're seeing two distinct types of attackers: 1) the malicious outsiders who want to compromise the credentials of privileged users so they can gain access to and steal sensitive data; and 2) the privileged users like Snowden who use their credentials to access and exfiltrate sensitive data. The desire to embrace cloud technologies a whole new attack vector and attack target: cloud service providers. CSPs must take precautions to secure the data they manage, and they also need to carefully monitor access since people managing the data for their customers will become big targets as well. A layered data security approach is the way to go, and it's good to see DISA's thinking start from the "inside out"(data-out), not the "outside=in" (network-in).

(Network) firewalls are dead. Long live (data) firewalls!

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.