11:00 AM
Asaf Cidon

Why the Firewall is Increasingly Irrelevant

It will take a dramatic reimagining of security to dedicate focus to the areas where company data actually resides. It starts with tearing down the firewall.

Firewalls only protect what work used to be, not what it is today: a distributed collection of employees connected by mobile devices, in turn connected to the cloud. The only way to secure all company data, then, is to extend enterprise-grade security to these employees’ devices and cloud applications. The truth of the matter is that business data is rarely confined to corporate network perimeters anymore. So why are IT professionals still using this vestige of a simpler time?

Inertia has a lot to do with it. Consider the firewall’s long tenure in the enterprise: the firewall first started protecting network perimeters in the late 1980s. Couple that with the amount of sweat IT puts into it (there is no need to remind you how messy firewall implementations can get), and it is no surprise that many companies continue to see the firewall as the cornerstone of their security efforts, increasing their firewall investments as the level of security risk rises. But whether on-prem or next-gen, the firewall increasingly isn’t the cornerstone of security -- and it’s time for IT to take steps to expel it.

Counterpoint: Firewalls Sustain Foundation of Sound Security by Jody Brazil, Co-Founder & CEO, FireMon.

In environments in which the firewall is still considered one of the primary lines of defense, security threats increasingly have a way of creeping in. To truly dedicate focus away from the firewall and into the areas where company data actually resides, it will take a dramatic reimagining of security. That starts with tearing down the firewall.

There are two key aspects of the new security reality that make perimeter-based security so irrelevant:

Data resides on company servers and unsecured employee devices.
Employees are increasingly doing whatever it takes to get their jobs done quickly and conveniently. Often, that means they’re sharing and syncing company data on a cloud like Dropbox or Office 365 from their corporate computers and personal mobile phones or tablets. IT, meanwhile, remains unaware: a recent Ponemon survey found that 81 percent of IT organizations don’t know how much sensitive data resides on mobile devices and the cloud. These devices and cloud sharing applications often never cross the corporate network at all, using public hotspots and high-speed cellular data plans instead.

Your company data ends up everywhere.
Extrapolate that habit to everyone who works with your company—in-house staff, contractors, suppliers, partners, clients—and it’s clear that data is ending up everywhere. These people need help to secure the data. Worse, when such habits are playing out in the shadows, you can bet that the extra security measures you need (or require) aren’t being implemented.

That, in turn, means that data today is sitting unencrypted—and totally vulnerable—on employee private devices, which hold the same amount of company data that used to be on the network. But the firewall is not protecting them.

Businesses—and enterprises are especially guilty of this—are building a higher and higher wall around their network. However, the data is no longer confined to that network. Instead, reliance on the firewall has increasingly become a noxious threat of its own.

Separating the Truth from the Firewall
Here are three things you can do to transcend the firewall and really protect your organization.

1. Look beyond advances in legacy systems. Even a next-gen firewall with deep-packet inspection and cloud tokenization won’t secure sensitive data that employees’ devices upload to and download from the consumer cloud. Yes, the latest batch of firewalls is application-aware, so they may prevent company-provisioned devices from accessing certain unapproved cloud applications. But given that employees often choose productivity over regulations, they can still easily access these “must-have” productivity applications from their private devices, either from outside the network or over unregulated cellular data plans.

To protect data as it disperses across the consumer cloud and end-user devices, IT needs a solution that works with the consumer cloud, not against or despite it. The solution should add strong administrative insight and control without disrupting the user experience.

2. Do not add complexity. Another common solution is to enable an enterprise-grade alternative to forbidden consumer-grade applications -- or else to severely restrict the consumer app’s usage. This also rarely works. The reason so many professionals started using Dropbox in the first place is that it lets them get work done quickly; if your add-on security or alternative solution is too onerous, or disrupts the best parts of the cloud, people will find less secure workarounds. We’re past the phase where you force users to change habits, so the challenge instead becomes figuring out how to enable use of these applications in a way that adequately protects sensitive company data.

3. Controls, controls, controls. Security must follow files wherever they go. End-to-end encryption that extends to devices will seal the potential compliance gaps opened by file sync and remote work. A centralized dashboard that lets you see activity within your entire organization will help you observe unusual patterns. You should also be able to block access to data as needed, even for devices that are offline, and remove access to encrypted files.

All of this must happen in the consumer cloud. Server-side encryption isn’t sufficient, nor are enterprise cloud apps with which regular workers refuse to engage. You need to secure company data no matter where it resides. Otherwise, you end up guarding a wall around an empty shell, while your sensitive data remains exposed to all kinds of variables. That, to put it bluntly, is the opposite of security.


Asaf Cidon is Vice President, Content Security Services, at Barracuda Networks. In this role, he is one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spearphishing and cyber fraud defense. Barracuda Sentinel utilizes artificial ...

6/23/2015 | 7:28:41 AM
Don't denigrate the firewall

Firewalls are still a critical part of a company's defences, and dismissing them as a relic from a bygone era is unhelpful. Yes, you need to consider the modern challenges of cloud and mobile working, but not at the expense of your firewalls. Issues such as company data on personal devices and Dropbox need to be addressed in addition to securing the network with firewalls, not instead of.

I'm also tired of hearing people say that we should shrug our shoulders and accept that employees are going to keep company data on insecure personal devices regardless of company policies and so forth. Simply caving to the whims of users who don't care about security and expecting security professionals to work around them and find solutions is not good for anyone. Give your security policies some backbone and enforce them. Give your employees decent IT, at least as good as what they have at home, and make your security policies and guidance sensible and proportionate. Make mobile device management good enough to secure your data but not intrusive or onerous. If you do this there is no reason not to expect your users to work remotely in a sensible and secure manner.

Know how the cloud services you use secure your data. Know what they've got that's yours, where it is, how it is encrypted, backed up, how they'll handle a transfer if you change or quit their service, and so on.

None of this negates the need for firewalls. The firewall on its own won't keep you safe, but it's a key part of your defence in depth and you'd be foolish not to give it its due.

6/17/2015 | 12:54:26 AM
It will take a while
I can't picture a real data center functioning without firewalls. As messy as they may be, network firewalls create restricted enclaves to discourage unauthorized access while permitting relatively freer access between enclave components. Server vulnerabilities will always be with us, and firewalls help mitigate them either temporarily or permanently.

A big chunk of the next generation IT workers seems to have a relaxed attitude regarding PII and sensitive information. For example, many I talk to think that keeping SSNs private is a silly and antiquated notion. I have little doubt that we will be seeing more high profile data breaches due to just plain old lack of concern and/or carelessness.

Since data is quite often an organization's most valuable asset, it should be treated as such. Hence it should be assumed that routinely transmitting bulk data to storage systems not under direct control, and mobile devices, will only eventually compromise an organization's prime assets for the sake of convenience.

This stuff just isn't fun. My career dates back to pre-internet days when we were rolling out applications on closed internal systems. Hacking attacks from China and Russia were unknown and not even contemplated. We were able to expend our energies on innovation, not maddening security issues.
6/12/2015 | 7:52:42 PM
Data volume is an essential consideration
You never talk about the volume of data in the various locations that you cite as evidence of decreasing firewall relevance. The amount of sensitive data on mobile devices or cloud storage services is orders of magnitude less than on data center servers, for which firewall protection is essential. Simply because the number of sensitive data locations that cannot be protected by firewalls is increasing does not mean every firewall is less relevant. New protection technologies are certainly needed for these new locations, just as existing technology has some vital role in protecting other locations.
6/12/2015 | 6:41:21 PM
Many traditional technologies are not useful anymore
Thank you for your post. I would add that not only are firewalls increasingly irrelevant, many traditional technologies like antivirus software are not useful anymore to protect information assets. Mobile devices, cloud applications and negligent or careless users are jeopardizing this issue. However, your three points are very clear: we do not have to fight the ubiquitous modern technologies (BYOD, cloud apps); instead, we must implement procedures that enable a secure use of these technologies in a hurry, before risky actions become habits that are not easily modifiable, as you state in your second point.