Security – more than just a stateful firewall!
Security is hot. It has always been. It will always be. If you look at IT-related spending, security budget allocations usually tend to be among the highest. However, having spent nearly 15 years directly and indirectly in various security-related roles, I’ve observed it to be among the most misunderstood areas of technology, as well as one with the greatest number of preconceived notions.
Interestingly, many organizations start taking their security requirements more seriously when they’ve been exposed to an attack of sorts. It could be a virus attack, denial-of-service, data compromise or theft. Though never an afterthought, security considerations are given more prominence after exposure to risk.
Some time back, while speaking at a Roadshow, I ran an impromptu survey with the attending audience in three cities before beginning my session. These were a random cross-section of customers from different verticals, varying business sizes and mostly those making business decisions. They were asked to provide a true/false response to the questions below. Some words were purposely bolded, to add a blind and make the responder think:
- My organization is completely secure because I have a stateful firewall
- Most security threats originate from outside the network and can be prevented by installing a firewall at every ingress path
- Installing a self-updating anti-virus package on laptops is sufficient to prevent internal security breaches
- Securing my IP data network helps provide Secure voice-over-IP
- Mobile phones cannot transmit viruses as they have to pass through service provider firewalls
Any guesses what a majority of respondents answered? Interestingly, the bolded words which were incorporated as placebos threw most people off-track. Everybody had a hearty laugh when they saw the results.
With so many organizations (including Cisco) spending millions of marketing dollars over a decade or more, creating security awareness, one would think people get what pervasive security is all about. They don’t, at least not yet. Organic education takes time, as opposed to threat-based education that provides shock value. You may see continued spending of these millions of marketing dollars over the next decade… :-)
As Jimmy Ray Purser states in one of his earlier videos for the Cisco Developer contest, calling on application developers to think secure, “security is a lot more than just a firewall”. As always, Jimmy Ray stimulates grey cells as only he can.
The truth is - the nature, source and complexity of threats are evolving as we adopt different media for communication and bring different types of devices into the “network”. Today, in an IP-based environment, where mobile phones, microwave ovens and video cameras are all different network-addressable devices jostling for attention, anything could be a source of threat, and should be treated accordingly.
And there are other extremes. These are the people who just don’t trust anything. Here’s an anecdote. For most of us, AES may be inherently secure and widely adopted. However, a number of institutions are mandated not to believe it. They still have their own proprietary encryption algorithms, which they believe provide superior security. It is interesting to recollect that one of the reasons Cisco considered opening their routers was an Eastern European government outfit requesting permission to port their own security algorithm on the Integrated Services Router instead of the standards-based ones that Cisco supports by default. They didn’t trust AES.
Developers planning applications should think security from day one and not just application performance or functionality. Security shouldn’t be an afterthought.
Network architects designing network infrastructure security should cross over and consider application security as well. Innovation is not just doing new things. Many times it is connecting the dots and seeing the bigger picture. Typically, we make assumptions about what we don’t know. Our assumptions are only right 50% of the time. Would you let your business be secure half the time?