Andre Durand has two great, short posts on firewalls
So where do I deploy my firewall now?
Andre previously blogged
I was in a management meeting this morning, and we were talking about how a number of clients are asking Ping Identity to do more and more of the management surrounding their federation initiatives and the entire notion that 'security is going cross-company, and what does that really mean' struck me in a way it never had before.
The fact is, as enterprises outsource everything possible that's not core or strategic, they're going to need ways to control, manage and secure them. That's where identity and the notions of identity federation come in, and I'm not talking just single sign-on, I'm talking 'internet-scale security'.
In a sense, the entire notion of a "firewall" as defining what's protected from the 'outside' is simply outmoded. There is no 'them' and 'us'. There is only the difference in how you define and control 'us'. Companies need ways to maintain security, but they are drawing the lines around what they need to protect all over the internet. The NEW security company will be the one that helps them do that.
This more or less captures in a few short paragraphs the essence of what I explored in a few posts on Decentralization and Good Enough Security. That series yielded a neat meme:
All in one must yield to the distributed many
POST: Decentralization and "Good Enough" Security, by Gunnar Peterson
Great post. Centralized security in a federated world: I love it! That, in a nutshell, is why the all-in-one Leviathan must yield to the distributed SysAdmin force.
So it's not so much that firewalls are dead or useless, but they do not deal with most threats, and in general do not represent the best investment for your security dollars.
This idea is the premise of my own book on digital identity: the old centralized models that require everything behind a firewall no longer work, and good identity infrastructure is crucial to resolving that dilemma. I'm writing specifically about identity in the computer-system sense, but there are close parallels to the global world as well. Note that if you've read my book you'll understand that this is a far cry from a call to implant RFID chips in everything that moves.
BTW, Phil's book is excellent, and I recommend you buy a copy. I will blog a review shortly.
Disappearing perimeter and new applications - we're screwed
This post and resulting discussion from Gunnar Peterson provide a lot of food for thought. He uses a decentralization vs. centralization metaphor to make the point that we are inextricably moving toward distributed data. SOA and web services guarantee that. That means the traditional "centralize and apply draconian policies" approach of many security practitioners is no longer valid. Oh boy. If you aren't following me, maybe this quote from the post will help: "The perimeter in an SOA is the document, not the network. The security model is defined by the security constructs in the document, not the network firewall." That kind of screws everything up, no? Gunnar goes into a bit more detail in a follow-up post (here) - but understanding the concept is critical. This is the case for why we need to separate out infrastructure security and data/information security. Right here. Read it and understand it.
If your security model does not mirror where the business and technology are going, then it's broken. Simple as that. The time for pretending that ivory-tower security, with flaming firewalls on Visio drawings and thousands of open ports and exceptions, is security is pretty much over. Your business is not a castle behind a moat; it is a node in the midst of many-to-many relationships. Don't be afraid of it, design for this reality.