Computerworld - The Internet front door to almost every bank and financial services company in the world is guarded by two sets of firewalls defining a DMZ. Nearly every e-commerce site sits in a similar DMZ in what has become the de facto standard in Web security architecture. According to Sun Microsystems, "In today's tumultuous times, having a sound firewall/DMZ environment is your first line of defense against external threats." But I would argue that guarding the perimeter is lulling organizations into a false sense of security that results in ignoring the implementation of other security mechanisms in their applications and databases.
In contrast, the Internet front door to MIT doesn't have a DMZ and pretty much doesn't even have a firewall. Universities begin with an assumption that everything is open, but these large organizations are arguably no more vulnerable to external threats than banks and financial institutions, and perhaps less vulnerable to internal threats.
A key reason for reduced vulnerability is the approach many universities take to creating authorization and application-level security in the absence of a secure perimeter. For more than a decade, universities have been implementing homegrown systems and working with vendors to ensure that their products don't make assumptions about working behind a firewall. We look for systems to incorporate application-level security based on verifiable user identities -- an approach that continues to gain ground as organizations realize that firewalls alone don't provide the level of security they need in today's world.
In your own organization, do you pass around unencrypted passwords and data inside the firewall because you know you're behind the firewall? Are your application servers available to any request from anywhere (because they are behind the firewall) or only to those Web servers that need the applications they implement? Is everyone with access to applications allowed full access, or is each person's role (customer, authorizer, accounts payable clerk) part of the authorization protocol to applications? These are some of the issues we must face once we realize that firewalls don't really provide full application security. After all, once the firewall is breached, the outsider is inside, so we can't treat all insiders alike.
As a result, there is a growing interest in standardizing approaches to secure authorization and application access. Many security architectures at universities (and some corporations) are based on the Kerberos protocol and software (http://web.mit.edu/kerberos), first developed at MIT in the 1980s and still going strong. In fact, Kerberos is in the background of operating systems from Apple, Sun and Microsoft, but it's not yet fully implemented
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts