Debate over wisdom of firewalls, passwords and SSL — plus, Anonymous strikes again
Some older assumptions about security — that firewalls are needed for perimeter defense, that we’ll all make do with reusable passwords, and that browser-based SSL connections provide strong security — were once again ripped apart this week as we heard from several individuals who say they simply don’t agree.
“I don’t think firewalls are necessary. They prohibit work from being accomplished,” was one remark from Nathan McBride, executive director of IT at Amag Pharmaceuticals, describing how the company has migrated off an older Microsoft-based network to one built on cloud application services and cloud-based single sign-on for about 240 employees. His story provoked some blistering comments online from Network World readers. Here’s a selection from a few:
“Firewalls. This comment can only come from an IT manager. Really? Do you know what a firewall does? …”
“I almost LOLd! Wow. I’d like to see them pass a PCI scan with no firewalls. Cloud service providers use firewalls, too.”
“How dumb does it get? … let’s hire some clueless jerk to make it someone else’s responsibility …”
“Say What? … And what company doesn’t put a firewall between the Internet and their computers, whether PCs or servers? I’m not impressed.”
All of this just shows that the debate over whether perimeter firewalls are still worth it remains fierce (and yes, the PCI standard for payment cards calls for a lot of firewalls). You may recall that it was the Jericho Forum, with its group of IT professionals, that about five years ago began pounding the drum on the firewall topic, arguing that for perimeter defense a firewall is largely an outmoded idea and can impede e-commerce. That debate is still intense.
The Jericho Forum has now taken up the topic of identity management, saying continuing reliance on reusable passwords in this era of cloud computing is totally misguided, and a stronger trust framework needs to unfold for large-scale Internet use.
That’s what the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative from the Obama administration is trying to coordinate, with the high-tech industry taking the lead. We caught up this week with NSTIC Director Jeremy Grant, who explained what the federal government has in mind so far to foster more secure alternatives to passwords in a new “identity ecosystem.” Don Thibeau, chairman of the Open Identity Exchange (OIX) — the members of which, including Google, want to participate in the NSTIC process — also told us to watch for some innovative pilot projects coordinated among Google, Microsoft and AOL for secure email later this fall.
And finally, when it comes to doubting the usefulness of long-used technologies, this week we heard about a team of researchers pointing out that SSL, the encryption scheme that protects many online transactions, isn’t really that trustworthy, because the chain of trust established via a browser can be broken when phony certificates are issued. Researchers from Carnegie Mellon University think they can build a better mousetrap with Perspectives, their proposed alternative; a second idea, called Convergence, is being worked on by Moxie Marlinspike, a fellow at the Institute for Disruptive Studies, a lab devoted to privacy, anonymity and computer security.
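As an added illustration (not code from the article, nor from the Perspectives or Convergence projects), the following Python models the notary idea behind both proposals: instead of trusting a certificate only because a browser-trusted CA signed it, the client compares the certificate fingerprint it received with what several independent network vantage points (“notaries”) observed for the same host, and treats a mismatch against the notary consensus as a sign of a phony certificate. The notary names, host and fingerprints are constructed sample data, and the quorum rule is a simplification of what the real systems do.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class NotaryObservation:
    notary: str       # hypothetical notary name (constructed)
    host: str         # host the notary connected to
    fingerprint: str  # certificate fingerprint the notary saw (constructed)


def notary_verdict(host: str, client_fp: str,
                   observations: List[NotaryObservation],
                   quorum: int) -> Tuple[bool, str]:
    """Decide whether to trust the certificate the client received for `host`.

    Simplified model: trust only when at least `quorum` distinct notaries
    saw the same fingerprint the client saw. A consensus on a *different*
    fingerprint is reported explicitly, since that is the pattern a phony
    certificate presented only to this client would produce.
    """
    relevant = [o for o in observations if o.host == host]
    if not relevant:
        return False, "no notary data for host"

    # Group notaries by the fingerprint each one observed.
    seen: Dict[str, Set[str]] = {}
    for o in relevant:
        seen.setdefault(o.fingerprint, set()).add(o.notary)

    agreeing = seen.get(client_fp, set())
    if len(agreeing) >= quorum:
        return True, f"{len(agreeing)} notaries agree with client"

    consensus_fp = max(seen, key=lambda fp: len(seen[fp]))
    if consensus_fp != client_fp and len(seen[consensus_fp]) >= quorum:
        return False, ("client fingerprint differs from notary consensus: "
                       "possible phony certificate")
    return False, "insufficient notary agreement"


# Constructed sample: three notaries all saw the same certificate.
SAMPLE_OBSERVATIONS = [
    NotaryObservation("notary-a.example", "mail.example.com", "AA11"),
    NotaryObservation("notary-b.example", "mail.example.com", "AA11"),
    NotaryObservation("notary-c.example", "mail.example.com", "AA11"),
]
```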