Defence in depth is a proven strategy to guard against data breaches, but it works best with a unified, flexible chain of command, says a leading Internet security firm.
Kellman Meghu, head of security engineering at Check Point Software Technologies Ltd. for Canada and the central U.S., told reporters and analysts in Toronto this week that it’s important for organizations to create cohesive high-level security policies.
“Defence in depth is a great idea,” he says, “until the components that you’re using don’t all talk to each other.”
Check Point offers a wide range of integrated security software and hardware appliances. By unifying them through a single policy, Meghu says, Check Point ensures that an organization can more effectively prevent data breaches whenever something changes in their network architecture.
“If you look historically at security, the policy starts at a high level, but then by the time it actually gets deployed it somehow becomes baked into the network and very dependent on the network architecture. So, the challenge there is if the network architecture changes or the requirements change the security policy has to adjust with it.”
In the past, he says, organizations would be forced to work closely with their security teams to make these changes. Now, he says, Check Point has automated the process to a greater extent, which he calls an “agile” approach to security.
“With agile security we’re creating a policy at a high level that is independent of the network, which means when they deploy a new application the security is automatically applied to it.”
Without a single policy, he says, defence in depth “starts to become very complicated because you have to create manual processes [so] that, for example, the people running the application inspection and the URL filtering are talking to each other to make sure they’re not creating holes within each other’s policies.”
But Ramon Krikken, a Gartner Inc. security analyst, says that consolidation could potentially “introduce a different kind of risk.”
“If we instead have one central place where everything is controlled from, that becomes a risk aggregation point,” he says.
“To some extent, yes, you create more unity in the sense that if I turn on defence mechanism X it means that we’re automatically going to instrument the anti-virus to do this, the URL filtering to do that, and the intrusion-detection system to do some other thing. But then again, if you misconfigure central policy X then you might turn off a defence in all of those three layers at one time.”
He does agree, however, that traditional models have been guilty of creating policies that introduce unnecessary complexity into the system further down the chain.
Meghu says in the past, companies would set a certain high-level policy, for example, that “marketing is allowed access to Facebook to post information about the company.”
“Unfortunately, by the time it got down to somebody actually deploying it,” he says, “it turned into, ‘this block of IPs in this network is allowed to access this group of Facebook servers over port 80.’ Well, actually, port 80 just kind of opened up everything and the Facebook servers are so vast that you could never list them all.”
“That didn’t work at all,” agrees Krikken. “I mean, I’ve tried in the past. It was horrific.”
By contrast, Meghu says, the model Check Point uses would instead “create a rule that says marketing as individuals can go to Facebook as an application.”
Krikken says this is a step in the right direction as it takes the user context into account. “As soon as you’re saying we’re going to allow individuals, so user identities, access to Facebook, which we know as a certain application, and we can define that on whatever filtering system we use, that sounds a lot more sensible.”
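The gap Meghu and Krikken describe, shown as an added worked example (this is illustrative code written for this page, not Check Point's product or anything from the article): a small policy evaluator that compares the degraded network rule (“this block of IPs may reach this group of Facebook servers over port 80”) with the intended rule (“marketing, as individuals, may use Facebook, as an application”). All subnets, users and requests are constructed; the `app` field stands in for whatever an application-inspection engine would report, and the server ranges are RFC 5737 documentation addresses, not real Facebook infrastructure.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed data for the example (hypothetical, not from the article).
MARKETING_SUBNET = ip_network("10.1.20.0/24")          # "this block of IPs"
LISTED_FACEBOOK = [ip_network("198.51.100.0/24")]      # "this group of Facebook servers"
USER_GROUPS = {"alice": "marketing", "bob": "engineering"}


@dataclass(frozen=True)
class Request:
    user: str        # identity from the directory / endpoint agent
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str         # application as identified by inspection (assumed label)


def network_rule_listed(req: Request) -> bool:
    """Degraded rule: marketing subnet -> listed Facebook servers, port 80 only."""
    src, dst = ip_address(req.src_ip), ip_address(req.dst_ip)
    return (src in MARKETING_SUBNET
            and any(dst in net for net in LISTED_FACEBOOK)
            and req.dst_port == 80)


def network_rule_any_port80(req: Request) -> bool:
    """What the rule tends to become once the server list is unmaintainable:
    marketing subnet -> anywhere on port 80 ("port 80 just kind of opened up everything")."""
    return ip_address(req.src_ip) in MARKETING_SUBNET and req.dst_port == 80


def identity_app_rule(req: Request) -> bool:
    """Intended rule: marketing (as individuals) may use Facebook (as an application),
    independent of source address, server address or port."""
    return USER_GROUPS.get(req.user) == "marketing" and req.app == "facebook"


# Constructed sample traffic, labelled by the situation it represents.
SAMPLE = {
    "alice_listed_http":       Request("alice", "10.1.20.5",  "198.51.100.10", 80,  "facebook"),
    "alice_unlisted_tls":      Request("alice", "10.1.20.5",  "203.0.113.10",  443, "facebook"),
    "bob_on_marketing_subnet": Request("bob",   "10.1.20.77", "198.51.100.10", 80,  "facebook"),
    "alice_other_app_port80":  Request("alice", "10.1.20.5",  "203.0.113.99",  80,  "file-sharing"),
    "alice_from_vpn":          Request("alice", "192.0.2.40", "198.51.100.10", 443, "facebook"),
}


def evaluate(rule, requests=SAMPLE) -> dict:
    """Apply one rule to every sample request; True means 'allow'."""
    return {name: rule(req) for name, req in requests.items()}


def policy_gaps(rule, requests=SAMPLE) -> dict:
    """Where a network-level rule disagrees with the intended identity/app policy.
    'over_permitted': allowed by the rule but not intended (a hole).
    'under_covered': intended but blocked by the rule (breakage, which invites wider rules)."""
    over, under = set(), set()
    for name, req in requests.items():
        actual, intended = rule(req), identity_app_rule(req)
        if actual and not intended:
            over.add(name)
        elif intended and not actual:
            under.add(name)
    return {"over_permitted": over, "under_covered": under}


if __name__ == "__main__":
    for label, rule in (("listed servers, port 80", network_rule_listed),
                        ("any destination, port 80", network_rule_any_port80)):
        print(label, policy_gaps(rule))
    print("identity/app rule", evaluate(identity_app_rule))
```

Running it shows the two failure modes in one place: the strictly listed rule lets an engineer who plugs into the marketing subnet reach Facebook while blocking a marketing user on an unlisted server or on VPN, and the loosened “anywhere on port 80” rule additionally admits an unrelated application. Only the identity-plus-application rule matches the policy as written.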