Wednesday, 28 January 2009

Where to put the defence in a company with no borders

In my previous blog I discussed the problem that companies no longer have a clear border to the world. I think that our CTO at AppGate, Tomas Olovsson, summarizes the problem very well in only one sentence. He says, " There are people on the inside that cannot be trusted and people on the outside that should".
How do you solve this fundamental problem? The answer is to move the security in two directions (from the perimeter...usually the company firewall), closer to the users and closer to the applications. The device should be secured and checked for access, a firewall should be places close to the applications (the access system and the firewall should be part of the same system)
All traffic between the user and the application should always be encrypted and all access should be granted on an individual basis.
Users should only be able to access information they need...and nothing else. The interesting thing is that now the difference between the outside and the inside disappeared. This also increases the possibility to enforce access polices such as which users should be able to access information on which platform? Where should the user be located? What time of day etc etc? From a legal standpoint this makes it possible to conform to laws and regulations such as SOX.
This sounds easy but one of the problems of today is that most vendors do not like this architecture, as it would sell fewer boxes....

2 comments:

Gilles Gravier said...

Most vendors do not like this architecture because they have no solution that deals with it. That's why you guys have such an interesting offering.

Goran Marby said...

I know...but I was trying to be polite. I guess it is a question about money, vendors want to sell boxes...Users want solutions.