MIS Asia editor, Ross O. Storey, shared thoughts with Palo Alto Networks’ co-founder and chief architect, Yuming Mao, on the benefits and dangers of today’s new openness and interactivity.
By Ross O. Storey
21 Jul 2010

SINGAPORE, 21 JULY 2010 - Many organisations struggle with balancing the business value and risks of Enterprise 2.0 and Web 2.0 applications. On one hand, they offer tremendous business value – on the other, they carry significant risks – data loss/leaks, productivity, compliance, business continuity, and operations cost risks.

What do you see as the major Achilles heel of enterprises in the Asia Pacific relating to enterprise IT and network security?

Modern applications and threats easily circumvent the traditional network firewall – so much so that enterprises have deployed an entire crop of ‘firewall helpers’ to help remedy the situation. But that hasn’t really worked. Neither have attempts to bolt application awareness and control onto existing firewall products, or to consolidate firewall helpers with a unified threat management (UTM) device. Applications and threats are still making their way around these so-called solutions, frustrating IT groups that have only managed to incur additional cost and complexity without fixing the problem.

The second issue is that even if traditional security infrastructure could see and control modern applications, it has the wrong model.  Traditional network security has two concepts – good traffic (allow) and threats (block) – applications are not threats – they provide benefit, but they do carry risks.  For many organisations, this necessitates a model which focuses on the safe enablement of applications (e.g. “allow for certain users”, “allow certain functions,” or “allow, but scan for threats”).

What are the latest trends relating to attacks on application-layer vulnerabilities and at what rate are these attacks being generated?

Social networks have become the transmission vector for old and new threats – hundreds of millions of users are a huge target – and threat developers are reacting accordingly. Our top 10 social networking risks/threats include:

- Social networking worms

- Phishing bait

- Trojan vector

- Data leaks

- Shortened or obfuscated links

- Botnet command and control

- It’s a data source for attackers

- Cross-site request forgery (CSRF)

- Impersonation

- Too much trust from end-users

What examples can you cite, of Asia Pacific enterprises that have suffered due to the latest threat environment?

One of the interesting elements of Web 2.0 applications and the threats they carry is that there are no boundaries. The world is flat.  Many Asia-based applications are used in other parts of the world and vice-versa (Asian P2P file sharing, European media, and North American social networking applications are prevalent worldwide). Not surprisingly, the threats they carry are just as prevalent.  While we can’t give you specific, non-public examples, there are defence contractors, government agencies, healthcare organisations, and pharmaceutical manufacturers that have fallen prey to threats borne by these classes of applications.

How prepared do you think Asia Pacific enterprises are to meet these new challenges and are they coping with the burgeoning demand for bandwidth?

Many organisations continue to struggle with managing these new applications, and their incumbent network security infrastructure, which bases decisions on irrelevant network port information, and struggles with an antiquated good/bad security model. One of the things we’ve seen in bandwidth-conscious enterprises is the desire to allow certain applications, but queue and shape them such that they cannot interfere with more critical and more latency-sensitive business applications.

How has the enterprise risk profile changed because of these new bandwidth hungry systems and how serious is the situation in the Asia Pacific, compared to the US and Europe?

I don’t think the risk profile is that different in Asia. The compliance issues are different, and individual enterprises’ cultures are different, but the desire to use Enterprise 2.0/Web 2.0 applications, the need to adopt social technologies, and the concern about the risks they carry are common globally. Have a look at our latest Application Usage and Risk Report for some detail on how similar North American, Asian and European organisations look from a risk perspective.  (http://www.paloaltonetworks.com/literature/AUR_spring2010.php)

How well are firewalls evolving to meet these new threats and what should enterprises be doing to ensure they are properly protected in this changing environment?

The traditional stateful inspection firewall as we know it can’t evolve – it must fundamentally change.  The firewall has some unique advantages – it sees all traffic, and it defines the trust boundary. Traditional firewalls, however, cannot see past port and network protocol. So taking the good (the position of the firewall within the network) and starting over with a next-generation firewall with the following requirements will both solve the problem outlined above, and simplify network security. Next-generation firewalls must:

•    Identify applications regardless of port, protocol, evasive tactic or SSL

•    Identify users regardless of IP address

•    Protect in real-time against threats embedded across applications

•    Provide fine-grained visibility and policy control over application access / functionality

•    Support multi-gigabit, in-line deployment with no performance degradation

Which sectors do you believe face the highest risk from this changing IT environment and where are their key vulnerabilities?

From what we’ve seen in customers, financial services, government, and healthcare organisations are most sensitised to these risks, because of their greater dependence on information technology, and because of the relatively higher value of the information within their systems (e.g., for a bank, bits and bytes equal money – which has an immediate and direct value, as opposed to in a manufacturer, where the information travelling on the network may be important, but have no direct and immediate value to an attacker).

What strategies do you recommend to Asia Pacific enterprises to combat the new era of IT attacks, viruses, malware and the likes?

To ensure Asia Pacific enterprises can benefit from Enterprise 2.0/Web 2.0 applications and social technologies, and yet mitigate the significant risks associated with them, network security teams should follow Gartner’s advice.  In Gartner’s research note, ‘Defining the Next-Generation Firewall (NGFW),’ Gartner recommends:

•    If you have not yet deployed network intrusion prevention, require NGFW capabilities of all vendors at your next firewall refresh point.

•    If you have deployed both network firewalls and network intrusion prevention, synchronise the refresh cycle for both technologies and migrate to NGFW capabilities.

•    If you use managed perimeter security services, look to move up to managed NGFW services at the next contract renewal.  

Is there anything else you'd like to add which you believe should be considered in our discussion?

I think these are good questions – very top-of-mind for many organisations. So much so, we see lots of legacy security vendors using next-generation firewalls in their marketing for traditional security products. For us, it is a nice validation – but marketing traditional products as ‘next-generation’ doesn’t make it so...
