What does next generation mean? It implies we have something new and beyond what came before it.
It's certainly the implication in security, with firewalls. As networks have evolved over the past decade from relatively simple to far more complex topologies, so too have firewalls.
The move to Web 2.0 and mobile computing, not to mention virtualisation and cloud deployments, have forced businesses to handle more network events and a greater variety of traffic. Thus firewalls have moved from simple monitoring of certain ports, IP addresses or packet activity to scrutinising specific user and application activity.
However, even with this evolution, it's worth noting that firewalls have been able to identify which applications are being used for the past 17 years. When firewall vendors say ‘next generation', they are actually referring to a basic feature in most firewalls today. Of course, there are far more applications in use in most companies now than ever before, but the principle of application identification in itself is nothing new.
What is new is the complex way that networks are being used and the way that users are accessing data. Networks have been traditionally defined by the addresses they use; provided users don't move around too often or change IP address, tracking them is relatively simple.
This used to mean that applying security was relatively simple too, with security policy management defining access based on the internet protocol (IP) addresses of the devices in use.
Unfortunately, policy management is now outdated in most organisations because the control they exert over the devices that connect to their networks has lessened.
Growing demand for smartphones and tablet PCs has equated to people having multiple devices and, therefore, many IP addresses. The rise in mobile computing, together with new online applications, makes it difficult for businesses to keep up with policy-change requests.
If the requests keep coming in based on users and their devices and organisations are still compiling policies based on static IP addresses, the business is already exposed to risks that it can't even see.
Even more worrisome is the fact that many of these devices are being brought in from users' homes without being validated, secured or even looked at by the IT department. Users are bleeding their personal devices such as tablets, smartphones and personal laptops all over networks, taking work home and bringing home to work.
As organisations adopt more agile computing solutions, they are finding that security policies cannot keep pace with the changes, creating all sorts of headaches. So how should they approach the development of security policies that reflect the way networks are being used today? How do they ensure those policies are enforced?
What's needed to help companies manage risk, protect data, audit network activity and give better control over what users are doing isn't a ‘next generation' product or feature: it's next generation policy management.
User ID checks
Knowing who your users are is critical to managing policy; knowing what IP addresses they are using, less so. As such, defining policy based on user access and type of device is the only logical choice, as it gives a smarter means for managing access from fast-growing consumerised estates, where the device may not always be known.
Understanding what devices employees are using for network access will also help organisations make informed decisions about their security policies. This allows them to track what devices have accessed which data, so if they need to determine where data may have been breached from, there is already a defined limit on the number of people and devices with access. Consider just how more effective security policy could be with the addition of this parameter.
The ability to identify application activity on a firewall or gateway is nothing new. However, the ability to identify applications that are not defined by standards – such as web applications, social media portals and more – is a powerful addition to creating a next-generation policy.
If you add the ability to detect and manage user access to those applications, businesses can further strengthen application control. By allowing users to interact with the security system, both to remind them of corporate policy on acceptable use of applications and to take feedback in real time on why the user needs access and the intended purpose of their usage, organisations can add a further layer of security reinforcement and protection.
Data is the key
These three points can help organisations to identify which users are accessing the network, from which device or application. However, the core element of security policy is the ability to analyse the data that is being accessed, sent and manipulated to ensure users are not sharing or leaking sensitive information.
This requires assessing not only what applications employees can use, but what data these applications are allowed to use, and, in turn, taking steps to protect sensitive data from inappropriate or non-compliant usage.
In conclusion, the increasing adoption of consumerisation, virtualisation and cloud computing means that network infrastructure is no longer static: it's agile, dynamic and fragmented, with data flowing in unexpected and unpredictable ways.
Next-generation security has to include the ‘human factor': the people using networks, the devices they use, the applications they are allowed to run and the data those applications can access and modify to reflect this dynamic network usage. Only then can you create cohesive, next-generation security policies that truly protect what matters to your business.
Terry Greer-King is UK managing director at Check Point