Google announced that it is moving away from firewalls and virtual private networks that protect a network, and toward a data-centric enterprise security architecture that protects information inside a network and permits access to particular information based on device and personal credentials. According to Google's press release, "With this approach, trust is moved from the network level to the device level."

The term "firewall" was originally very descriptive of its purpose: a fireproof barrier in a building or a vehicle that prevented the spread of fire. In the 1980s, the term was adapted to a philosophy of computer network security that built a virtual wall around a group of computers to separate everything on the inside (where there are theoretically no threats) from everything on the outside (where theoretically everything could be a threat). The firewall was considered an efficient and effective way to limit access to sensitive data.

I think the old architecture was based on three premises, which have now changed.

First, most employees traditionally accessed the network from their employer's physical location, which could be protected by a firewall. The current mobile workforce requires multiple passageways and holes through the firewall so that regular users can reach the network. Gone are the days when employees could be prevented from accessing a network except from a corporate office inside the firewall. To follow the analogy, drilling a bunch of holes through a physical firewall undermines the wall's ability to stop a fire from spreading through it.

Second, the era of firewalls was focused on efforts to prevent data breaches rather than on limiting access to data during a breach. With the advent of data breach statutes in nearly every state, attention after a data breach now falls almost entirely on the data that was compromised and completely disregards any efforts taken to protect the data. For example, in Tennessee, a data breach means "unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder." TCA § 47-18-2107. The amount of reporting required is determined by the number of affected people. In Tennessee, if a breach involves the personal information of more than 1000 people, enhanced reporting requirements apply.

Third, firewalls were created in a time when data breaches were fairly preventable, but we have now entered an era when data breaches are inevitable.

The impracticality of traditional firewall architectures is illustrated nicely in this short video:

I was very excited to see Google push forward with its new security model. It will – hopefully – legitimize alternative data security systems that are constructed to prevent large data breaches by compartmentalizing data rather than focusing on protecting access to networks that are otherwise unprotected. If, for example, data were compartmentalized in such a way that all data on a system were encrypted and any one user could not access more than a thousand personal records in a session, it would be much less likely that a company would be subject to the advanced reporting requirements as a result of a data breach or that a major data breach could occur in the first place. Additionally, requiring both a physical credential (a registered device) and a password credential to access a limited data set makes it even more difficult to compromise a system. Google published an interesting study about the benefits of its new security approach.
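The compartmentalization idea above, sketched as an added example (not code from Google or from this article's author): a gate that opens a session only when both a registered device and a password check out, then caps the distinct personal records that session can read at the article's figure of 1000. `RecordGate`, `build_demo_gate`, the user `alice` and the device `laptop-001` are hypothetical, the sample data is constructed, and encryption at rest is left out.

```python
import hashlib
import hmac
import secrets

SESSION_RECORD_CAP = 1000  # the article's example limit per session

class AccessDenied(Exception):
    """Raised when a credential check or the session cap blocks access."""

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class RecordGate:
    """Hypothetical gate: device + password open a session, reads are capped."""
    def __init__(self, users, records, cap=SESSION_RECORD_CAP):
        self.users = users      # user -> {"salt", "pw_hash", "devices"}
        self.records = records  # record_id -> personal record
        self.cap = cap
        self.sessions = {}      # token -> set of distinct record ids served

    def open_session(self, user, device_id, password):
        entry = self.users.get(user)
        pw_ok = entry is not None and hmac.compare_digest(
            hash_password(password, entry["salt"]), entry["pw_hash"])
        # Both factors are required: a valid password from an
        # unregistered device is rejected, and vice versa.
        if not (pw_ok and device_id in entry["devices"]):
            raise AccessDenied("device and password must both be valid")
        token = secrets.token_hex(16)
        self.sessions[token] = set()
        return token

    def fetch(self, token, record_id):
        seen = self.sessions.get(token)
        if seen is None or record_id not in self.records:
            raise AccessDenied("unknown session or record")
        # Count distinct records, so re-reading one does not use up the budget.
        if record_id not in seen and len(seen) >= self.cap:
            raise AccessDenied("session record cap reached")
        seen.add(record_id)
        return self.records[record_id]

def build_demo_gate(cap=SESSION_RECORD_CAP):
    """Constructed sample data: one user, one registered device, cap + 5 records."""
    salt = b"constructed-salt"
    users = {"alice": {"salt": salt, "devices": {"laptop-001"},
                       "pw_hash": hash_password("correct horse", salt)}}
    records = {i: {"id": i, "name": f"person-{i}"} for i in range(cap + 5)}
    return RecordGate(users, records, cap)
```

A per-session cap bounds only what one session can return; the same credentials can open another session with a fresh budget, so a per-user or per-time-window limit is needed to bound total exposure.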

This certainly made me think about improvements that could be made to our security systems. When was the last time you looked at your security architecture? Does your firewall have too many holes in it?
