
Security rundown for week ending Aug. 19

Aug 19, 2011 02:40 pm | Network World
by Ellen Messmer

Some older assumptions about security -- such as that firewalls are needed for perimeter defense, that we'll all make do with reusable passwords, and that browser-based SSL connections provide great security -- were once again ripped apart this week as we heard from several individuals who say they simply don't agree.

"I don't think firewalls are necessary. They prohibit work from being accomplished," was one remark from Nathan McBride, executive director of IT at Amag Pharmaceuticals, in describing how the company has migrated off an older Microsoft-based network to one based on both application cloud services and cloud-based single-sign-on for about 240 employees. His story provoked some blistering comments online from Network World readers. Here's a selection from a few:

"Firewalls. This comment can only come from an IT manager. Really? Do you know what a firewall does? ..."

"I almost LOLd! Wow. I'd like to see them pass a PCI scan with no firewalls. Cloud service providers use firewalls, too."

"How dumb does it get? ... let's hire some clueless jerk to make it someone else's responsibility ..."

"Say What? ... And what company doesn't put a firewall between the Internet and their computers, whether PCs or servers? I'm not impressed."


All of this just shows that the debate over whether perimeter firewalls are worth it anymore is still fierce (and yes, the PCI standard for payment cards calls for a lot of firewalls). You may recall that it was the Jericho Forum, with its group of IT professionals, that began pounding the drum on the firewall topic about five years ago, saying that for perimeter defense a firewall is largely an outmoded idea and can impede e-commerce. The debate about it is still intense.

The Jericho Forum has now taken up the topic of identity management, saying continuing reliance on reusable passwords in this era of cloud computing is totally misguided, and a stronger trust framework needs to unfold for large-scale Internet use.

That's what the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative from the Obama administration is trying to coordinate, with the high-tech industry taking the lead. We caught up this week with NSTIC Director Jeremy Grant, who explained what the federal government has in mind so far to foster more secure alternatives to passwords in a new "identity ecosystem." Don Thibeau, chairman of the Open Identity Exchange (OIX) -- the members of which, including Google, want to participate in the NSTIC process -- also told us to watch for some innovative pilot projects for secure email, coordinated among Google, Microsoft and AOL, later this fall.
