Many years ago, computers were disconnected. Then they started to become networked, but with a few notable exceptions in academia and the defence world, the networks themselves were disconnected. That was just about the situation in the early 1990s when I started working. I needed extra special permission to be able to have an email account that was allowed to send messages outside of my employer, but that didn’t matter a whole load because nobody I knew outside of the organisation had an email address to post to anyway. Days of inbox innocence…
Then, first with email and then with the World Wide Web, connections to the outside world emerged. At this time information security models were based on a similar principle to the construction of a medieval castle: very strong walls, limited numbers of controlled entrances, and an assumption that anything outside was probably out to get you.
These security models were always a bit suspect, but they held reasonably true for as long as every point along the way within the walls (or “firewalls” as we came to know them for reasons of metaphorical etymology that I can’t quite understand) was controlled.
Then along came personal computing that was completely portable, and home broadband that made complex yet easy-to-use services (Web 2.0 and all that) accessible to anyone who wanted them, and as a result the models of security based on medieval military architecture fell apart. Very few organisations have enough power and influence over their employees to make them check in all smart personal devices at the reception desk, and for as long as I can take a photo of a screen, even if the contents of that screen have been completely “digital rights managed”, I can almost instantaneously broadcast that information to the entire planet.
And yet today I still hear talk about “behind the firewall”. It strikes me that this is increasingly an unhelpful state of mind, rather than anything of great technical meaning.
First of all, let’s get it straight. Databases containing sensitive information should be sitting behind layers of security, but heaven help you if it’s only a firewall that’s in place. Security in our internetworked world needs to be on the things you are protecting, not just at the walls to your virtual castle.
But the concept of barriers between organisations and the outside world as embodied in the concept of a firewall doesn’t seem to me to be a useful analogy when workgroups need people from many organisations to pull together – whether they be partners, suppliers, customers, consumers, “frenemies” or regulators. The default position these days should be boundary-less, because that’s not only the reality of the world – it’s also the reality of a stack of user-friendly services (SkyDrive, Dropbox, LinkedIn, and even good old-fashioned email) which will get used if enterprises don’t provide the tools necessary for these inter-organisational teams to work together.