Blind Mice and the Swiss Cheese Security Model


For years now we have poured millions of dollars into making our network perimeters secure. The end result has been a massive sprawl of security appliances that are expensive to maintain and difficult to manage.

At the same time, we have poked innumerable holes in those perimeter investments in the name of providing access to any number of Web applications. The result is wave after wave of Web application traffic that is largely invisible to our security appliances, because it travels through ports the firewall must leave open. We know that a large share of that traffic probably carries attacks or malware, but most IT organizations have neither the skills nor the budget to implement an application security strategy.

But what if we were not spending all our security money on maintaining those appliances? What if responsibility for securing the network were put back into the hands of the people who manage the network? Would that not free up large amounts of money and skilled staff to focus on application security?

Peel back the marketing statements about integrated firewalls and security technologies embedded in routers and switches, and the real value proposition is the ability to spend far more time and energy on application security. In their most candid moments, many security professionals will concede that they have been reduced to blind mice watching traffic stream through security devices that Web applications have turned into Swiss cheese.

Today companies such as 3Com are rolling out integrated firewalls and security-enabled routers and switches as part of new unified threat management initiatives. Whether you choose an integrated firewall or embed security in the network itself to reduce network security costs depends on your performance requirements. What really matters is what you do with the savings. For many organizations that may mean reassigning security staff to the applications, while network managers take over the lower-level network security work.

The question is whether your organization has the strategic will to make the necessary personnel changes, or whether the security department has simply become too big and bureaucratic to get out of its own way.