The End of the DMZ? Or Just Changing?

Posted by Sabrina Sturm Tue, 02 Oct 2012 08:11:00 GMT

Often, the DMZ (demilitarized zone) is considered the centerpiece of a company's IT infrastructure. Among other things, it plays a major part in protecting sensitive company data against external attacks. However, it is not a magic bullet and never has been. Today in particular, considering the tremendous number of innovations and new risks within IT, one has to ask how up-to-date the DMZ still is.

What Is a DMZ?

The DMZ is a separate subnet; it divides the local company network (LAN) from the Internet. Firewall routers are used for this purpose. The German BSI [Federal Office for Information Security] recommends using two of these firewalls: one isolates the Internet from the DMZ, the other isolates the DMZ from the internal network (LAN). Even if an attacker is able to overcome firewall A, firewall B still prevents access to sensitive information in the LAN. At the same time, resources that need to be publicly accessible (e-mail, web servers, etc.) are reachable from the outside and still protected.


The Principle of a DMZ

The Mega Hype: “Bring Your Own Device”

Terms like "Bring Your Own Device", "IT Consumerization" and "Mobile Workplaces" can be found at every turn. If one believes analysts and researchers, no company can ignore these trends (really none!). Employees want to access central company data anywhere and anytime, preferably with their private device.

But reality proves this trend as well. Have you noticed how many people type hectically on their iPhone or iPad at the airport, at the train station or in a café? And one has to admit: although these activities may drive IT administrators crazy, it is nice to work independent of time and place.

The DMZ with Regard to BYOD

If employees can access sensitive company data 24/7, from any place and with any device, this may have tremendous effects on a company's data security. On the one hand, the IT administrator needs to prevent unauthorized outflow of data by employees, since they might have stored data on their private device and are now walking around with it (throwing the doors wide open for misuse). On the other hand, the IT administrator needs to prevent attacks by external parties (hackers, malware developers, etc.). On top of all this, perfect usability is a must.

Regarding security, the DMZ and BYOD do not fit together particularly well. The previous assumption that devices within the LAN are "secure" is no longer valid: employees may access central company resources with private devices from within the LAN, too. This raises the question of whether it would not be better to enforce the general principle "who may access which data" within the DMZ itself, instead of using the source network (LAN/Internet) as the basis for the decision. Lori MacVittie discusses this question in her article "BYOD and the Death of the DMZ" as well.


Private devices can be used inside and outside a LAN

If one transforms the DMZ and considers every device as potentially risky (whether inside the LAN or not), there is a great advantage: security policies can be rolled out uniformly on all devices. It is determined individually for each employee which resources they are allowed to access, independent of location or device. Modern IT products target exactly these aspects and offer reliable protection when such a concept is applied. HOB products, for example, never store data on an end device, encrypt all communication and allow for the reliable authentication of each user.
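To make the difference between the two models concrete, here is a small added example (not code from the original post or from HOB): a zone-based access decision of the classic DMZ design next to an identity-based decision that treats every device as potentially risky. The user names, resources and entitlements are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample entitlements: which resources each employee may use.
ENTITLEMENTS = {
    "alice": {"webmail", "crm"},
    "bob": {"webmail"},
}
# Services intentionally exposed through the DMZ to the Internet.
PUBLIC_SERVICES = {"webmail"}


@dataclass(frozen=True)
class Request:
    user: Optional[str]   # authenticated identity, None if not authenticated
    source_zone: str      # "lan", "dmz" or "internet"
    resource: str         # e.g. "crm"


def zone_based_decision(req: Request) -> bool:
    """Classic DMZ model: trust is derived from where the traffic comes from.
    Everything originating inside the LAN is assumed to be a managed device."""
    if req.source_zone == "lan":
        return True
    # From the Internet only the public services in the DMZ are reachable.
    return req.resource in PUBLIC_SERVICES


def identity_based_decision(req: Request) -> bool:
    """Transformed model: the source network carries no trust at all; the
    decision depends only on who the user is and what they are entitled to."""
    if req.user is None:
        return False
    return req.resource in ENTITLEMENTS.get(req.user, set())


def compare(req: Request) -> tuple:
    """Return (zone-based verdict, identity-based verdict) for one request."""
    return zone_based_decision(req), identity_based_decision(req)


# Constructed scenarios from the post: a private device plugged into the LAN,
# an employee working from an airport, and an unauthenticated outsider.
SCENARIOS = {
    "bob_private_device_in_lan": Request("bob", "lan", "crm"),
    "alice_at_airport": Request("alice", "internet", "crm"),
    "outsider_from_internet": Request(None, "internet", "crm"),
}
```

In the first scenario the zone-based model grants Bob access to the CRM only because his private device sits in the LAN, while the identity-based model denies it; in the second it is the identity-based model that lets Alice work from the airport.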
