Internal Security Zones Are Critical To Information Security
- Written by: Dave Nelson
One of the common phrases used to describe an organization’s information security posture is the “hard crusty shell with a soft gooey center”. Does this describe your organization? If so, you need to rethink the idea of creating internal security zones. It’s a given that you’re going to have a lapse in information security. Someone is going to penetrate that hard candy coating and start nibbling on the succulent candy in the center of it all. The question is how you stop them once they are in.
Internal security zones are essential to every information security architecture discussion. Take multifunction devices (MFDs): little Linux servers with no anti-malware, lots of services, no access controls and lots of storage…little hacker hideouts. Why would you ever need an MFD to communicate with the vast majority of your servers, especially a database or ERP system? Maybe a file server or an email gateway, but not the entire server farm. Why should a customer service PC, which only uses the web front end to your CRM, ever need SQL access to your database cluster? Why would your VoIP or voicemail server need to communicate with your terminal servers?
The answer to these questions is most likely that they don’t. So why do we allow this to happen? If we know there are systems that don’t need to communicate with each other, develop internal security zones to keep them apart and protect information. By doing so you’ll be able to create choke points during a data breach and slow the attack. You’ll limit the spread of malware. You’ll break automated routines that could lead to a loss of data. Internal security zones are critical to information security. If you’re not using them, you’re leaving yourself very vulnerable.
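The zone model the post argues for, expressed as a default-deny allow list, is shown below as an added example (not from the original post). The host names, zone names and flow records are constructed, and the `nft_rules` output assumes an nftables table and chain exist with a named set per zone; it checks the MFD, customer-service PC and VoIP cases from the post and audits a sample flow log for what the zones would cut off.

```python
"""Default-deny internal security zones: policy check, flow audit and nftables rendering."""

# Constructed inventory (hypothetical host names): every host belongs to exactly one zone.
ZONES = {
    "mfd":        {"printer-01", "printer-02"},
    "filemail":   {"file-01", "smtp-gw-01"},
    "crm_web":    {"crm-web-01"},
    "callcenter": {"csr-pc-07"},
    "voip":       {"pbx-01", "voicemail-01"},
    "servers":    {"db-01", "erp-01", "term-01"},
}

# Explicit allow list: (source zone, destination zone, TCP port). Anything not listed is denied.
ALLOWED_FLOWS = {
    ("mfd", "filemail", 445),        # scan-to-share on the file server
    ("mfd", "filemail", 25),         # scan-to-email via the mail gateway
    ("callcenter", "crm_web", 443),  # CSR PCs only ever use the CRM web front end
    ("crm_web", "servers", 1433),    # only the CRM application tier may speak SQL to the database
}

HOST_ZONE = {host: zone for zone, hosts in ZONES.items() for host in hosts}

def is_allowed(src_host, dst_host, dst_port):
    """Default deny: unknown hosts and unlisted zone pairs are blocked; traffic inside one zone is permitted."""
    src, dst = HOST_ZONE.get(src_host), HOST_ZONE.get(dst_host)
    if src is None or dst is None:
        return False
    return src == dst or (src, dst, dst_port) in ALLOWED_FLOWS

def audit(flow_log):
    """Return the observed flows (lines of 'src_host dst_host dst_port') the zone policy would cut off."""
    blocked = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port)):
            blocked.append((src, dst, int(port)))
    return blocked

def nft_rules(table="inet filter", chain="forward"):
    """Render the allow list as nftables rules; assumes a named set (@zone) holds each zone's addresses."""
    rules = [f"nft add rule {table} {chain} ip saddr @{s} ip daddr @{d} tcp dport {p} accept"
             for s, d, p in sorted(ALLOWED_FLOWS)]
    rules.append(f"nft add rule {table} {chain} drop")  # everything not explicitly allowed is dropped
    return rules

# Constructed sample flow log mirroring the post's examples.
SAMPLE_FLOWS = """printer-01 file-01 445
printer-01 db-01 1433
csr-pc-07 crm-web-01 443
csr-pc-07 db-01 1433
pbx-01 term-01 3389
crm-web-01 db-01 1433"""
```

Running `audit(SAMPLE_FLOWS)` against real flow records before enforcing the zones shows both which lateral paths get cut off and which legitimate flows still need an allow-list entry.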