Outside in and inside out
The original idea of a firewall – a physical barrier that prevents fire from spreading – emphasised its protective function. That concept, now more usually used in a computing context to describe a system protecting a network, still retains the notion of protecting users and information from outside attacks.
However, from the outset, firewalls also had another purpose, says Arthur Goldstuck, founder of World Wide Worx. “They hark back to the early years of the internet when bandwidth was scarce. Companies used firewalls to closely guard their connections in order to preserve their bandwidth resources.”
Now, though, technology is very different, and bandwidth scarcity has ceased to be an issue. Such an approach today is just archaic, argues Goldstuck, and the real purpose of firewalls has become more obvious: “To control what people do at work.”
Of course, some degree of control is necessary. Nathan Williams, the chief operations and technology officer of the Mineworkers’ Provident Fund, points out that the R30 billion fund is subject to a veritable catalogue of legislation that regulates pensions, information privacy, financial transactions, and tax.
Williams describes a range of protective measures that the fund has in place. There’s not just one firewall, but six. Every time an employee logs on, they receive a one-time pin before they can complete the process. And passwords are about to be scrapped in favour of a biometric system using fingerprints and facial recognition. Access to the internet and the use of emails is also strictly scrutinised.
It’s about people
Yet Williams and Lungelo Solombela, the fund’s human resources executive, are both acutely aware that technology cannot be separated from the people who use it. “What we do in IT is done from an HR perspective,” says Williams. “Since we needed to embed the human aspect into our IT practice, we drafted the policies for both areas concurrently.”
Solombela explains that there’s a constant process of communication with employees. When they join the organisation, they must sign a code of conduct and familiarise themselves with its IT policies as well as the key performance indicators they will be expected to measure up to. But it doesn’t stop there.
“I have to make sure that the content of these documents is easily understandable, and that each employee is properly informed about what is expected of them,” he says. Since the information is constantly changing, and the statutory compliance requirements for the fund are so onerous, managers meet with employees once a month. Furthermore, performance appraisals are carried out quarterly, where vulnerabilities and data integrity issues are addressed. In addition, each employee must sign a new performance-related contract every 12 months.
Echoing this emphasis on getting buy-in from employees, Juan Joubert, cyber security practice lead at Trend Micro, insists that the cooperation of staff is essential. “If they make a mistake and there’s been a security breach, don’t lose your temper with them. At least they reported the matter,” he says. “People in IT sometimes get frustrated and even a little aggressive with users, but then they risk those people being hesitant to report problems to them.”
A holistic approach
On a technical level, says Joubert, security needs to be applied on multiple levels. He mentions, among other things, network and cloud protection, as well as the protection of end-point and mobile devices. He advocates the virtualisation of security, where there is a move from physical to virtual servers.
Gareth James, a network and security sales specialist for Sub-Saharan Africa at VMware, emphasises the benefits of virtualising a company’s entire computing system. Doing this means that instead of a single firewall protecting the entire network, each virtual machine in the company gets its own firewall. This is a recent development, and far less porous than the original type of firewall. It also means that protection can be provided on multiple layers of the network, and unauthorised internal lateral connections between computers – between, say, finance and human resources – can be prevented. “This dramatically reduces exposure to security breaches,” says James. “If an entire system has been virtualised – the computer, storage, and the network – there’s much greater control.”
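To make the difference James describes concrete, here is an added example (not code from the article or from VMware) that models the two designs as small policy engines: a single perimeter firewall that only ever sees traffic entering from outside, and a distributed firewall where each workload zone carries its own first-match rule set with a default deny. The zones, ports, rules and flows are all constructed for the illustration; the point is that the finance-to-HR connection passes the perimeter untouched but is refused by the per-workload policy.

```python
"""Toy comparison of a perimeter-only firewall with per-workload (micro-segmented)
firewall policy. All zones, rules and flows below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str   # where the connection originates: "internet", "web", "finance", "hr"
    dst_zone: str   # zone of the workload being contacted
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str   # "*" matches any source zone
    dst_zone: str   # "*" matches any destination zone
    dst_port: int   # 0 matches any port
    action: str     # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in ("*", flow.src_zone)
                and self.dst_zone in ("*", flow.dst_zone)
                and self.dst_port in (0, flow.dst_port))


def first_match(rules: Iterable[Rule], flow: Flow, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls through to default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


class PerimeterFirewall:
    """One firewall at the network edge. Internal (east-west) traffic never
    traverses it, so such flows are implicitly allowed whatever the rules say."""

    def __init__(self, rules: Iterable[Rule]):
        self.rules = list(rules)

    def decide(self, flow: Flow) -> str:
        if flow.src_zone != "internet":
            return "allow"          # the edge device simply does not see this flow
        return first_match(self.rules, flow)


class DistributedFirewall:
    """A rule set attached to each workload zone and evaluated for every flow,
    internal ones included. No policy for a zone means nothing reaches it."""

    def __init__(self):
        self.policies: Dict[str, List[Rule]] = {}

    def attach(self, zone: str, rules: Iterable[Rule]) -> None:
        self.policies[zone] = list(rules)

    def decide(self, flow: Flow) -> str:
        return first_match(self.policies.get(flow.dst_zone, []), flow)


def build_example() -> Tuple[PerimeterFirewall, DistributedFirewall]:
    """Constructed policies: the perimeter admits HTTPS to the web tier only;
    each internal zone's own policy allows just the flows its workloads need."""
    perimeter = PerimeterFirewall([Rule("internet", "web", 443, "allow")])
    dfw = DistributedFirewall()
    dfw.attach("web", [Rule("internet", "web", 443, "allow")])
    dfw.attach("finance", [Rule("web", "finance", 8443, "allow"),
                           Rule("finance", "finance", 0, "allow")])
    dfw.attach("hr", [Rule("hr", "hr", 0, "allow")])
    return perimeter, dfw


# Constructed sample traffic, including the lateral finance -> HR connection.
SAMPLE_FLOWS = [
    Flow("internet", "web", 443),      # legitimate inbound web traffic
    Flow("internet", "hr", 445),       # inbound attempt straight at HR file shares
    Flow("web", "finance", 8443),      # app tier talking to finance service
    Flow("finance", "hr", 445),        # lateral movement between departments
    Flow("hr", "hr", 445),             # traffic within the HR zone
]


def compare(perimeter: PerimeterFirewall, dfw: DistributedFirewall,
            flows: Iterable[Flow]) -> Dict[Flow, Tuple[str, str]]:
    """Decision of each design for each flow: (perimeter, distributed)."""
    return {f: (perimeter.decide(f), dfw.decide(f)) for f in flows}


def allowed_lateral(decide, flows: Iterable[Flow]) -> int:
    """How many internal (non-internet) flows a design lets through."""
    return sum(1 for f in flows if f.src_zone != "internet" and decide(f) == "allow")


if __name__ == "__main__":
    perim, dfw = build_example()
    for flow, (p, d) in compare(perim, dfw, SAMPLE_FLOWS).items():
        print(f"{flow.src_zone:>8} -> {flow.dst_zone:<8}:{flow.dst_port:<5} "
              f"perimeter={p:<5} distributed={d}")
    print("lateral flows allowed: perimeter =", allowed_lateral(perim.decide, SAMPLE_FLOWS),
          "distributed =", allowed_lateral(dfw.decide, SAMPLE_FLOWS))
```

Both designs refuse the inbound attempt at HR and admit the web traffic, so the perimeter looks adequate until an internal flow is considered: the perimeter allows every one of the three internal flows because it never inspects them, while the distributed policy permits only the two that a workload explicitly needs and denies the finance-to-HR connection by default.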
Focus on performance
There are other advances in firewall technology that extend the protection they afford. Emmanuel Tzingakis, a technical leader for Sub-Saharan Africa at Trend Micro, mentions that the company provides a filtering service that monitors internet traffic to its clients and can immediately detect the launch of an attack on that system. An instruction to block the attack is then sent to the firewall.
While talking to these security experts, the possibility of people in a company being the source of vulnerabilities keeps cropping up. Processing technology is relatively easy, says VMware’s James. “Dealing with people can be much trickier.”
While he advocates a security policy of trusting no one, he doesn’t believe in simply blocking all internet access. Since it’s impossible to monitor so much traffic closely, he argues that it’s essential to train people so they understand how their behaviour can create vulnerabilities. And instead of breathing down employees’ necks in a spirit of distrust to try to make them productive, he says jobs should be output-based. “In this way, you create a happy workforce, and a happy workforce is a productive workforce.”
Goldstuck agrees. It comes down to human relations, he says. “People cannot divorce their work lives from their personal lives, and if you closely control their time at work, you’ll have a human relations disaster – people will hate working for you.”
Goldstuck has strong words for those managers who apply blind rules banning all personal internet access: “It’s not just short-sighted; it’s corporate stupidity.” People need access to a wide range of websites to do their work, and even the border between information and entertainment is blurring since YouTube and social media sites have now become places where important business activities take place.
The emphasis, then, ought to be on reasonableness and on employee performance, says Goldstuck. If an employee’s work falls short of the agreed performance indicators, and excessive time spent browsing online is the cause, that will be easy to correlate.
“Enforce policy, and measure performance, through a triangulation consisting of an acceptable use policy that emphasises reasonable use, the application of predetermined key performance indicators, and employee reviews that measure performance against those indicators.”
Then, if a person’s performance is good, there will be no need to restrict or penalise them. This is the future, and the sooner managers understand this, the better for everyone.
This article was originally published in the March 2020 issue of ITWeb Brainstorm magazine.