Why There Are No More Internal Applications

Wednesday, December 15, 2010

Rafal Los

It's official.  There are no more internal applications.

Some of the hype and news around the recent leaks of extremely sensitive government information, and the [threatened] soon-to-be-released sensitive banking information, demonstrate that the label "internal only" doesn't really mean "no security needed".

That architects would score internal applications as low-risk automatically on the basis of being accessible only by people inside the corporate firewall (don't get me started on perimeters!) made real security purists cry.

But now there is a good chance these highly publicized developments may change hearts and minds. 

Well... maybe not - but at least these events may give security analysts the ammunition to have concrete discussions on why internal doesn't mean no risk.

So, will we wake up in a world where there is no more argument of "It's internal, so we don't need to secure it" tomorrow?  Unlikely.  So what does it all mean then?

What I think it means is that threat modeling should be flattened a little bit.  Work with me here.

Many threat model questionnaires I've worked with, or helped a customer develop, have the qualifier "internal vs. external" early on in the determination process. Call it what you may - I think that step should just be eliminated.

I think development organizations, security teams, or whoever is doing a risk assessment today put too much stake into whether the application is internal vs. external... my contention has been for a long time that it doesn't matter.

Now in light of recent events I think it matters even less to the point of mattering not at all.

Yes, there are more attackers on the broader public Internet but the attackers you have internally are better armed to exploit your applications - in my opinion this balances the scale in terms of which risk is bigger. 

So in the final analysis, it doesn't matter whether the application is internal vs external ... this piece of the risk profile in modern applications is irrelevant.
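To make the argument concrete, here is an added example (my own, not the author's questionnaire or any particular vendor's scoring model) of two ways to rate the same application: a "gated" model that asks "internal or external?" first and short-circuits internal applications to Low, and a "flattened" model that drops that question and scores only on data sensitivity, authentication strength, and how many accounts can reach the application. The weights, thresholds, and the two sample applications are all constructed for illustration.

```python
"""Two ways to rate the same application in a threat-model questionnaire.

Added example: the scoring weights, tier thresholds and sample applications
below are constructed for illustration and are not taken from any real
risk-assessment questionnaire.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppProfile:
    name: str
    internal_only: bool      # reachable only from inside the corporate network
    data_sensitivity: int    # 1 = public ... 5 = regulated / classified
    auth_strength: int       # 1 = shared or no credentials ... 5 = per-user MFA
    users_with_access: int   # accounts that can reach the application at all


def _population_points(users: int) -> int:
    """More accounts that can reach the app means more potential attackers
    (constructed thresholds)."""
    if users < 50:
        return 1
    if users < 1000:
        return 2
    return 3


def _tier(points: int) -> str:
    """Map a point total (range 4..18 with the weights below) to a risk tier."""
    if points >= 14:
        return "High"
    if points >= 9:
        return "Medium"
    return "Low"


def flattened_score(app: AppProfile) -> str:
    """Rate the app without asking whether it is internal or external.

    Sensitivity is weighted double; weak authentication and a large
    reachable population each add points (constructed weights).
    """
    points = (
        app.data_sensitivity * 2
        + (6 - app.auth_strength)
        + _population_points(app.users_with_access)
    )
    return _tier(points)


def gated_score(app: AppProfile) -> str:
    """Rate the app with the 'internal vs. external' qualifier asked first.

    This mirrors the questionnaire pattern the post criticises: an internal
    application is rated Low before any other question is asked.
    """
    if app.internal_only:
        return "Low"
    return flattened_score(app)


def misrated(apps: list[AppProfile]) -> list[str]:
    """Names of applications whose gated tier differs from the flattened tier."""
    return [a.name for a in apps if gated_score(a) != flattened_score(a)]


# Constructed sample applications.
PAYROLL = AppProfile("payroll-portal", internal_only=True,
                     data_sensitivity=5, auth_strength=2, users_with_access=20_000)
BROCHURE = AppProfile("public-brochure-site", internal_only=False,
                      data_sensitivity=1, auth_strength=5, users_with_access=1_000_000)
SAMPLE_APPS = [PAYROLL, BROCHURE]


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(f"{app.name:22} gated={gated_score(app):6} flattened={flattened_score(app)}")
    print("misrated by the internal/external gate:", misrated(SAMPLE_APPS))
```

The payroll portal holds the most sensitive data, is protected by passwords alone, and is reachable by every employee account, yet the gated questionnaire rates it Low purely because it sits behind the firewall; the flattened model rates it High. The public brochure site is rated Low either way, which is the point: removing the internal/external question changes nothing for applications that were already scored on their real risk factors, and only corrects the ones the gate was hiding.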

I'd love to hear your thoughts on this.  I suspect you'll have at least an opinion.

Cross-posted from Follow the White Rabbit

Fred Williams: Amen, we don't have a single security control on our Intranet apps. Heck, the Windows servers hosting the apps can be reached using C$. Mgmt seems to think that since you have to have valid network ID credentials that whatever you do is recorded. They don't understand and therefore don't care.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.