IT security teams are finding it difficult to keep up with the dynamic businesses they are tasked with enabling and keeping secure. These teams typically serve every line of business, and are expected to not only maintain robust security, but also to keep day-to-day business operations running smoothly. They have to maintain the network’s security posture whenever a new application is added, a hardware upgrade takes place or users change – but they cannot allow these security measures to impact the business adversely.
In reality, however, these changes create business bottlenecks, which means that the organization cannot operate as nimbly, or adapt to changes as quickly, as it wants and needs to.
So rather than viewing security from the traditional posture of infrastructure and firewall rules, security needs to be assessed from an application-centric perspective – specifically, that of the business applications that actually generate revenue. With this approach, businesses identify and map their critical applications and their respective traffic flows in order to understand how both firewall rules and vulnerabilities affect them. In turn, this enables IT teams to implement security policies and operational risk management that are entirely focused on serving the needs of the business. Furthermore, it ensures that each essential application is secure, connected and operating as it should!
Such an approach should be driven by questions such as ‘What does this application do?’, ‘Who needs access to this application?’, ‘How critical is the application for generating business revenue?’ and ‘How does this application interact with others?’ This provides a conduit between the application team and the IT security team, allowing the application delivery team to clearly communicate their needs, and the security team to clearly evaluate the risk of each requested change with greater context and visibility – so they can address those needs quickly and securely.
However, when talking to customers I hear three main misconceptions around the process of adopting an application-centric approach to security policy management – and they are holding organizations back. In this three-part series I’m going to take a look at each of these myths, explain why they are incorrect and how to overcome them. In this first post I’m going to look at reservations around business maturity.
Are we mature enough?
IT teams often believe that they are simply not mature enough, in terms of both technology and visibility, to adopt an application-centric approach for managing network security policies. In many cases, there is some truth in this perception – but the necessary maturity can be easier to reach than you might think.
Take a look at our security policy management maturity model, which will give you a realistic picture of where you are now – and what you need to do to move further up it. ‘Immature’ businesses use entirely or almost entirely manual security policy change processes, have very little in the way of network visibility and have no application visibility. The most ‘mature’ businesses, by contrast, incorporate an application-driven lifecycle approach to security policy management that includes application connectivity mapping, highly automated change processes, and live network and application visibility across on-premise, SDN and cloud environments.
At this point it’s important to stress that it doesn’t matter if some of your environments have already moved in an application-centric direction while others haven’t – in fact, cloud or SDN environments, which are inherently application-centric, are fantastic drivers for bringing the rest of IT on board. This is because they provide a benchmark: business owners can compare how well the approach is being applied to on-premise security against those parts of the network where the approach has been built in since day one.
To adopt an application-centric approach, organizations need to move further up this maturity model. This does not need to be complicated or difficult, and can be taken one step at a time. Our model breaks down the different elements that constitute security policy management maturity, enabling businesses to clearly see the individual steps they need to take.
Clearing the maturity hurdle
Regardless of their current position on the maturity scale, most businesses have far more information at their fingertips to help them implement an application-centric approach than they may initially think – it just isn’t formally logged. For instance, the majority of organizations are regularly making firewall changes, and someone is more than likely capturing the commonality and similarity between those changes, drawing parallels between them. The IT team may not realise it, but by doing this they are already starting to build an application-centric level of visibility. Recording firewall changes and requests for access, analyzing the connectivity, and linking it all back to a specific user or application are essential building blocks for implementing an application-centric approach.
Furthermore, a lot of organizations build inventory lists and databases for a range of different reasons, and this is exactly the type of data that can help when planning a move to an application-centric approach. But because it is strewn across their environment, they often don’t realize that it’s available. By properly collating this data and correctly analyzing it, organizations will find they already have the tools and data to begin the application-centric maturity journey.
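As an added illustration (not part of the original post, and not AlgoSec code), the sketch below collates the two data sources described above: a list of firewall change tickets and an inventory list mapping subnets to applications. All subnets, application names and ticket IDs are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed inventory rows (e.g. exported from a CMDB or asset spreadsheet).
INVENTORY = [
    ("10.10.1.0/24", "web-store"),
    ("10.10.2.0/24", "payments"),
    ("10.10.2.40/32", "payments-db"),
    ("10.20.0.0/16", "hr-portal"),
]

# Constructed firewall change tickets: (ticket, source, destination, service).
CHANGES = [
    ("CHG-101", "10.10.1.15", "10.10.2.20", "tcp/8443"),
    ("CHG-102", "10.10.1.16", "10.10.2.21", "tcp/8443"),
    ("CHG-103", "10.10.2.20", "10.10.2.40", "tcp/5432"),
    ("CHG-104", "192.168.7.9", "10.20.3.3", "tcp/443"),
]

UNMAPPED = "UNMAPPED"

def owner_of(ip, inventory=INVENTORY):
    """Return the application owning ip, using the most specific matching subnet."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, app in inventory:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, app)
    return best[1] if best else UNMAPPED

def application_flows(changes=CHANGES, inventory=INVENTORY):
    """Collapse per-IP change tickets into application-to-application flows."""
    flows = defaultdict(list)
    for ticket, src, dst, service in changes:
        key = (owner_of(src, inventory), owner_of(dst, inventory), service)
        flows[key].append(ticket)
    return dict(flows)

def visibility_gaps(flows):
    """Tickets whose source or destination is not in any inventory list."""
    return sorted(t for (s, d, _), tickets in flows.items()
                  if UNMAPPED in (s, d) for t in tickets)

if __name__ == "__main__":
    flows = application_flows()
    for (src, dst, service), tickets in sorted(flows.items()):
        print(f"{src} -> {dst} {service}: {', '.join(tickets)}")
    print("needs owner:", visibility_gaps(flows))
```

Tickets that collapse onto the same flow show the "commonality" between changes, while tickets that land in the unmapped bucket show where the inventory still lacks an application owner.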
Of course, it is worth pointing out that products such as AlgoSec’s, which automatically map application connectivity and security requirements, can quickly propel companies to a more mature model.
In my next post I’ll take a look at the myths around the amount of resources required when trying to adopt an application-centric approach to security management.