AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Business Driven Security Management: Putting Theory into Practice


Modern business is all about agility: organizations operating under competitive conditions must act and move fast to remain profitable. And that also applies to the applications that drive the business. As with the business itself, the application deployment and update process must be both agile and robust.

However, while fast, agile application deployment is key, it cannot come at the expense of reliability or security. Or, looking at the issue from the other side, IT teams must ensure they are delivering business-driven security, ensuring that critical applications are reliable and secure, to support the needs of the business.

So how should this work in practice? IT must ensure that applications are always on, and that any outages are kept to a minimum, since downtime can lead to significant financial and reputational risks. Therefore, to ensure the reliability of critical business services, IT teams must be able to assess, in advance, the impact of any downtime due to planned changes. For example, they need to know which applications would be impacted if firewall A is rebooted, or if access to server B is temporarily blocked. This requires the IT team to have both a clear picture of application connectivity requirements and an understanding of which applications are critical to business operations.

This can only be achieved when the business applications and their connectivity and network infrastructure are fully mapped and documented. IT will then have the holistic visibility required to allow only the network connectivity actually needed for the applications that support business operations, and insight into where redundant traffic, which could be used as a potential backdoor for cyber-criminals, can be blocked.

Putting the theory into practice

That’s the theory: but how can it be put into practice? One of our customers is a major healthcare organization manufacturer. Operating in a highly regulated environment, the company must comply with strict standards, enforced by different regulatory bodies such as the U.S. Food & Drug Administration.

In order to meet its compliance requirements, each change in the network infrastructure must be well documented and approved. Previously, network changes were implemented and documented manually, which caused delays in rolling out application updates. Part of the reason was that the security team in charge of approving change requests had a hard time understanding the business need behind each change request, because there was no clear link between the required change processes and the business services they impacted.

To address these challenges the company deployed AlgoSec’s Security Management Solution. AlgoSec can automatically map the connectivity requirements of all business applications, and associate them with the relevant firewalls and security devices. This means that the IT team can link security to business processes, and then prioritize remediation of any issues according to the needs of the business.

To ensure that the deployment addressed the healthcare company’s challenges, the AlgoSec solution was deployed in two phases.

In the first phase the IT team used the AlgoSec solution to map all network equipment, firewalls, routers, etc., and to automatically identify the network devices relevant for each security policy change request. At the end of the mapping process it was clear which security openings were associated with which business process, enabling the IT team to see those rules that were actually needed by the business, and remove those that weren’t.

Additionally, as AlgoSec can automatically detect change requests that are redundant due to traffic already being allowed, the AlgoSec solution immediately resolved any duplicate and unnecessary change requests, thereby saving considerable time. Furthermore, AlgoSec documented the entire process, including every action related to the change request (for example: why was rule #1 created, who asked for it, and who approved it), enabling the organization and its auditors to review and audit the change at a later date.

During the second phase, we initiated the application discovery process in order to build an up-to-date connectivity map for all of the core business applications. Since the discovery process is ongoing, it allows the organization to identify any changes in the connectivity requirements in real time, and updates the connectivity map accordingly.

Security that supports the needs of the business

With the AlgoSec solution fully deployed, the organization can now ensure that its security infrastructure supports the needs of the business.

Now, the IT team can clearly see which firewall rules are actually needed, and which ones can be removed. Additionally, when a maintenance task is being planned that requires server downtime, it’s now easy to understand the business impact of the planned maintenance. As such, applications that are business critical are both reliable and secure, enabling security to support the needs of the business – proving that business-driven security is an achievable goal, not just a theory.
