Business, IT and Security Together in Harmony to Avoid Misconfigurations – Part II

In last week’s blog, we looked at how misconfigured network devices can be a major threat to your organization. We explored how some of the risk of misconfiguration can be mitigated by building an automated change control process that provides visibility, thorough testing and tracking throughout the process.

But that isn’t the complete story.  To effectively mitigate against the risk of device misconfiguration – and all of the business disruption and vulnerability to malicious attackers this can cause – your organization needs to work on better aligning business needs with IT security necessities.

Business, IT and Security – the holy trinity

A simplistic summary of the relationship between a business and its IT and security functions will typically look something like this:

1. The business creates value for its customers and stores this data in databases. Users can access this data via applications.
2. The IT department maintains the infrastructure to support the data (databases) and applications.
3. The IT security division manages and maintains secure access to data and applications so that these assets don’t compromise the value of the business.

In a typical company, the connectivity requirements for business applications change all the time – employees come and go, new users are added, databases are moved and so on. In last week’s blog we looked at how the process for making these changes can be designed to be smooth and effective, and how automating that process from beginning to end is essential to avoid guesswork, human error, and to drive efficiencies.

Nevertheless, even with that clear, intelligent change control process in place, provisioning such change often takes far too long – which ultimately impacts business productivity.

One key problem is that IT security often speaks a different language to the application developers and administrators who request the connectivity changes.  ‘What ports and devices do you need open?’ is the kind of information IT security needs to know, but it doesn’t match the terminology used by the application owners who talk in terms of applications and users.

So, in order to bridge the communication gap everyone needs to get on the same page. It can be done, quite simply through visualization of application connectivity.

Creating such a diagram is easier than you might think. In fact it’s actually possible to automatically map and illustrate application connectivity requirements to the underlying business IT infrastructure. This enables all stakeholders to clearly visualize current – and future – connectivity in a fraction of the time it takes to manually map it, and it provides a single unified way of understanding the architecture of applications and how security policy rules operate for disparate IT divisions.

The advantages are:

• Business application developers can now easily visualize and understand network traffic flows for their applications.
• IT security clearly understands why particular change requests are made, and has a highly focused view of what connectivity is required, which is documented in the ‘ports and IP addresses’ networking language it understands.
• Business owners can identify how their applications are impacted by IT security, and vice versa. They can gain a greater understanding of the risk of particular applications.
• Both sides can drill down into the specifics of why a particular application isn’t working and the security team can make the changes where necessary to adapt to the specific security policy blocking an individual application.

With everyone on the same page, the change control process can happen with much greater speed, efficiency and accuracy.  As more and more businesses move to agile development and deployment, and as the Internet of Things continues to impact on service expectations, it is crucial that businesses plug the communications gap between their developers and their IT security teams.