Curing Security Policy Ailments

I was talking recently with one of our sales engineers, and he mentioned that customers often tell him about the security management pain points they experience, which they are seeking to cure.  But when they actually describe those pain points in detail – such as ‘I have too many firewall rules,’ or ‘I failed an audit’ – they are actually identifying a series of symptoms that result from deeper, more fundamental problems in their processes.

As a doctor will tell you, you shouldn’t just treat the symptom, you need to cure the disease itself.  If you’ve got a headache, you can take some aspirin to alleviate some of the discomfort while the body hopefully heals itself.  However, if the headache doesn’t go away, taking more and more aspirin isn’t going to resolve the problem:  the underlying causes will need to be investigated and addressed properly to deliver a long-term cure.

It’s the same in the security world:  problems rarely cure themselves.  It’s possible to treat an organization’s painful symptoms such as having too many firewall rules, or of failing an audit, by simply selling them a firewall clean-up solution.  But this doesn’t fix the fundamental issues:  it just kicks the can down the road until the next time the symptoms reappear.

Organizations must look to identify the underlying issue, rather than merely relieve the symptoms. This can be done by proactively conducting a comprehensive assessment of the network and identifying the risks that exist within it, instead of waiting for maladies to manifest themselves.  Think of it as a network health check-up:  it’s important to be able to identify risky rules or applications and ensure that they are compliant both with internal policies and relevant standards and regulations.

More often than not the assessment, or health-check, will reveal that the real problem that needs curing is the fact that the organization has poor processes for handling security policy management.  And until it re-engineers its processes using an automated, simplified approach, the issue will not go away.

So how should organizations go about administering this treatment and curing their policy management problems?  It has to be done by properly managing the lifecycle of security policies:  from discovering application connectivity requirements, through ongoing change management and proactive risk analysis, to secure decommissioning when the policies reach the end of their life.

In terms of discovery, this means identifying and understanding the connectivity requirements of applications, along with network security devices and cloud controls. Once these have been fully visualized, organizations can start to plan and assess the impact of every proposed change to the security policy before it’s implemented, to minimize risk, avoid outages and ensure compliance.  Automating these security policy changes is also essential as it completes the process faster and more accurately, reducing the scope for error.

An essential part of maintaining this healthy network environment is continuous monitoring – to ensure that all applications and their policies remain relevant, and that those which are outdated are decommissioned.

By properly managing the lifecycle of security policies with an automated approach – from discovery, planning, deployment, maintenance and secure decommissioning – it’s possible to achieve a permanent cure for many common network and security ailments.  This will, in turn, will save you an awful lot of headaches.  ​