Do I Need a Change Management Solution Just for Network Security?

Change management is hardly big news for anyone in IT. Change management systems (such as BMC remedy and HP Service Manager to name a few) have been around for many years, and standards such as ITIL which include frameworks for change management have been around long enough to undergo a few major revisions. So when we launched FireFlow in early 2009, many customers where asking – do I need a change management solution just for network security?

Obviously, we felt the answer is a resounding YES, and here’s why:

Many companies do not have a good process for managing security policy change requests. Change requests are often received via emails and even hallway conversations.

Even when existing change management systems are used, they are limited in the sense that they are able to enforce a workflow (Person A does something , the request is then forwarded to person B who does something etc.). However, these systems have no understanding of firewall rulesets, network topology, or the company’s security policy, which still leaves security operations teams with a lot of manual and error-prone work that needs to be done, such as:

• Understanding which firewalls need to be modified in order to fulfill a specific business request
• Analyzing the security and compliance implications of making the change (Will we still be PCI-DSS compliant if we make this change?)
• Designing the change in an optimal way (E.g. making use of existing firewall objects as opposed to creating duplicate objects which add even more clutter to the policy)
• Ensuring that changes are performed as requested (and discovering changes that are performed without a request – see this previous blog post for more on this topic)

Fast forward to 2011, with countless successful FireFlow implementations across the globe, we hardly ever hear this question. If anything, defining and enforcing a good security policy change workflow has become more challenging without automated tools. A 50 percent reduction in the time required to process changes is a common result for FireFlow customers, not to mention increased accuracy and governance and reduced auditing costs.

As for the “master” change management systems, the vast majority of organizations we work with simply integrate FireFlow with their standard change management system. This way they can benefit from intelligent automation, while preserving the way the organization handles change management. More on this in the video below.