Many organizations believe that Security stands in the way of the business – particularly when it comes to changing or provisioning connectivity for applications. It can take weeks, or even months to ensure that all the servers, devices and network segments that support the application can communicate with each other, while blocking access to hackers and unauthorized users. It’s a complex and intricate process.
This is because for every single application update or change, Networking and Security teams need to understand how it will affect the information flows between the various firewalls and servers the application relies on, and then change connectivity rules and security policies to ensure that only legitimate traffic is allowed, without creating security gaps or compliance violations.
As a result, many enterprises manage security changes on an ad-hoc basis: they move quickly to address the immediate needs of high-profile applications or to resolve critical threats, but have little time left over to maintain network maps, document security policies, or analyze the impact of rule changes on applications.
This reactive approach delays application releases, can cause outages and lost productivity, increases the risk of security breaches and puts the brakes on business agility. But it doesn’t have to be this way. Nor is it necessary for businesses to accept greater security risk to satisfy the demand for speed.
Accelerating agility without sacrificing security
The solution is to manage application connectivity and network security policies through a structured lifecycle methodology, which ensures that the right security policy management activities are performed in the right order, through an automated, repeatable process. This dramatically speeds up application connectivity provisioning and improves business agility, without sacrificing security and compliance.
So, what is the network security policy management lifecycle, and how should network and security teams go about implementing a lifecycle approach in their organizations?
The first stage involves creating an accurate, real-time map of application connectivity and the network topology across the entire organization, including on-premises, cloud and software-defined environments. Without this information, IT staff are essentially working blind, and will inevitably make mistakes and encounter problems down the line.
Security policy management solutions can automate the application connectivity discovery, mapping, and documentation processes across the thousands of devices on networks – a task which is enormously time-consuming and labor-intensive if done manually. In addition, the mapping process can help business and technical groups develop a shared understanding of application connectivity requirements.
Once there is a clear picture of application connectivity and the network infrastructure, you can start to plan changes more effectively, ensuring that proposed changes will provide the required connectivity while minimizing the risk of introducing vulnerabilities, causing application outages, or creating compliance violations.
Planning typically involves translating application connectivity requests into networking terminology, analyzing the network topology to determine whether the changes are really needed, conducting an impact analysis of proposed rule changes (particularly valuable with unpredictable cloud-based applications), performing a risk and compliance assessment, and assessing inputs from vulnerability scanners and SIEM solutions. Automating these activities as part of a structured lifecycle process keeps data up to date, saves time, and ensures that these critical steps are not omitted, helping to avoid configuration errors and outages.
Deploying connectivity and security rules can be a labor-intensive and error-prone process. Security policy management solutions automate the critical tasks involved, including designing rule changes intelligently, automatically migrating rules, and pushing policies to firewalls and other security devices, all with zero touch if no problems or exceptions are detected. Crucially, the solution can also validate that the intended changes have been implemented correctly. This last step is often neglected, creating the false impression that application connectivity has been provided, or that vulnerabilities have been removed, when in fact there are time bombs ticking in the network.
Most firewalls accumulate thousands of rules which become outdated or obsolete over the years. Bloated rulesets not only add complexity to daily tasks such as change management, troubleshooting and auditing, they can also impact the performance of firewall appliances, resulting in decreased hardware lifespan and increased TCO.
Cleaning up and optimizing security policies on an ongoing basis can prevent these problems. This includes identifying and eliminating or consolidating redundant and conflicting rules; tightening overly permissive rules; reordering rules; and recertifying expired ones. A clean, well-documented set of security rules helps to prevent business application outages, compliance violations, and security gaps, and reduces management time and effort.
Every business application eventually reaches the end of its life, but when it is decommissioned, its security policies are often left in place, either by oversight or from fear that removing them could negatively affect active business applications. These obsolete or redundant security policies increase the enterprise’s attack surface and add bloat to the firewall ruleset.
The lifecycle approach reduces these risks. It provides a structured and automated process for identifying and safely removing redundant rules as soon as applications are decommissioned, while verifying that their removal will not impact active applications or create compliance violations.
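The two analyses described above (rule cleanup and decommission-safe removal) can be illustrated on a small first-match ruleset. This is an added example, not code from the original post or from any vendor product; the rule model, the flow-to-application mapping and the sample addresses are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR, "0.0.0.0/0" means any
    dst: str             # destination CIDR
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

def matches(rule: Rule, flow: tuple) -> bool:
    """True if the (src_ip, dst_ip, port) flow is matched by the rule."""
    src, dst, port = flow
    return (ip_address(src) in ip_network(rule.src) and ip_address(dst) in ip_network(rule.dst)
            and (rule.port is None or rule.port == port))
def covers(outer: Rule, inner: Rule) -> bool:
    """True if every flow matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.port is None or outer.port == inner.port))
def shadowed(rules: list) -> list:
    """Redundant rules: under first-match semantics an earlier rule already covers them."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]
def overly_permissive(rules: list) -> list:
    """Allow rules from any source on any port: candidates for tightening."""
    return [r.name for r in rules
            if r.action == "allow" and r.port is None and ip_network(r.src).prefixlen == 0]
def safe_to_remove(rules: list, flows: dict, decommissioned: str) -> list:
    """Rules that match a flow of the decommissioned app and no flow of any active app (conservative)."""
    active = [f for app, fl in flows.items() if app != decommissioned for f in fl]
    return [r.name for r in rules
            if any(matches(r, f) for f in flows[decommissioned])
            and not any(matches(r, f) for f in active)]

# Constructed sample ruleset (first match wins) and the per-application flows discovered for it.
RULES = [
    Rule("r1-crm-db", "10.1.0.0/24", "10.2.0.10/32", 1433, "allow"),
    Rule("r2-crm-db-dup", "10.1.0.0/25", "10.2.0.10/32", 1433, "allow"),  # shadowed by r1
    Rule("r3-legacy-web", "0.0.0.0/0", "10.3.0.5/32", None, "allow"),     # any source, any port
    Rule("r4-hr-app", "10.1.0.0/24", "10.4.0.7/32", 443, "allow"),
    Rule("r5-default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
FLOWS = {  # application -> observed (src_ip, dst_ip, port) flows
    "crm": [("10.1.0.20", "10.2.0.10", 1433)],
    "legacy": [("192.0.2.9", "10.3.0.5", 8080)],
    "hr": [("10.1.0.30", "10.4.0.7", 443)],
}
```

Decommissioning "legacy" flags only r3 for removal; the default deny is kept because it still serves the active applications' flows.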
We recently published a white paper which explains the five stages of the security policy management lifecycle in detail. It's a great primer for any organization looking to move away from a reactive, fire-fighting response to security challenges, to an approach which addresses the challenges of balancing security and risk with business agility. Download your copy here.