In Part 1 of this series, we shared our five network security technology predictions for 2019. Well, we aren’t done yet. In this Part 2, the blog you are reading now, we reveal our take on management aspects of network security policy in the year ahead. Pay careful attention. This stuff is important.
As applications migrate across the hybrid estate from one environment to another (from the data center to the cloud, between data centers, from one cloud to another, etc.), their connectivity requirements change significantly. But the enterprise cannot allow the pace of compliance and security audits to slow down its business. Therefore, security staff will need to speed up their security-policy-management processes and improve the accuracy of their policy changes across their on-premises, private and public cloud environments via cross-environment automation of:
• application discovery
• change management, and
• application decommissioning
The scale and frequency of change management and the scope of security and compliance auditing will continue to escalate in 2019
Yesterday’s automation capabilities gave security staff a needed boost. But the growing complexity of securing the hybrid estate will sharply increase the need for intelligent, intent-based policy automation that takes on a larger role in the coming year.
Intent-based policy automation must address the entire network-security policy-change lifecycle, from submission through audit, by continuously tracking the application responsible for observed traffic or for a requested policy change. Intent-based automation enables security staff to make security-related changes and assess potential risks quickly, maximizing the agility and safety of the business. Always-active intelligence delivers auto-discovery of application-connectivity requirements, proactive risk analysis from the business perspective and automation of time-consuming security changes enhanced with business context, all seamlessly orchestrated across the hybrid estate. Intelligence takes on much of the load from security staff by proactively alerting on conditions that depress security posture below a threshold while guiding security personnel toward the proper remediation.
Enterprises are ready to take another step in the automation journey and will begin to adopt intent-based automation.
Beyond the technology aspects of the hybrid estate, it’s vital to consider the stakeholders who are involved in enterprise cloud deployments. Often, a certain level of tension exists between DevOps, cloud operations and security teams. Each team rightly stresses its own priorities:
• DevOps requires agility and automation in order to roll out new applications quickly
• The cloud team is charged with controlling the cost while maximizing the advantages of cloud-platform capabilities
• The security team requires acute visibility to maintain governance across the entire hybrid estate
These priorities often clash.
The big management challenge over the coming year will be to provide capabilities that bridge disparate priorities, enabling the various teams to work in harmony toward a common, business-driven objective that supports agility, maximizes use of cloud and virtual resources and maintains tight security and compliance.
With a comprehensive security policy management (SPM) solution, security teams can be automatically notified when security policies have been changed. They can obtain an automatic impact assessment of these changes on the rest of the enterprise estate.
In 2019, large and medium-size enterprises will adopt an SPM solution that will enable DevOps teams to embed the solution into a continuous integration (CI) tool chain that will verify that changes to applications remain aligned with security-policy requirements. The solution will quickly address mismatches early, before they impact the business.
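An added example of what such a CI gate could check, not code from the article or from any vendor product: a proposed set of firewall or security-group rules is compared against each application's declared connectivity intent before the change is pushed. The application names, CIDRs and ports are constructed for illustration.

```python
import ipaddress

# Constructed intent: each application declares who may reach it and on which
# ports. Anything a change request proposes outside that intent is a violation.
INTENT = {
    "payments-web": {"allowed_sources": ["0.0.0.0/0"], "allowed_ports": {443}},
    "payments-db":  {"allowed_sources": ["10.20.0.0/24"], "allowed_ports": {5432}},
}

# Constructed change request: rules a pipeline proposes to push to a firewall
# or cloud security group, as (application, source_cidr, destination_port).
PROPOSED_RULES = [
    ("payments-web", "0.0.0.0/0", 443),
    ("payments-db", "10.20.0.0/24", 5432),
    ("payments-db", "0.0.0.0/0", 5432),      # violation: internet -> database tier
    ("payments-web", "203.0.113.0/24", 22),  # violation: SSH was never declared
    ("unknown-app", "10.0.0.0/8", 80),       # violation: no owning application
]

def source_permitted(source_cidr, allowed_cidrs):
    """True if every address in source_cidr lies inside one declared source CIDR."""
    src = ipaddress.ip_network(source_cidr, strict=False)
    return any(src.subnet_of(ipaddress.ip_network(c)) for c in allowed_cidrs)

def check_rules(rules, intent):
    """Return human-readable violations; an empty list means the change is aligned."""
    violations = []
    for app, source, port in rules:
        spec = intent.get(app)
        if spec is None:
            violations.append(f"{app}: no connectivity intent declared for this application")
            continue
        if port not in spec["allowed_ports"]:
            violations.append(f"{app}: port {port} not in declared ports {sorted(spec['allowed_ports'])}")
        if not source_permitted(source, spec["allowed_sources"]):
            violations.append(f"{app}: source {source} outside declared sources {spec['allowed_sources']}")
    return violations

def ci_gate(rules, intent):
    """Exit status for the CI job: 0 = aligned with policy, 1 = block the change."""
    return 0 if not check_rules(rules, intent) else 1

if __name__ == "__main__":
    for v in check_rules(PROPOSED_RULES, INTENT):
        print("VIOLATION:", v)
    raise SystemExit(ci_gate(PROPOSED_RULES, INTENT))
```

The gate reports mismatches at pipeline time, so a rule that would expose the database tier fails the build rather than surfacing in a later audit.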
Deploying production-grade applications in the public cloud exposes new security challenges that used to be “someone else’s problem”. For instance, in an on-premises environment, only local workloads have access to local file systems and databases. Securing access to storage is typically not considered part of network security but is the responsibility of the server or platform team.
This long-standing division of responsibility breaks down in cloud environments. Unlike in the data center, storage in the cloud is fundamentally network-accessible. To make matters worse, network security controls (firewalls, security groups, access lists, etc.), whether offered by the cloud platform (e.g., AWS, Azure) or a third-party cybersecurity provider (e.g., Palo Alto Networks, Check Point), offer no direct protection for cloud storage.
In 2018, we saw that this gap in responsibility brought many enterprises to the media’s front pages (Another Misconfigured Amazon S3 Bucket Exposes 48M Records).
In 2019, enterprises will take far-reaching steps—both organizational and technological—to mitigate this challenge. They will come to understand that securing cloud storage should be the responsibility of a new cloud network security team who will be tasked with visibility into and managing the dedicated security controls protecting cloud storage.
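An added illustration of that gap, not code from the article: a check such a cloud network security team might run over a bucket's own access controls. The AWS S3 bucket policy and ACL below are constructed; the check flags Allow statements with a wildcard principal that carry no network-scoping condition, and ACL grants to the predefined public groups, because neither form of access ever traverses the firewalls or security groups mentioned above.

```python
import json

# Constructed bucket policy and ACL (not from the article). The "PublicRead"
# statement and the AllUsers ACL grant expose records to the whole internet,
# and no firewall or security group in front of the compute tier would see it.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppTierRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/payments-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payments-records/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payments-records/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::payments-records",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
]})
ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
# Predefined S3 ACL groups that mean "anyone" or "any AWS account holder".
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# Condition keys that confine a wildcard principal to a known network path.
NETWORK_SCOPING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp"}

def is_wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} (as a string or inside a list) means anyone."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in (aws if isinstance(aws, list) else [aws])

def has_network_scoping(statement):
    """True if any Condition operator references a network-scoping key."""
    keys = {k for operator in statement.get("Condition", {}).values() for k in operator}
    return bool(keys & NETWORK_SCOPING_KEYS)

def find_public_exposure(policy_json, acl_grants):
    """Return findings for access that reaches the bucket without passing a network control."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        if st["Effect"] == "Allow" and is_wildcard_principal(st["Principal"]) \
                and not has_network_scoping(st):
            findings.append(f"statement {st.get('Sid', '?')}: wildcard principal without network condition")
    for grant in acl_grants:
        if grant["Grantee"].get("URI") in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL grant: {grant['Permission']} to {grant['Grantee']['URI']}")
    return findings
```

The VpcOnly statement is deliberately left unflagged: a wildcard principal confined to a VPC endpoint is the kind of dedicated storage control the new team would own, whereas PublicRead and the AllUsers grant are the misconfiguration pattern behind the incident cited above.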
2019 is Upon Us
The coming year will indeed be one of major shifts in network security policy management caused by the growth of the hybrid estate. Considerable attention will be focused on cross-environment security that is agile, intelligently automated, and comprehensive.
We hope that our predictions will help you prepare for the coming year. In the meantime, make sure you download the White Paper here.