AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Filter by Custom Post Type

How to Avoid a ‘Hotel California’ Security Policy Syndrome


Change is the one constant in network operations and security.  Business applications are always in a near constant state of flux – regularly being updated or migrated – which in turn means constant additions and updates to security policies and firewall rules. As a result, security policies become bloated. The problem is made even worse as old or obsolete policies and rules are rarely deleted, even after a business application or server has been decommissioned.  Yet, security policies that are not required for any business purpose can create open doors for unwanted guests – cyber criminals.

The end result is often a cluttered and unnecessarily extended network security policy, which weakens your security posture, impacts firewall performance and impedes regulatory audits and compliance. As I explained in a recent article for Information Age this is ‘Hotel California’ syndrome – policies and rules may checkout, but they never leave.  No wonder, then, that uncoordinated policy management was identified by analyst Gartner as one of the most common network security ‘worst practices’ earlier in 20151.

Tackling this issue is a challenge for network operations, security, and application owners alike.  The people who built the business applications, developed the security policies around them, and therefore know why these rules are in place, may no longer be with your company.  Documentation and records may be sketchy at best, with manual, non-scalable processes including spreadsheets or simplistic databases being used to handle this increasingly complex task.

Simplifying the policy puzzle

So how can you start to clean up your existing security policies and rules, to get rid of those that are old and obsolete, and track those which are most critical and relevant to your business?  Here are my suggestions for starting to clean up your ‘guest list’ of rulesets and policies, and evicting those that have outstayed their welcome.

  • Check-out how the rules are used: to do this, you need to implement logging and reporting with per-rule granularity, so that you can see exactly how often a rule is applied and when it was last used.  This is a feature of security policy management solutions:  they provide a range of reporting options that enables you to quickly identify the status of rules and objects.
  • Check-in new rules: when new rules are being set up, make sure everyone who does adds a comment on what the rule is for.  This will help to remind you and your team why it exists in the first place, when you come to review it at a later date.
  • Check-up on existing rules: examine firewall rules and application connectivity on a regular basis – for example, every 12 or 24 months – and reapprove those rules that are still in use while removing those which are no longer required.
  • Focus on your applications: rather than focusing solely on firewall ports and network protocols, ensure you understand and map firewall and router access rules to the business applications they support.  Solutions that manage application connectivity can automate and greatly simplify this process.
  • Automate your change request processes: Security policy automation solutions not only let you process changes faster and more accurately, they also document those processes automatically.  This gives you a searchable audit trail of your rules and policies, enabling you to establish, months or years later, who asked for them to be implemented and why, who made any changes to them, and the reasons for the change.

By checking-out and evicting obsolete firewall rules and policies, you not only simplify ongoing security management, as well as auditing and compliance, you also greatly improve your security posture and resilience against cyberattacks. To take a deeper dive into this security ‘worst practice’ among others, read our whitepaper on Mitigating Gartner’s Network Security Worst Practices.  With the right tools and processes, you can transform sprawling, messy ‘Hotel California’ rulesets into slick, 5 Star security policies that enable you to securely manage your business.

1 Gartner, “Avoid these “Dirty Dozen” Network Security Worst Practices,” January 2015

Subscribe to Blog

Receive notifications of new posts by email.