In Star Trek: The Next Generation, whenever Captain Picard issues his famous command to ‘make it so,’ his instructions are executed seamlessly across the Enterprise, with just a few touches on the controls by the crew. Wouldn’t it be great if an organization’s latest business application or digital transformation initiative could be rolled out in the same automated, fast and trouble-free way?
Unfortunately, the reality for most enterprises is very different. Deploying a new application, or managing a cloud migration can take weeks until IT and security teams ensure that all the servers and network segments can communicate with each other, while keeping hackers and unauthorized users out. This is because the organization’s network includes hundreds of servers and devices (such as firewalls and routers) as well as virtualized devices in public or private clouds. And when making changes to them, it’s critical to ensure that the connectivity supporting the application isn’t broken, and that security gaps or compliance violations aren’t accidentally introduced.
Given the sheer complexity of today’s networks, it’s no surprise that many organizations struggle with this. Our 2019 survey of managing security in hybrid and multi-cloud environments showed that over 42% of organizations experienced application or network outages caused by simple human errors or misconfigurations.
What’s more, even routine tasks like network maintenance or fixing an outage are fraught with risk. This is because most organizations have large network security policies in place, with thousands or even millions of policy rules deployed on their firewalls and routers. Removing any of these rules is often a very worrisome task, because the IT teams don’t have an answer to big questions like ‘why does this rule exist, and what happens if we remove it?’ or ‘which applications are impacted when this device is powered off?’
Intent-based networking (IBN) promises to solve similar problems in aspects of networking that are not security related. The good news is that the intent-based approach can be extended to network security as well. Once security policies are properly annotated with the intent behind them, network tasks become much easier to understand and can be handled efficiently without risking outages or security holes.
The best time to annotate security rules with their intent is, of course, when the rules are originally created. However, most organizations have not been using intent-based network security technologies, and over the years their network security policy grew without any intent annotations. Therefore, the right intent-based solution must also show, in retrospect, what the intent was behind the organization’s existing policies.
It’s a big ask – but it is possible to do all this with network security policy management (NSPM) solutions. These deliver on IBN’s promise of enabling automated, error-free handling of business-driven changes, and faster application delivery across heterogeneous environments – without compromising the organization’s security or compliance posture.
With AlgoSec, organizations can automatically discover and map all the business applications in an enterprise, by monitoring and analyzing the network connectivity flows that support them. AlgoSec labels the security policies supporting the applications – which in turn automatically identifies the intent behind the policies. AlgoSec also identifies the security devices and policies that support those connectivity flows across heterogeneous on-premise, SDN and cloud environments. This gives a ‘single source of truth’ for the entire network, storing all the application’s attributes in a single pane of glass, including configurations, IP addresses and policies.
With this holistic application and network map, AlgoSec enables business application owners to request changes to network connectivity for their business applications without having to understand anything about the underlying network and security devices that the connectivity flows pass through. The application owner simply makes a network connectivity request in their own high-level language, and the solution automatically tracks and retains the intent of the business application through the change request lifecycle.
As part of this process, AlgoSec’s solution assesses the change requests for risk and compliance with the organization’s own policies, as well as industry regulations. If the changes carry no significant security risk, the solution automatically makes them on all the relevant devices (including their intent annotation), and then verifies the process has been completed – with zero touch.
So normal change requests are processed automatically — from request to implementation — in minutes, with little or no need to involve the networking team. Manual intervention is only required if a problem arises during the process, or if a request is flagged by the solution as high risk. Meanwhile, IT, security and application teams can continuously monitor the state of the network and the applications it supports.
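The two ideas the post describes, recovering the intent behind existing rules from the application flows they actually carry, and screening a connectivity request for risk before it is pushed as an intent-annotated rule, can be sketched in a small model. The following is an added illustration written for this page; it is not AlgoSec code and does not reflect how any NSPM product is implemented. All rule sets, flows, device names (`fw-edge`, `fw-dc`), address ranges and the `forbidden` zone-pair policy are constructed sample data, and first-match rule evaluation with an implicit default deny is an assumption made to keep the model simple.

```python
"""Intent annotation, impact analysis and change-request screening for a toy firewall model.

Added example for this page; the data below is constructed, not taken from any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    device: str
    src: str                      # source CIDR the rule matches
    dst: str                      # destination CIDR the rule matches
    port: int                     # 0 means any port
    action: str                   # "allow" or "deny"
    intent: Optional[str] = None  # business purpose; None = never recorded (legacy rule)


@dataclass(frozen=True)
class Flow:
    app: str                      # business application this connectivity supports
    src_ip: str
    dst_ip: str
    port: int
    path: Tuple[str, ...]         # devices the flow traverses, in order


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ip_address(src_ip) in ip_network(rule.src)
            and ip_address(dst_ip) in ip_network(rule.dst)
            and rule.port in (0, port))


def first_match(rules: List[Rule], device: str, src_ip: str, dst_ip: str, port: int) -> Optional[Rule]:
    """First-match evaluation on one device (assumed semantics); None = implicit default deny."""
    for r in rules:
        if r.device == device and rule_matches(r, src_ip, dst_ip, port):
            return r
    return None


def flow_allowed(rules: List[Rule], flow: Flow) -> bool:
    """A flow works only if every device on its path has an allow rule matching it."""
    for dev in flow.path:
        r = first_match(rules, dev, flow.src_ip, flow.dst_ip, flow.port)
        if r is None or r.action != "allow":
            return False
    return True


def infer_intent(rules: List[Rule], flows: List[Flow]) -> dict:
    """Retrospective intent: which applications each rule actually carries traffic for."""
    usage: dict = {r.rule_id: set() for r in rules}
    for f in flows:
        for dev in f.path:
            r = first_match(rules, dev, f.src_ip, f.dst_ip, f.port)
            if r is not None and r.action == "allow":
                usage[r.rule_id].add(f.app)
    return usage


def impact_of_removing(rules: List[Rule], flows: List[Flow], rule_id: str) -> Set[str]:
    """Answers 'what happens if we remove this rule?': applications whose flows would break."""
    remaining = [r for r in rules if r.rule_id != rule_id]
    return {f.app for f in flows if flow_allowed(rules, f) and not flow_allowed(remaining, f)}


def impact_of_powering_off(flows: List[Flow], device: str) -> Set[str]:
    """Answers 'which applications are impacted when this device is powered off?'"""
    return {f.app for f in flows if device in f.path}


def assess_change_request(rules, flows, app, src_ip, dst_ip, port, path, forbidden):
    """Screen a connectivity request. `forbidden` lists (src_zone, dst_zone) CIDR pairs that
    organisational policy never permits; anything else missing is generated as an allow rule
    carrying the requesting application as its intent annotation."""
    wanted = Flow(app, src_ip, dst_ip, port, tuple(path))
    if flow_allowed(rules, wanted):
        return "already-permitted", []
    for src_zone, dst_zone in forbidden:
        if ip_address(src_ip) in ip_network(src_zone) and ip_address(dst_ip) in ip_network(dst_zone):
            return "flagged-high-risk", []          # needs a human decision, not automation
    new_rules = []
    for dev in path:
        r = first_match(rules, dev, src_ip, dst_ip, port)
        if r is None or r.action != "allow":
            new_rules.append(Rule(f"auto-{app}-{dev}", dev, f"{src_ip}/32", f"{dst_ip}/32",
                                  port, "allow", intent=app))
    return "auto-approved", new_rules


# Constructed sample policy: one edge firewall, one data-centre firewall; R2 and R3 are legacy
# rules whose intent was never recorded.
RULES = [
    Rule("R1", "fw-edge", "10.0.0.0/8", "10.20.0.0/16", 443, "allow", intent="CRM web tier"),
    Rule("R2", "fw-dc", "10.20.0.0/16", "10.30.0.0/24", 5432, "allow"),
    Rule("R3", "fw-dc", "10.0.0.0/8", "10.30.0.0/24", 22, "allow"),
]
# Constructed application flows as a discovery process might map them.
FLOWS = [
    Flow("CRM", "10.1.1.5", "10.20.1.10", 443, ("fw-edge",)),
    Flow("CRM", "10.20.1.10", "10.30.0.5", 5432, ("fw-dc",)),
    Flow("Payroll", "10.20.2.10", "10.30.0.7", 5432, ("fw-dc",)),
]
# Constructed compliance policy: the untrusted zone (192.0.2.0/24) may never reach the DB zone.
FORBIDDEN = [("192.0.2.0/24", "10.30.0.0/24")]

if __name__ == "__main__":
    print("inferred intent:", infer_intent(RULES, FLOWS))
    print("remove R2 breaks:", impact_of_removing(RULES, FLOWS, "R2"))
    print("power off fw-dc hits:", impact_of_powering_off(FLOWS, "fw-dc"))
    print(assess_change_request(RULES, FLOWS, "Payroll", "10.20.2.10", "10.30.0.7", 8443, ["fw-dc"], FORBIDDEN))
```

Running it shows that the unannotated rule `R2` is in fact carrying both CRM and Payroll traffic (so it cannot be removed safely), that `R3` carries no observed application flow (a cleanup candidate, but one that still deserves a human look rather than automatic deletion), and that a Payroll request for a new port is auto-approved with a rule annotated with its intent, while a request from the untrusted zone into the database zone is flagged for review instead of being automated.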
With AlgoSec, organizations can realize the potential of intent-based network security, as they can:
These capabilities allow business application owners to express their high-level business needs to ‘make it so’, and automatically receive continuously maintained, secure and continuously compliant connectivity for their applications. They also enable IT teams to provision, configure and manage networks more quickly and more securely.
Watch our webinar to find out more about how AlgoSec’s network security policy management solutions deliver on the promise of intent-based networking without compromising on security or compliance.