Security is from Mars, Application Delivery is from Venus

Men Are from Mars, Women Are from Venus by John Gray was one of the best-selling nonfiction books of the 1990s. It asserts that men and women essentially come from different ‘planets’, and need to seek out greater understanding of each other’s wants, needs and ways of thinking in order to cooperate better in relationships. In addition to providing great advice for romantic partners, I think it can also offer some important lessons for the world of corporate IT.

One of the book’s key sentences is: ‘If I seek to fulfil my own needs at the expense of my partner, we are sure to experience unhappiness, resentment and conflict.’ This could easily refer to the relationship between the security team and the application delivery team – they are key business partners and they need to work together for the organization to run smoothly. Yet their relationship is all too often characterized by a lack of communication and cooperation. To solve this problem, we need to carefully examine what each side of the partnership wants from the other – and then, how to fulfil those needs.

So, what does security want from application delivery?

Broadly, there are three main things that security teams want from application delivery teams:

• Clarity of business needs. Security wants application delivery to tell them what they want in terms of security and connectivity, and to give them advance notice. Crucially, these requirements need to be communicated in a language that the security team can understand and can implement.
• Visibility of business needs. Security wants to understand what application delivery is working on, how these applications need to communicate with each other, and to be able to assess any network and data risks.
• Assurance. Whenever the application delivery team is making or requesting changes to network access, the security team wants assurances. These include: (a) the connectivity requested is secure; (b) that this connectivity is compliant; and (c) that good governance is being supported, with a clear record of who did what, when, where and why, so that if an auditor comes along, they have answers to all these questions .

What does application delivery want from security?

On the other hand, there are three key things the application delivery team wants from the security team:

• Agility. App delivery team wants to work quickly and wants IT security to get things done now. Yet it often takes days, or even weeks, for crucial network changes to be processed by the security team.
• Availability of services. Nothing frustrates the application delivery team more than when the security team creates an outage due to, for example, a firewall misconfiguration – they want their applications up and running 24/7.
• Impact analysis ahead of changes being made. If a security policy change is going to slow down, or bring down an application, the delivery team wants to know about it in advance, so it can make the relevant adjustments.

How are we doing now?

Unfortunately, as in any relationship, neither side always gets exactly what it wants. One of the security team’s most common complaints about the application delivery team’s requests combines lack of clarity with unrealistic expectations: ‘You don’t know what ports you need open and for which IPs, but you need it by yesterday?’

And things aren’t any better for the application delivery team. On their side, the most commonly heard complaints relate to repeated availability problems: ‘The new firewall policy is blocking my application – for the third time this week!’

Statistics to support these complaints range from Gartner’s discovery that 99% of firewall breaches are the result of misconfigurations, rather than flaws, to our own survey results, whereby we discovered that eight out of 10 organizations suffered an outage from a misconfigured firewall rule.

Aligning the stars

It’s vital that organizations work to bring security and application delivery closer together – but how can this be achieved?

1. Complete, continually updated visibility – businesses need to be able to see their connectivity requirements across the entire environment – on premise and cloud. This requires a single pane of glass for both teams to see what the other has, what is needed, and ensure everything is enabled, operational and secure at all times. This allows the two teams to speak the same language, to use terminology that effectively communicates their needs and requests to the other side.
2. Automation – security teams need to embrace automation when it comes to change processes. This is the only way to deliver the accuracy and agility that application delivery needs, and as cloud and SDN environments become more commonplace, it’s becoming increasingly urgent.
3. Proactive risk analysis – security teams need to take a proactive approach to risk analysis, as well as analyze and effectively communicate risk from the business application perspective to all the stakeholders in terms that they understand.
4. Continuous Compliance – when network changes are happening at breakneck speed, a twelve month compliance cycle no longer works. Therefore you need to proactively ensure compliance every single time a network change is made.

Security policy management supports all these requirements, delivering a single version of the truth coupled with intelligent automation that is so crucial if security and application delivery are to work together effectively. There’s really no reason for the two teams not to live together in perfect harmony.

Take a look at the full infographic below: