AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.

Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt
Search in comments
Filter by Custom Post Type

Security Policy Management Maturity Model and the Benefits from Moving Up the Ladder: Part 1 of 4


In my first post on the Security Policy Management Maturity Model, I highlighted the challenges of network and security complexity and dynamic business requirements that must be addressed by IT in order for the business to remain competitive. In the forthcoming blogs, I’ll dig into each level of the maturity model and not only examine what each level means in terms of your organization’s environment, but also provide some tips for moving up the ladder and the benefits for doing so.

Now that we have that covered, let’s get started with level 1. Jeff Foxworthy has that joke “You know you’re a redneck if…” Well, the same concept applies here. You know you’re at level 1 if your security management practice is manual. Manual security policy management leads to loads of issues, mainly poor visibility, inefficient processes, no easy way to demonstrate compliance and a weakened security posture.  More specifically, if you can’t answer these questions in the affirmative, then you are at level 1:

Do you know why each firewall rule exists?

Typically the “knowledge” of why a rule was created or changed is in the brains of the administrator who created it. If the admin didn’t document the purpose of the rule (which happens all too often), can’t remember the reason or if they leave the company, there is no history to review and it is much harder to troubleshoot firewall-related issues, reduce risk and outages caused by rule changes.

Do you have full visibility of the impact to network traffic?
Organizations at this level often do not have an understanding of how the security policy impacts traffic flowing to and from the network which turns planning and troubleshooting into extremely complex tasks. Being able to generate an accurate map of network topology requires a major undertaking – and usually has gaps. For example, it’s one thing to have a “point-in-time view” like a Visio from last month, but it’s another to have it continuously updated.

Is your security change process automated and can you ensure the accuracy of changes?
Change management is an area where things can very easily break down. Organizations at the initial stages of security policy management have no sound way to enforce the security change process. This means multiple ways of processing changes, increased risk of misconfiguration and non-compliance, and a much slower process that impedes business agility.

Are you spending a significant amount of time and resources on audit preparation?
Regulatory compliance as well as internal mandates result in frequent firewall audits. Organizations at this level spent days and even weeks preparing their firewall for audits manually. Achieving compliance in this manner is not only time-consuming, but also short lived, as frequent changes can cause organizations to fall out of compliance shortly after the audit.

Are your firewall rule sets bloated, impacting troubleshooting efforts and audits as well as impacting firewall performance?
Security policies typically grow in size and complexity over time. Organizations at “Level 1” have bloated rule sets – rules added, but never deleted – because of the fear of causing an outage or a security risk by removing a rule.

Are you manually assessing your firewall policy for risk, if at all?
According to Gartner, “More than 95% of firewall breaches are caused by firewall misconfigurations, not firewall flaws.” Many organizations don’t understand the risks of enabling or disabling certain rules. A firewall without an effective policy doesn’t cut it.

If after reading this, you’re at level 1, as promised, here are 5 tips to help you move up the ladder:

  • Tip 1: Review (or create) documentation for firewall rules. This requires diligence, but it is well worth it and you can get started now.
  • Tip 2: Get an accurate picture of your network traffic. Without this information, you can’t be certain you understand what your policy is actually doing.
  • Tip 3: Define your ideal change management process. This is only a first step, but an important one that will get you on your way to moving up several levels.
  • Tip 4: Establish regular projects to clean up firewall and router rules and ACLs. This isn’t a can you can infinitely kick down the road.
  • Tip 5: Review risk analysis and compliance processes. Start to assess the benefits of automating these processes.

I hope you found this useful. In the next blog in this series we’ll examine Level 2 of the maturity model, as well as tips to continue to move up the ladder.

Subscribe to Blog

Receive notifications of new posts by email.