Everything you ever wanted to know about security policy management, and much more.
There’s a trending thought process that IT isn’t there just to support the business, but to drive the business (see my previous blog on this topic). Either way you look at it, in order for business to run smoothly in today’s environment, IT and the business must be aligned. What does this mean? First, IT itself must be aligned! While IT operations and security teams have unique responsibilities for ensuring that the business can run, there are times when they overlap and if they’re not aligned, business continuity suffers. Then IT as a whole must be aligned with the business. Here’s where things get tricky:
To achieve alignment across these teams, organizations must re-examine their current security, operations and business processes and identify where to add or enhance the necessary checks and balances without impeding productivity. Here are a few tips:
Tip 1: Break down the organizational silos.
Application owners, network security and operations staff working in silos is a clear path to trouble and a major contributor to business disruption.
Tip 2: Automate processes.
This goes hand-in-hand with our first tip. Security change management usually falls down because teams work in silos and because of manual, time-consuming processes, which typically result in a wide range of errors that may introduce risk, break connectivity or cause a wider outage. AlgoSec’s “State of Network Security Survey 2013” found that the biggest challenge of managing network security devices was process. You need to understand where process breakdowns occur so that you can make the necessary improvements. Ask yourself questions such as “Is it a matter of poor process?” and “Are the solutions in place not allowing the process to work as you want?” Identify these issues so that you can map out a plan of attack. By automating business processes, organizations can improve visibility, simplify and streamline the necessary checks and balances, and improve not only security but also business agility (think more changes processed…accurately). Sound process aided by automation enables the different stakeholders to communicate with each other more easily and effectively, and to respond to changing business needs more quickly and transparently.
Tip 3: Think in application terms when it comes to change management.
Most firewall changes are driven by business applications, but there is poor visibility tying business needs to the underlying security policy. Make sure you have proper visibility from an application perspective and understand the impact of an application change, both on the applications themselves and on the network, by making sure that you can associate every firewall change request with the appropriate application. Just as many critical IT functions have evolved to become application-centric (because our networks and organizations are powered by business applications), so too must security policy management. You can read more on this in a recent SecurityWeek column, “It’s All About the Applications”.
Tip 4: Find a common language.
The process of sharing, interpreting, and accurately translating the disparately stored application connectivity information into effective security policies essentially creates a gap between the network, security and application teams. Opportunities to maximize application availability, reduce risk from unauthorized access and unlock greater degrees of IT agility are often held back. IT departments have their own objectives and use their own language. Meanwhile, the networking team focuses on routing and connectivity and communicates in terms of subnets, IP addresses and so on. These different responsibilities and terminologies result in a great divide, with key requirements getting ‘lost in translation’. As a result, application and network outages are all too common, security is unreasonably compromised and network performance is negatively impacted.
Tip 5: Reduce complexity.
Complexity is a killer of security and agility. Today’s enterprise network has more business applications with complex, multi-tier architectures, multiple components, and intricate underlying communication patterns that drive network security policies. An individual “communication” may need to cross several policy enforcement points, while individual rules, in turn, support multiple distinct applications. This complexity typically involves hundreds or even thousands of rules, with many potential inter-dependencies, configured across tens to hundreds of devices that support just as many business-critical applications. The sheer complexity of any given network can lead to a lot of mistakes, especially when it comes to multiple firewalls with complex rule sets. Simplifying security management processes through automation and an application-centric approach is a must.
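The rule-to-application association from Tip 3 and the shared-rule dependencies from Tip 5 can be sketched in a few lines. This is an added example, not code from AlgoSec or the original post; the rule format, device names, addresses and application names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample policy: each rule records the applications whose
# change requests justified it (empty set = no request on file).
RULES = [
    {"id": "fw1-10", "device": "fw-edge", "src": "10.1.0.0/24",
     "dst": "10.2.0.10", "svc": "tcp/443", "apps": {"webshop"}},
    {"id": "fw2-22", "device": "fw-core", "src": "10.2.0.10",
     "dst": "10.3.0.5", "svc": "tcp/1521", "apps": {"webshop", "billing"}},
    {"id": "fw2-23", "device": "fw-core", "src": "10.4.0.0/24",
     "dst": "10.3.0.5", "svc": "tcp/1521", "apps": {"billing"}},
    {"id": "fw1-99", "device": "fw-edge", "src": "any",
     "dst": "10.2.0.77", "svc": "tcp/22", "apps": set()},
]

def index_by_app(rules):
    """Map each application to the rules that carry its traffic."""
    idx = defaultdict(list)
    for rule in rules:
        for app in rule["apps"]:
            idx[app].append(rule)
    return idx

def untraceable(rules):
    """Rules that no application change request accounts for."""
    return [r["id"] for r in rules if not r["apps"]]

def enforcement_points(rules, app):
    """Devices that an application's flows have to cross."""
    return sorted({r["device"] for r in index_by_app(rules).get(app, [])})

def decommission_impact(rules, app):
    """Split an application's rules into removable ones and shared ones."""
    removable, shared = [], {}
    for rule in index_by_app(rules).get(app, []):
        others = rule["apps"] - {app}
        if others:
            shared[rule["id"]] = sorted(others)  # still needed by these apps
        else:
            removable.append(rule["id"])
    return removable, shared

if __name__ == "__main__":
    print("untraceable:", untraceable(RULES))
    print("webshop crosses:", enforcement_points(RULES, "webshop"))
    print("retire webshop:", decommission_impact(RULES, "webshop"))
```

Retiring `webshop` in this sample frees one rule on the edge firewall, while the core database rule has to stay because `billing` still depends on it; the SSH rule with no application on file is the kind of entry that needs an owner before anyone can judge a change to it.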