AlgoBuzz Blog


Who Put That in Here? (And Who’s Going to Take It Out)


We continue our coverage of Gartner’s Network Security Worst Practices and how to mitigate them.

In this post we’ll cover the worst practice of “Uncoordinated Policy Management”, which Gartner also nicely referred to as “firewall roach motel — rules go in, but they don’t come out”[1]. Helping organizations improve security policy management is obviously at the heart of what we do here at AlgoSec. In many ways, I feel this worst practice is really the aggregated result of many of the worst practices we have already covered, such as insufficient focus on business requirements and organizational misalignment. But at the end of the day, most of the ailments that result from poor security policy management are, according to Gartner, due to the “use of unsustainable and nonscalable tools and processes such as spreadsheets”[2] to address an increasingly complex task. As a result, the network security policy is cluttered, and the processes to add and remove rules are inefficient and error-prone.

Here are just some questions we ask organizations that we work with. The reply is usually a nod… and a sigh.

  • What happens to firewall rules when an application is decommissioned from the network? Do you safely remove them knowing that no other application is going to break?
  • Have you ever suffered an application outage due to a firewall rule change gone wrong?
  • Do you have difficulty understanding what the application team requires from the networking perspective when they deploy a new application or update an existing one?
  • Do you have a good understanding of the business reason for each firewall rule in place? How good is your documentation?

Notice the word “business” or “application” appears in every question. We have talked about the divide between operations and security teams. A potentially bigger divide exists between IT and application teams. This is the root cause of uncoordinated policy management.

Here’s what you can do to transform the way you manage your security policy:

  1. Adopt an Application-Centric Approach – Instead of focusing on ports and protocols, make sure you can understand and map the firewall and router access rules to the business applications they support. This is not an easy exercise, and an innovative solution for application connectivity management can greatly simplify the process.
  2. Automate Change Control and Documentation – Leverage Security Policy Change Automation solutions to process changes more quickly and accurately. One often-overlooked benefit of these tools is automatic documentation: as you make a change, each step of it is documented, including the business reason for the request, the risk implications, and even the date on which the rule needs to be recertified. This not only simplifies your next audit, it also makes the information readily available to all, improving coordination.
  3. Extend DevOps to Network Security – The DevOps movement is continuing to gain traction and for good reason. Better aligning IT and developers has many benefits. Look to extend the DevOps model to include security so that security people are involved early in the development process to better understand how to provision security for applications.
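As an added illustration of steps 1 and 2 (example code, not AlgoSec's or any product's data model), the following Python sketch records each rule's owning applications, business reason and recertification date, and flags the rules a review should look at: undocumented rules, rules whose applications have all been decommissioned (the "roach motel" occupants that can come out), and rules shared with a still-active application, which must stay. The application inventory, status values and sample rules are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed application inventory for this example (status values are made up).
APPLICATIONS = {"payroll": "active", "legacy-crm": "decommissioned", "intranet": "active"}

@dataclass
class Rule:
    rule_id: str
    source: str
    destination: str
    service: str
    applications: frozenset           # business applications this rule was opened for
    business_reason: str = ""
    recertify_by: Optional[date] = None  # date by which the owner must re-approve the rule

def audit_rules(rules, applications, today):
    """Return {rule_id: [finding, ...]} for every rule that needs attention."""
    findings = {}
    for r in rules:
        notes = []
        active = {a for a in r.applications if applications.get(a) == "active"}
        if not r.applications or not r.business_reason:
            # Nobody can say why the rule exists: go back to the requester before touching it.
            notes.append("undocumented")
        elif not active:
            # Every application it served is gone, so removing it cannot break a live application.
            notes.append("orphaned, removal candidate")
        elif active != r.applications:
            # Shared rule: keep it, but prune the decommissioned owners from its record.
            notes.append("shared, drop owners " + ", ".join(sorted(r.applications - active)))
        if r.recertify_by is not None and r.recertify_by < today:
            notes.append("recertification overdue")
        if notes:
            findings[r.rule_id] = notes
    return findings

# Constructed sample rules (addresses and services are illustrative only).
RULES = [
    Rule("R1", "10.1.0.0/24", "10.9.0.5", "tcp/443", frozenset({"payroll"}), "HR portal to payroll API", date(2026, 1, 31)),
    Rule("R2", "10.2.0.0/24", "10.9.0.7", "tcp/1433", frozenset({"legacy-crm"}), "CRM to SQL", date(2024, 6, 30)),
    Rule("R3", "10.3.0.0/24", "10.9.0.9", "tcp/389", frozenset({"legacy-crm", "intranet"}), "LDAP lookups", date(2025, 12, 31)),
    Rule("R4", "0.0.0.0/0", "10.9.0.10", "tcp/22", frozenset()),
]

def audit_sample(today=date(2025, 3, 1)):
    return audit_rules(RULES, APPLICATIONS, today)

if __name__ == "__main__":
    for rule_id, notes in audit_sample().items():
        print(rule_id, "->", "; ".join(notes))
```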

Policy management is uncoordinated at most organizations, but it doesn’t have to be. With the right tools and processes and, more importantly, with the conviction that things must change, every organization can take steps to make policy management a much more seamless process.

About the Mitigating Gartner’s Network Security Worst Practices Blog Series

In this special blog series we’re taking a deeper dive into the network security worst practices identified by Gartner, and are examining how each of the 9 worst practices that we specifically address can be mitigated using automated security policy management.

[1] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.

[2] Source: Gartner, Avoid these “Dirty Dozen” Network Security Worst Practices, by Andrew Lerner, Jeremy D’Hoinne, January 8, 2015.
