In today's interconnected environment, no large organization can run without the applications that support both its internal operations (email, HR, finance, etc.) and its customer- and partner-facing operations (e.g. online banking if you're a bank, or e-commerce if you're an online retailer). The challenge is that, much like the complexity we've seen in network security, application development has also seen a dramatic rise in complexity. Think about the following:
The sheer volume of applications being run in large organizations is typically in the hundreds if not thousands
New applications are regularly being introduced to the network or decommissioned
Changes to existing applications occur at a frenetic pace
Complex connectivity requirements involve multiple parties, such as application owners, network operations and firewall administrators with pertinent information siloed off in different corners of the business
With everyone hopefully understanding the challenge of managing the volume of applications and the pace and volume of changes involved, let's dig into the complexity around application connectivity requirements. In order to operate, applications require complex connectivity between different components, and often even 3rd party sites. And in order to make these connections, you have to “poke holes” in firewalls and related security infrastructure.
But with so many firewalls and rules, most security administrators have no visibility into what each application requires, resulting in overly permissive security policies that also include many rules for decommissioned applications that nobody dares to remove. As more applications are brought onboard and as connectivity requirements continue to increase in complexity, here are some tips to improve application-centric security management:
Document applications and their connectivity needs – This can be done in CMDBs, Excel sheets or other solutions, as long as they can be maintained.
Map firewall rules to applications – Whether you use comment fields or more sophisticated automated tools, having this visibility will allow you to ensure that the required application connectivity, and only the required connectivity, is in fact enabled by the security policy.
Think in application terms when it comes to change management – Let's face it, most firewall changes are driven by applications (isn't that why you really want to allow "Service X" between two IP addresses?). Make sure you can associate all changes related to each application, so they can be removed when the application is decommissioned.
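A small audit that ties the three tips together, written for this post as an added example (not AlgoSec's or BusinessFlow's code): the application inventory and rule base are constructed sample data, and the `app:<name>` comment convention used to map rules to applications is an assumption.

```python
from ipaddress import ip_network

# Constructed sample data (not from the post): an application inventory, as the
# first tip suggests, and a firewall rule base whose comment field names the
# owning application, as the second tip suggests.
APPLICATIONS = {
    "crm": {"status": "active", "flows": [("10.1.0.0/24", "10.2.0.10/32", "tcp/443")]},
    "payroll": {"status": "active", "flows": [("10.1.0.0/24", "10.3.0.5/32", "tcp/1433")]},
    "hr": {"status": "active", "flows": [("10.1.0.0/24", "10.4.0.7/32", "tcp/443")]},
    "legacy-portal": {"status": "decommissioned", "flows": []},
}

RULES = [
    {"id": 1, "src": "10.1.0.0/24", "dst": "10.2.0.10/32", "svc": "tcp/443", "comment": "app:crm"},
    {"id": 2, "src": "10.0.0.0/8", "dst": "10.9.0.0/16", "svc": "tcp/8080", "comment": "app:legacy-portal"},
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.3.0.5/32", "svc": "tcp/1433", "comment": "temporary"},
]


def owner_of(rule):
    """Return the application named in an 'app:<name>' comment (assumed convention), or None."""
    comment = rule.get("comment", "")
    return comment[4:].strip() if comment.startswith("app:") else None


def rule_covers(rule, flow):
    """True if the rule allows the flow: flow src/dst inside rule src/dst, same service."""
    src, dst, svc = flow
    return (svc == rule["svc"]
            and ip_network(src).subnet_of(ip_network(rule["src"]))
            and ip_network(dst).subnet_of(ip_network(rule["dst"])))


def audit(apps, rules):
    """Cross-check the rule base against the application inventory."""
    # Rules nobody owns: candidates for re-tagging, or for removal if no app needs them.
    orphan_rules = [r["id"] for r in rules if owner_of(r) is None]
    # Rules tagged to a decommissioned or unknown application: safe to schedule for removal.
    stale_rules = [r["id"] for r in rules
                   if owner_of(r) is not None
                   and apps.get(owner_of(r), {}).get("status") != "active"]
    # Required connectivity that no rule currently allows: an availability problem.
    uncovered_flows = [(name, flow) for name, app in apps.items()
                       if app["status"] == "active"
                       for flow in app["flows"]
                       if not any(rule_covers(r, flow) for r in rules)]
    return {"orphan_rules": orphan_rules, "stale_rules": stale_rules,
            "uncovered_flows": uncovered_flows}


if __name__ == "__main__":
    for key, value in audit(APPLICATIONS, RULES).items():
        print(f"{key}: {value}")
```

Note that rule 3 is flagged as an orphan even though it is the only rule allowing payroll's flow, so the right action is to tag it to payroll and narrow its source, not to delete it.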
And now a word from our sponsor.... Consider adding another arrow to your application security quiver – a new category of tools is emerging for application-centric security policy management. We are at the forefront of this movement with our announcement of BusinessFlow (part of the AlgoSec Security Management Suite), which translates application connectivity requests from application terms into the required rule changes, and provides the necessary visibility and understanding of the impact of security policy changes on application availability and vice versa. With a solution like BusinessFlow, security policy management for business applications can now be centralized and automated throughout their entire lifecycle, from deployment to ongoing maintenance and decommissioning.
Beyond the above tips, organizations should consider breaking down the invisible walls that typically prevent the different stakeholders (application owners, security admins, network operations) from effectively communicating with each other. By doing so, you may just end up with more efficient operations and better security.