So the day is finally arriving. Our ‘baby’ is getting married, the culmination of two years where we’ve seen him go through a different girl every week—or rather they went through him—some of whom met with his mother’s approval and most of whom did not, until finally he came home with the one who most definitely did not! Only to discover that after two years he’s marrying a blond version of his mother, so she now has total approval. Calum Macleod, Regional Director of Tufin Technologies, compares marriage to network compliance.
And the last few weeks have been the usual nightmare of organisation. Family arriving from all ends of the earth, all looking—like most Scots—for low cost (read ‘can we sleep on your floor— there’s only 25 of us’) accommodation. Trying to organise services, receptions, invitations etc., and through it all the groom is blissfully ignorant. In fact he just announced three days before the wedding that there’s a football game the night before the wedding which he’s planning to go to. Knowing his mother and his future wife, I think I’ve convinced him that this may not be the smartest move, for his own health.
But like most ‘users’, he is blissfully ignorant of what the simple statement ‘I’m getting married’ means. A bit like the user who tells the IT department, ‘I just need access to a certain application.’ The simple request from a user can frequently create a nightmare for most security departments, especially when it means changing firewall configurations.
I mean where do you start? Before you even consider what needs changing you need to go through a process to confirm that a user is authorised to access the system; that somebody has approved the request; that the request complies with organisational policy; that the requested service is not already available. Almost daily I receive requests asking for connection to systems that already exist.
And it goes on. What impact will the change have on other services? How long should the service be available? Where should access be allowed from? And once we’ve gone through all these considerations, somebody has to sit down and actually figure out the fine print. Like the wedding, some bright spark decided an order of service was necessary and who better to do this than the ‘computer expert’. So with poems and songs and liturgy coming from all sources, and in all formats, it’s been yours truly’s job to figure it out. And did I get it right first time? Oh no—it takes days to get it just right!
And this is frequently the nightmare for many firewall administrators. Converting a request into an actual change is not only time consuming, it is very often something that has to be redone because it has to be changed. Recently an acquaintance who is a firewall admin was having a crisis attack after he changed something on the firewalls at the weekend which caused a system to crash. He couldn’t make our lunch appointment because he wasn’t in the good books with his boss apparently, so was focusing on solving the problem—i.e. keeping his job. You might think that he could just reverse the process and that would be it, but it’s never that simple. Tracking changes is one of the biggest challenges for firewall admins.
The lack of automation and operational efficiency tools means administrators spend most of their time on repetitive, manual tasks in an attempt to enforce corporate policies across many distributed infrastructure components. Security managers need to give their staff the tools to automate the repetitive parts of the security lifecycle, so that less time goes on routine tasks and resources are invested more effectively. With automation, many manual analysis and auditing operations can be reduced from days to a matter of hours.
Recently Swisscom IT Service implemented an automated policy management solution, with the result, according to Swisscom, that they now have ‘an unprecedented amount of visibility and control over firewall operations.’ The automation provided them with an overall snapshot of the state of their firewalls that enables them to operate in a much more agile, proactive, and strategic manner. According to Swisscom: ‘We accomplish more in less time, with full confidence that we are operating in a secure, compliant fashion.’
Companies need to understand the business impact of network security and to demand a high level of transparency and accountability. At the same time, they are facing the need to comply with a variety of government, industry and regulatory security standards. As a result, companies are developing ever-more detailed and complicated security policies. Implementing them on the ground, over thousands of infrastructural components, is a time-consuming and error-prone process, especially when companies continue to rely on outdated manual processes and do not use the automation tools that exist.
To ensure that corporate security policies are implemented accurately and consistently, companies need to employ process automation to manage changes to security infrastructure. More than any manual process, change automation can ensure separation of duties and accountability. Every change to security infrastructure involves risk. As enterprise networks grow and become more complex, organisations struggle to ensure that routine security administration does not accidentally result in downtime or even business-level disruptions.
Organisations need automated risk analysis procedures that can proactively examine every change request in the context of both organisational security policy and current implementation realities. There’s no point having policies that are not being enforced on the ground. My car has a handbook that advises me to get it serviced every so often, but if I don’t then the consequences are clear!
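As an added illustration (not code from the article or from any vendor product), the pre-change checks listed earlier (approval, policy compliance, whether the service already exists) and the risk analysis described above can be sketched as one review function. The record shapes, policy keys and sample rules are all hypothetical, and the rule base is assumed to use first-match semantics with only full coverage considered.

```python
import ipaddress
from collections import namedtuple

# Hypothetical record shapes for a rule base and a change request.
Rule = namedtuple("Rule", "src dst port action")
Request = namedtuple("Request", "requester approver src dst port days")

# Constructed sample rule base and policy, for illustration only.
RULES = [
    Rule("10.20.0.0/16", "10.50.1.10/32", 443, "allow"),
    Rule("0.0.0.0/0", "10.50.2.0/24", 3389, "deny"),
]
POLICY = {"forbidden_ports": {23}, "min_src_prefix": 16, "max_days": 90}

def _covers(outer, inner):
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def first_match(rules, req):
    """Return the first rule that fully covers the request (partial overlaps ignored)."""
    for r in rules:
        if r.port == req.port and _covers(r.src, req.src) and _covers(r.dst, req.dst):
            return r
    return None

def review(req, rules, policy):
    """Return a list of findings; an empty list means the change can proceed."""
    findings = []
    if req.approver is None or req.approver == req.requester:
        findings.append("no independent approval")       # separation of duties
    if req.port in policy["forbidden_ports"]:
        findings.append("port forbidden by policy")
    if ipaddress.ip_network(req.src).prefixlen < policy["min_src_prefix"]:
        findings.append("source too broad")               # where access is allowed from
    if req.days is None or req.days > policy["max_days"]:
        findings.append("missing or excessive expiry")    # how long the access lasts
    hit = first_match(rules, req)
    if hit and hit.action == "allow":
        findings.append("already permitted by existing rule")
    elif hit and hit.action == "deny":
        findings.append("shadowed by existing deny rule")  # new rule would never fire
    return findings
```

A request that returns "already permitted by existing rule" needs no firewall change at all, which is the case of users asking for connections that already exist.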
According to Greg Young from Gartner: ‘Compliance and complexity are driving the requirement for better capability in optimising the existing firewall rules base, and examining the impact of any proposed rule changes.’ And experts will tell you that poorly configured firewalls remain a significant risk for many organisations. It’s not the technology that’s at fault, but rather the configuration and change control processes that are neglected or missing altogether. Best practice suggests you should test and review your firewall configuration regularly, but many organisations fail to do this. So in a few days from now our baby will dress up and do his bit. Everything will be automated down to the last toast. Now where’s the speech I used last time?