Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Business continuity information

Softening the business impact of security management

By Paul Clark, AlgoSec.

Security is always walking a fine line between enabling the business, and acting as a brake on agility and productivity.  Unfortunately for many organizations, it seems that their security infrastructure has stepped over the line and is holding them back.  When we surveyed 240 infosecurity, network operations and application professionals in autumn 2013, we found they were struggling with managing their critical business applications effectively, because of the sheer complexity involved.

Over half of the survey respondents reported that they had over 100 critical business applications in their data center /centre.  This means a heavy workload of application connectivity change requests for IT teams, to enable those applications to keep up with the evolving needs of the business.  45 percent of respondents said they have to manage over 11 requests every week, and 21 percent have more than 20 changes per week. 

A majority of respondents (59 percent) said each request takes more than 8 hours to process, with nearly a third saying that each change takes more than one business day.  And the typical time needed to deploy a new data center application was over 5 weeks, and in some cases more than 11 weeks. 

The reason why these business-driven changes take so long is that the network and security requirements for just a single application may need multiple policy enforcement points and firewall rules, which in turn may be linked to several other applications.  This complexity means that a small connectivity change in a given application can create a ripple effect, and introduce potential vulnerabilities, or risk causing an outage.  In fact, earlier in 2013 we found that application-related firewall rule changes caused outages, breaches or cut network performance for 80 percent of respondents.

Cutting complexity, understanding risk
The problem is that the complexity in applications and networks can’t easily be taken out of the equation because of the connectedness of systems, and the resulting interdependencies.  It’s no surprise, therefore, that our latest survey showed a majority of organizations want to be able to prioritise network vulnerabilities by business application, instead of by network segment or device – so that they can better understand and manage the real business impact and potential risks arising from any changes that are made.

So how do security professionals and business personnel get the application-driven visibility they need and want, to help reduce the impact of change management on their workload, while keeping the business both more agile and more secure? 

One of the key reasons why managing business application changes is such a drain on IT resources is that in many cases, the IT teams have to manually discover the devices and rules affected by a potential change, and then understand any potential change in risk or compliance levels.  This is time-consuming, tedious and error-prone. 

Automating these processes can significantly boost accuracy, reduce risk and significantly reduce the time to process changes, helping organisations to respond faster to business issues.  Let’s look at how this can be achieved, using an example of a typical business application in a data center.

Automatic for the business
Let’s take for example a payroll application.  Before making any changes to the application (such as enabling remote access from a new branch office), it’s essential to understand everything that the application needs from a communications and connectivity perspective, such as FTP between different servers on the network, SQL links between the portal and the database, and so on.  Then it’s necessary to know which firewalls and rule-sets are used in controlling access to the application, and how these are affected by the planned change. 

The right security management solution should help to visualise the application’s ‘workflow’ (i.e. its connections, the devices it relies upon and touches, and so on) and help IT and application teams track down potential traffic or connectivity issues, highlight areas of risk, and the current status of compliance with policies across the organization’s firewalls and routers.  It should also automatically pinpoint the exact devices that may need changes, which rules need to be added or modified, and indicate how to make those changes in the most efficient and secure way.  Having a dashboard view of application workflow, its security needs and so on, helps reduce human error and minimises the possible introduction of risks and outages.

This makes handling applications changes easier, faster and more predictable for IT teams, reducing the drain on IT resource and accelerating the flow of business, while ensuring that changes don’t introduce new vulnerabilities.  The ability to better manage change through automation can significantly reduce the business impact of security management – making security an enabler, rather than an anchor.

The author
Paul Clark is AlgoSec’s Regional Director for UK, Ireland, South Africa & the Middle East.

•Date: 6th December 2013 • World •Type: Article • Topic: ISM

Business Continuity Newsletter Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.

How to advertise How to advertise on Continuity Central.

To submit news stories to Continuity Central, e-mail the editor.

Want an RSS newsfeed for your website? Click here