IT disaster recovery, cloud computing and information security news

Implementing a lifecycle approach to network security policy management can speed up application deployment, whilst strengthening security and compliance says Joanne Godfrey…

Sometimes, it seems that IT security teams just can’t win.  They are judged on how they enable digital transformation initiatives and innovation, and are tasked with introducing new technologies to improve productivity and enable faster responses to market changes.  But they’re also expected to safeguard the organization’s critical applications and data in an increasingly complex threat landscape – which means they’re often seen as an obstacle to innovation and business agility.

This is particularly true when it comes to provisioning business application connectivity. When an enterprise rolls out a new application or migrates an application to the cloud, it can take weeks or even months to ensure that all the servers, devices and network segments can communicate with each other, and at the same time prevent access to hackers and unauthorized users.

This is in part because the infrastructure of even a medium-sized enterprise can include hundreds of servers and network devices such as firewalls and routers – and the addition of virtualized and hybrid cloud architectures only serves to compound this complexity. 

Then there is the never-ending cycle of application updates and changes.  For every single change, network and security teams need to understand how it affects the information flows between the various firewalls and servers the application relies on, and change connectivity rules and security policies to ensure that only legitimate traffic is allowed, without creating security gaps or compliance violations.

What’s more, communication between business and technical stakeholders is often lacking.  This isn’t too surprising:  each group speaks its own language, with application teams talking about business-level requirements, while network and security teams need to understand traffic flows, IP addresses and protocols.  Important information is siloed, with each group using its own tools for tracking business requirements, network topologies and security and compliance policies.

A brake on agility?

The result is that many enterprises take an ad-hoc approach to managing application connectivity:  they move quickly to address the needs of high-profile applications or to resolve imminent threats, but have little time left over to maintain network maps, document security policies, or analyze the impact of rule changes on applications. 

This haphazard approach contributes to delays in the release of applications, can cause outages and lost productivity, increases the risk of security breaches and acts as a brake on business agility.

However, it doesn’t have to be this way.  IT security does not have to accept more business risk to satisfy the demand for speed.  By managing application connectivity and network security policies through a structured lifecycle methodology, security teams can capture of all the major activities that should be followed when managing change requests that affect application connectivity and security policies.  This in turn enables applications to be deployed quickly and securely. 

Let’s look at each of the five stages involved in implementing this lifecycle approach:

1. Discover and visualize

The first stage involves creating an accurate, real-time map of application connectivity and the network topology across the entire organization, including on-premise, cloud and software-defined environments. Without this information, IT staff are essentially working blind, and will inevitably make mistakes and encounter problems down the line.  Security policy management solutions automate the connectivity discovery, mapping, and documentation processes for applications across the thousands of devices on networks - a task which is enormously time-consuming and labour-intensive if done manually.  In addition, the mapping process can help business and technical groups develop a shared understanding of application connectivity requirements.

2. Plan and assess

Once the business has a clear picture of its connectivity and network infrastructure, it can start to plan changes more effectively:  ensuring that proposed changes will provide the required connectivity, while minimizing the risks of introducing vulnerabilities, causing application outages, or compliance violations.

Typically, it involves translating application connectivity requests into networking terminology, analyzing the network topology to determine if the changes are really needed, conducting a proactive impact analysis of proposed rule changes (particularly valuable with unpredictable cloud-based applications), performing a risk and compliance assessment, and assessing inputs from vulnerabilities scanners and SIEM solutions.  Automating these activities as part of a structured lifecycle process keeps data up-to-date, saves time, and ensures that key steps are not omitted – helping to avoid configuration errors.

3. Migrate and deploy

Deploying connectivity and security rules can be a labour-intensive and error-prone process.  Security policy management solutions automate the critical tasks required, including designing rule changes intelligently, automatically migrating rules using intuitive workflows, and pushing policies to firewalls and other security devices – with zero-touch if no problems or exceptions are detected.  Crucially, the solution can also validate that the intended changes have been implemented correctly.  This last step is often neglected, creating the false impression that application connectivity has been provided, or that vulnerabilities have been removed, when in fact there are time bombs ticking in the network.

4. Maintain

Most firewalls accumulate thousands of rules which become outdated or obsolete over the years.  Bloated rulesets not only add complexity to daily tasks such as change management, troubleshooting and auditing, they can also impact the performance of firewall appliances, resulting in decreased hardware lifespan and increased TCO.

Cleaning-up and optimizing security policies on an ongoing basis can prevent these problems.  This includes identifying and eliminating, or consolidating redundant and conflicting rules; tightening overly permissive rules; reordering rules; and recertifying expired ones. A clean, well-documented set of security rules helps to prevent business application outages, compliance violations, and security gaps, and reduces management time and effort.

5. Decommission

Every business application eventually reaches the end of its life:  but when they are decommissioned, their security policies are often left in place, either by oversight or from fear that removing policies could negatively affect active business applications.  These obsolete or redundant security policies increase the enterprise’s attack surface and add bloat to the firewall ruleset.

The lifecycle approach reduces these risks. It provides a structured and automated process for identifying and safely removing redundant rules as soon as applications are decommissioned, while verifying that their removal will not impact active applications or create compliance violations.

Benefits of the lifecycle approach

The lifecycle approach enables organizations to structure their application connectivity management activities logically, which reduces risks by ensuring that the right activities are performed in the right order, consistently.

For example, failing to conduct an impact analysis of proposed firewall rule changes can lead to service outages when the new rules inadvertently block connections between components of an application.  A lifecycle approach helps to ensure this does not happen. 

By utilizing repeatable and automated processes organizations can respond faster to changing business requirements while reducing errors.  These structured, documented processes also make audit preparation and compliance work much easier.

Finally, it facilitates improved communication and collaboration across IT groups and senior management.  It helps bring together diverse application delivery, network, security, and compliance teams to ensure that infrastructure and security changes truly serve the evolving needs of the business – enhancing agility without introducing risks.

The author

Joanne Godfrey is director of communications at AlgoSec.

Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.