How do I select a policy automation solution for my business?

Organizations nowadays have to meet a growing number of regulatory, compliance and legal requirements. The more complex an organization is, the more time consuming these requirements become, especially for security teams.

A policy automation solution can greatly simplify this process, allowing security teams to deal with more important issues.

To select a suitable policy automation solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.

Ruvi Kitov, CEO, Tufin

When tackling policy automation for your organization, there are a few key things to remember. To begin with, before you even choose and implement a policy automation solution, you’ll need to ensure you have a deep understanding of your network’s topology. This is critical because you need accurate information in order to automate correctly. If you only end up automating accurately 50% of the time, then the solution can never be trusted.

When choosing solutions, be sure that the options you’re considering are based on a well-defined unified security policy that can be built automatically by the solution. Many organizations do not have a well-defined policy before they begin automating – and that’s OK – as long as the solution chosen can help them to solve this problem.

The other important critical functionality to consider when choosing a solution is whether it has the ability to scale. The network and cloud environment you’re dealing with today may not be the environment you have tomorrow. The policy automation solution should easily expand as new network and cloud security controls are added. Finding a solution now that has the ability to easily scale alongside your company’s growth will save you headaches in the future.

Haywood Marsh, General Manager, NAVEX Global

Good security is security that’s easy to follow. As a result, organizations should seek solutions that automate the policy compliance process, allowing the business to seamlessly meet regulatory, legal and operational requirements. While the web of regulations, contractual obligations and industry standards continues to grow, policy automation should help abstract the noise, allowing teams to consolidate policies and controls that help ensure ongoing compliance.

When selecting a policy automation solution, organizations should look for features that enable automation of the policy lifecycle and workflow to operationalize compliance and risk management—including drafting, editing, approving, distributing, gaining employee attestation, linking controls to policies, testing and remediating those controls and maintaining an auditable database of records. Moreover, policy automation should include a unified repository store of compliance mandates and policies and empower the team with operational and security controls that are mapped to regulations, standards and even contracts.

Automation should help facilitate the management of compliance efforts while mitigating risk–enabling organizations to map IT risks to business risks for a holistic perspective. Last, I urge organizations to consider a solution that helps them achieve ongoing compliance by assessing new assets as they’re added to the environment, continuously monitoring and alerting to change that would move systems out of compliance, and one that actively reflects new policy updates as they are made.

Justin Silverman, SVP of Product Management and Product Strategy, Mitratech

Policy automation begins first with a structured process for developing, reviewing, approving and publishing policies.

For this stage, a strong policy automation solution should have:

• A single repository for all policies within the organization
• Robust tools for review and collaborative editing
• Automated workflows for approval routing
• Auditable history of edits and policy approvals

The second stage for policy automation is the distribution of policies and the associated affirmations, knowledge testing, and data collection. Buyers should be looking for:

• Tools for employees to formally accept the policy requirements or raise exception requests
• Assessment and/or training capabilities to validate that the employee understands the policy
• Automated policy-related processes that trigger on events such as new hire onboarding
• Ability for employees to submit forms or documents related to policies, such as gift disclosures

Finally, buyers of any automation software should be looking for applications that are flexible and easy-to-use. Workflow tools that are no-code or low-code, that integrate with multiple in-house systems (e.g. sharepoint), and that have simple analytics are often the most flexible. With an intuitive solution you can virtually eliminate the need to train internal staff and also drive adoption throughout the organization, thereby maximizing ROI.

Avishai Wool, CTO, AlgoSec

Digital transformation compels application development teams to move quickly in order to launch large-scale initiatives such as microsegmentation, infrastructure modernization or the move to the cloud. The challenge with trying to move faster is defending against the ever-growing onslaught of security threats. Thus, an intelligent policy automation suite must speed up application deployment without sacrificing any security requirements.

All stages in the application delivery pipeline need to work smoothly. By choosing an app-centric policy automation platform that lives at the intersection of network infrastructure, security policy and applications, an organization can align their DevSecOps with application delivery, meaning projects get completed quicker and changes work as intended.

It’s also key to find a solution that can automate security policies across the entire application delivery pipeline, from build to monitoring and reporting, mitigating risk without compromising agility, with powerful API capabilities. The solution should provide a documented audit trail across both cloud and on-premise environments and support all the relevant network security technologies in use by the organization. And – a good policy automation suite needs to include methods to discover the connectivity requirements of existing applications.