Removing risk from network and security change management
“There is nothing wrong with change, if it’s in the right direction,” said Winston Churchill. But speak to a hard-pressed CSO or CIO, and they’ll tell you that any type of change is a potential risk. Most will happily take a lot less change in order to get better security.
The issue is that every new hire, every software patch or upgrade, and every network update opens up a security gap and increases the organization’s risk exposure. This situation becomes further complicated in larger organizations, which may have a mixed security estate comprising traditional, next-generation and virtualized firewalls from multiple vendors, all with hundreds of policies and thousands of rules.
Then there are unexpected, quick-fix changes, often requested by board-level staff, for access to specific resources or capabilities. In some cases, the change is made in a rush (who wants a C-level exec breathing down their neck because he wants to access the network from his new tablet right now?), without sufficient consideration of whether that change is allowable under current security policies, or if it introduces new exposure to risk.
Add to these internal issues the ever-growing number of external threats, from malware, hacking and social engineering exploits, it’s no wonder that both IT and security teams find change, although inevitable, introduces many more challenges than they would like.
So, how should security and IT teams work together to manage change and get better control of security-related change issues? How should they approach updating their complex security infrastructure and policies to ensure better system availability and security?
Let’s work together
The first step is to ensure that IT and security teams are working in harmony with each other. In many larger companies, routine IT operational and administrative tasks may be handled by a different team to that handling security and risk-related tasks.
Although both teams are working toward the same end, decisions made by one may lead to issues for the other – such as the earlier example of the executive wanting to add his new tablet to the network. Sometimes these situations can be dealt with in a rush, to get them out the way, with the full intention of dealing with any security issues afterward. But this latter, crucial element may get overlooked.
So it’s worth recognising the potential for these pitfalls, and implement measures to help improve coordination between different teams. You can’t always predict exactly when users will make requests to add new devices to the network, but you can certainly prepare a routine for dealing with those requests as they arise.
Bringing both teams together to prepare routemaps for these situations – and for other “knowns’ such as network upgrades, change freezes, and audits – helps to minimise the risk of these changes causing security holes.
To build these routemaps, it’s essential to understand your network’s topology, which can be extremely complex in multi-site, enterprise environments. Where are the main conduits and choke points for traffic flow? Where are the potential vulnerabilities? How are the various firewalls on the network configured, and what security policies and rules are active on those devices?
The answers to these questions help you to identify and target those areas with potential security gaps. However, the pace of ongoing infrastructure changes – not to mention the speed at which external threats evolve – means that manual, periodic network and risk assessments are simply not frequent enough to enable staff to keep up.
So as well as being able to visualise the network, you need near real-time responses to network issues, and the ability to quickly access all types of firewall and apply changes in a way that is both compliant with security policies and fully auditable. This demands automation for these critical, labour-intensive tasks.
Why automate these tasks? Put simply, organisations cannot afford not to automate. In 2011, we surveyed senior IT and infosecurity staff on their firewall management issues. 66% said that human error was the primary cause of network security outages – in other words, simple mistakes being made in manually assessing or applying firewall rules or policies.
Respondents also said that firewall management required the greatest investment of their time, as well as causing the most network disruptions. 73% cited a high number of changes as the main reason for their time investment in managing security gateways. The survey clearly highlighted several needs: a dashboard view of security, availability and compliance issues, a reduction in human error, and prioritised action points to help reduce critical risks.
Automation helps staff move away from firefighting and being bounced reactively between incidents, and helps them gain control. The right solution can help teams track down potential traffic or connectivity issues, highlights areas of risk, and the current status of compliance with policies across mixed estates of traditional, next-generation and virtualized firewalls. It can also automatically pinpoint the exact devices that may need changes, and show how to design and implement that change in the most secure way.
This not only makes firewall change management easier and more predictable across large estates and multiple teams, but also frees staff to handle more strategic security and compliance tasks, because the solution is handling much of the heavy lifting.
An additional benefit comes in optimising the performance of firewalls and gateways. Don’t forget, firewalls typically process their rulesets sequentially until they find one that matches traffic. How many rules have been added to your firewalls in recent years? Ruleset sprawl will drain performance. By filleting unused rules from your firewalls, and prioritising those rules that are most frequently used, you cut the amount of processing the device has to do.
So, constant changes don’t have to be a bugbear for IT and security teams. The ability to better manage change through automation can make a real difference to a company’s security stance.