SecurityWeek

Application Security

Managing Security with the Business in Mind

Today’s businesses must be able to rapidly adapt to changing market conditions – to support a new venture, merger/acquisition, etc. As business needs change, so too must the underlying security policies.

For example, while a firewall filters network traffic, it also enables connectivity needed by critical applications to function properly. As the security policies required to protect networks, applications and data continue to change and grow in number and complexity, it’s becoming almost impossible to manage them manually. It’s simply too cumbersome, inefficient, and error-prone. The result is often increased costs, risk, and the inability for IT security and operations teams to ultimately keep up with the speed of the business.

Here is where automation makes a BIG difference. An approach that automates all phases of the policy management lifecycle, from initial creation and implementation to ongoing monitoring, change processing, and auditing, is important. But it’s just the start. Just as many critical IT functions have evolved to become application-centric (because our networks and organizations are powered by business applications), so too must security policy management.

The challenge is that, historically, security and business requirements compete, and thus we have the age-old dilemma of security or agility. Either the organization is more risk averse and accepts more limitations, which impact productivity, or the organization is willing to take on more risk for the benefit of operational efficiency and agility.

But what if you could manage security policies from the perspective of the business applications they are intended to support? What if you were able to do this without demanding an intimate knowledge of detailed, hard-to-grasp network-level attributes – effectively aligning security with the business?

Here are some things to consider:

Underneath business needs is a whole lot of complexity

No longer is “allow service XYZ from IP Address 1 to IP Address 2” sufficient for critical applications in the network or datacenter. There are now far more business applications – with complex, multi-tier architectures, multiple components, and convoluted, underlying communication patterns – driving network security policies.

Additionally, an individual “communication” may need to cross multiple policy enforcement points, while individual rules may, in turn, support multiple distinct applications. Oftentimes this nets out to be an extremely complex scenario characterized by hundreds, or even thousands of policies, with many potential interdependencies, configured across tens to hundreds of devices, supporting equally as many business-critical applications.


As if this wasn’t complicated enough, organizations have adopted the “less than ideal” approach, where connectivity requirements for business applications are specified and maintained in completely separate repositories, managed by different owners with varying levels of information and accuracy and little to no correlation with the policies that must ultimately be configured.

IT and the business need to work hand-in-hand

I will repeat what I wrote in an article last year on how to better work with your network operations colleagues, and build upon it. The process of sharing, interpreting, and accurately translating the disparately stored application connectivity information into effective security policies is entirely too cumbersome and error-prone, essentially creating a gap between network, security, and applications teams. It holds back opportunities to maximize application availability, reduce risk from unauthorized access, and to unlock greater degrees of IT agility.

Within IT, each department typically has its own objectives and even its own language. Application developers and owners focus on features and functions, the different tiers and components of their applications, data, and ensuring broad accessibility. In many cases, they aren’t even concerned with the underlying server hardware anymore.

Meanwhile, the networking team concentrates on routing and connectivity while communicating in terms of subnets, IP addresses, ports and protocols. And security professionals are consumed with threats, vulnerabilities, risks, compliance and limiting which users have access to which resources (which is at odds with the accessibility and availability that application owners demand).

The differences in responsibilities and terminology result in the great divide with key requirements getting ‘lost in translation’. As a result, application and network outages are all too common, security is unnecessarily compromised, and network performance is adversely impacted.

All about the Applications

By taking an application-centric approach to security policy management, organizations can alleviate the overwhelming complexity that has been created by accommodating each stakeholder and aligning their many requirements. By enabling the underlying security policies to be managed from the perspective of the applications they support as opposed to the networking attributes ultimately used to enforce them, organizations can bridge the gap between network, security, and applications teams, increase efficiency and agility, and avoid errors that result in security risk or outages – all in the name of serving the needs of the business.
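To make the application-centric approach concrete, here is an added example (not code from the article or from any product it alludes to) that models what the two sections above describe: applications declare connectivity in their own terms (tiers and flows), a tool derives the network-level rules each enforcement point needs, and it keeps the reverse mapping from rule to applications so that a change request can be assessed for impact before it is made. The zone topology, address ranges, application names and firewall names are all constructed and hypothetical.

```python
"""Application-centric policy model (constructed example).

Applications are described as tiers and flows; the network view (which
enforcement point must carry which rule) is derived, and every rule records
the applications that depend on it. A flow that crosses several zones yields
rules on several devices, and one rule may serve several applications.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed topology: (zone_a, zone_b, enforcement point between them).
LINKS = [
    ("internet", "dmz", "edge-fw"),
    ("dmz", "app", "core-fw"),
    ("app", "db", "core-fw"),
    ("corp", "app", "core-fw"),
]

# Constructed: which zone each address range belongs to.
ZONE_OF = {
    "0.0.0.0/0": "internet",
    "10.1.0.0/24": "dmz",
    "10.2.0.0/24": "app",
    "10.3.0.0/24": "db",
    "10.9.0.0/16": "corp",
}


@dataclass(frozen=True)
class Rule:
    """A network-level rule as a firewall would see it."""
    device: str
    src: str
    dst: str
    proto: str
    port: int


@dataclass(frozen=True)
class Flow:
    """A connectivity requirement in the application owner's language."""
    src_tier: str
    dst_tier: str
    proto: str
    port: int


@dataclass
class Application:
    name: str
    tiers: Dict[str, List[str]]   # tier name -> address ranges
    flows: List[Flow]


def enforcement_points_on_path(src_zone: str, dst_zone: str) -> List[str]:
    """Breadth-first search over the zone graph; returns the devices crossed,
    in order. An intra-zone flow crosses nothing and needs no rule."""
    adj: Dict[str, List] = {}
    for a, b, dev in LINKS:
        adj.setdefault(a, []).append((b, dev))
        adj.setdefault(b, []).append((a, dev))
    prev = {src_zone: None}
    queue = deque([src_zone])
    while queue:
        zone = queue.popleft()
        if zone == dst_zone:
            break
        for nxt, dev in adj.get(zone, []):
            if nxt not in prev:
                prev[nxt] = (zone, dev)
                queue.append(nxt)
    if dst_zone not in prev:
        raise ValueError(f"no path from {src_zone} to {dst_zone}")
    path = []
    zone = dst_zone
    while prev[zone] is not None:
        zone, dev = prev[zone]
        path.append(dev)
    return list(reversed(path))


def compile_rules(apps: List[Application]) -> Dict[Rule, Set[str]]:
    """Derive rule -> {applications that need it} from application flows."""
    needed: Dict[Rule, Set[str]] = {}
    for app in apps:
        for f in app.flows:
            for src in app.tiers[f.src_tier]:
                for dst in app.tiers[f.dst_tier]:
                    for dev in enforcement_points_on_path(ZONE_OF[src], ZONE_OF[dst]):
                        needed.setdefault(Rule(dev, src, dst, f.proto, f.port), set()).add(app.name)
    return needed


def affected_applications(needed: Dict[Rule, Set[str]], rule: Rule) -> List[str]:
    """Impact analysis: which applications break if this rule is removed."""
    return sorted(needed.get(rule, set()))


def rules_for_device(needed: Dict[Rule, Set[str]], device: str) -> List[Rule]:
    """The subset of derived rules a given enforcement point must carry."""
    return sorted((r for r in needed if r.device == device),
                  key=lambda r: (r.src, r.dst, r.proto, r.port))


# Constructed sample applications: a three-tier shop and an internal HR portal
# that share the same database tier.
SAMPLE_APPS = [
    Application("web-shop",
                {"clients": ["0.0.0.0/0"], "web": ["10.1.0.0/24"],
                 "app": ["10.2.0.0/24"], "db": ["10.3.0.0/24"]},
                [Flow("clients", "web", "tcp", 443),
                 Flow("clients", "app", "tcp", 8443),   # partner API, crosses two firewalls
                 Flow("web", "app", "tcp", 8080),
                 Flow("app", "db", "tcp", 5432)]),
    Application("hr-portal",
                {"users": ["10.9.0.0/16"], "app": ["10.2.0.0/24"], "db": ["10.3.0.0/24"]},
                [Flow("users", "app", "tcp", 443),
                 Flow("app", "db", "tcp", 5432)]),
]

if __name__ == "__main__":
    needed = compile_rules(SAMPLE_APPS)
    for device in ("edge-fw", "core-fw"):
        print(f"== {device} ==")
        for r in rules_for_device(needed, device):
            print(f"  allow {r.proto}/{r.port} {r.src} -> {r.dst}   apps: {sorted(needed[r])}")
```

Running it shows the two effects the article names: the partner-API flow produces a rule on both `edge-fw` and `core-fw`, and the `app -> db` rule on `core-fw` is owned by both applications, so a request to retire that rule when one application is decommissioned can be rejected because the other still depends on it.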

Related: Network Security Considerations for SDN
