With So Many Firewalls and Rules, Most Security Administrators Have No Visibility Into What Each Application Requires...
Enterprise applications are the lifeblood of every organization – whether commercially available, homegrown or a combination thereof, no organization can thrive without the applications that run both its internal operations (email, HR, Finance etc.) as well as its customer and partner facing operations (E.g. Online banking if you’re a bank, or E-Commerce if you are an online retailer).
Much like Network Security, application development has seen a dramatic rise in complexity. Large organizations run hundreds if not thousands of applications, and new applications need to be introduced to the network or decommissioned on a weekly basis. Changes to existing applications are even more frequent, further contributing to the rise in complexity.
So where does security come in? Well, it is no secret that application vulnerabilities are a prime vector for attacks, and as such security practitioners focus a lot of their time on securing applications. But one aspect of securing enterprise applications often overlooked and almost always poorly handled in organizations is securing application connectivity!
Before we dive in to the problem, let’s briefly review the current efforts to secure applications:
• Static Analysis Software Testing (SAST) – Primarily a task of the application development group (although security practitioners would be wise to encourage or even mandate it). SAST tools have access to source code and/or binaries, and analyze them for potential security vulnerabilities. The result should be a more secure application development.
• Dynamic Analysis Software Testing (DAST) – A complimentary technology to SAST (although sometimes mistakenly viewed as a competitive/alternate technology). DAST tools detect security vulnerabilities in applications in running state.
• Web Application Firewalls (WAF) – Deployed to protect web applications, WAFs monitor HTTP conversations to protect against common attacks such as Cross-site Scripting (XSS) or SQL Injections.
So why is application connectivity a security issue? As we all know, modern applications are complex collections of web servers, application servers, databases and more. In order to operate, applications require complex connectivity between different components, and often even 3rd party sites. How is this done? You guessed it, by “poking holes” in firewalls and related security infrastructure.
But with so many firewalls and rules, most security administrators have no visibility into what each application requires –resulting in overly permissive security policies, which also include many rules for decommissioned applications that nobody dares to remove.
Here are some tips for improving application-centric security management:
• Document applications and their connectivity needs ¬- This can be done in CMDBs, excel sheets or other solutions as long as they can be maintained.
• Map firewall rules to applications – Whether you use comment fields, or more sophisticated automated tools, having this visibility will allow you to ensure the required application connectivity and only the required connectivity, is in fact enabled by the security policy.
• Think in application terms when it comes to change management – Most firewall changes are driven by applications (Isn’t that why you really want to allow “Service X” between two IP addresses?). Make sure you can associate all changes related to each application, so they can be removed when the application is decommissioned.
• Consider adding another arrow to your application security quiver – A new category of tools is emerging for application-centric security policy management. Organizations should evaluate these tools to see if they can make their enterprise applications more secure.
Complex connectivity requirements involve multiple parties, such as application owners and firewall administrators. Beyond the above tips, organizations should consider a culture change that involves breaking down the invisible walls that typically prevent these different stakeholders from effectively communicating with each other – all in the name of better security.