In my previous SecurityWeek column, I wrote about Managing Security with the Business in Mind and discussed briefly the importance of taking an application-centric approach to security policy management. I’d like to drill down into that a bit more because critical applications fuel the business and oftentimes there is a disconnect between the business requirements and the security policy. Aligning the two will ultimately improve security (e.g. safely removing firewall rules no longer in use by decommissioned applications) and allow IT to keep up with the dynamic needs of the business (e.g. processing changes much more quickly and enabling faster service delivery). The problem is, it’s not that simple!
To quickly recap, complexity is a killer of security and agility. Yet complexity rules our networks. As businesses have become more application-centric in terms of processing and storing critical data, the way these applications talk to other components in the network has become much more convoluted. A sync point for just one application may need to cross multiple policy enforcement points, and an individual firewall rule may support multiple applications. We’ve spun a web of complexity with many interdependencies across what can amount to thousands of rules across hundreds of devices, spread out all over the world. You get the point.
The sheer complexity of any given network and all of these application-related interdependencies can lead to a lot of mistakes – whether opening security gaps or most likely causing outages and disruptions to key applications, segments of the network or even possibly the entire network. According to recent research, application-related firewall rule changes cause outages, breaches and/or decreased network performance for 80 percent of responding organizations.
Applications Drive the Business
The first step is to recognize that we’re in an application-driven business environment. If a critical application is down or performing at a non-peak level, the business will suffer. At a technical level, it means recognizing that most firewall changes are driven by business applications, and understanding their impact on those applications and on the network by making sure that every firewall change request is associated with the appropriate application. The change process is where things often fall down (as the 80 percent figure above shows). Today’s enterprise systems have become super-interconnected to other systems both inside and outside of the company walls, and having visibility of all of this is very important – both from the perspective of security professionals and business personnel.
Applications Store and Process a Lot of Valuable Information
Step two is to recognize that valuable information – what the bad guys are after – is often stored behind vulnerable applications. Do you have visibility of the application connectivity needs and how data is flowing across your network?
Each business application within an organization should have an associated data classification so security personnel can effectively define controls around specific applications that are storing/using valuable data.
Since we all know we can’t possibly plug every hole in the dam, it comes down to putting our resources to use in the most effective and efficient way possible so we get the biggest bang for our buck. Oftentimes, organizations spend a whole lot of time (and money) building strong security controls around applications containing public data which have minimal or no impact on revenue generation.
If we go back to the concept of managing security with the business in mind, security teams should be providing value to the business lines they serve. Too often this concept gets lost in the day-to-day grind, but the business is what provides our paychecks and at the end of the day everything security does should be to serve the business. Efficiently classifying data used by business critical applications is one effective way of doing just this.
Once classifications are in place, the next step is to map application data flows, including all egress and ingress data flows to enterprise systems. You can gain additional value by mapping vulnerabilities to these data flows to understand how an application is exposed (Tip – look for systems with sensitive data classifications with egress data flows to less secure systems). For example, a highly secured application that is storing or processing personally identifiable information (PII) is leaving data exposed if the application flow has the data moving to a vulnerable or poorly secured system.
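As an added example (not from the column), the tip above and the rule cleanup mentioned at the start can be expressed as a check over an application inventory. The data model, application names, rule IDs and vulnerability labels below are assumptions constructed for illustration, not values from any real environment:

```python
"""Constructed inventory check: flag egress flows from sensitive applications
to less secure or vulnerable destinations, and list firewall rules that no
longer back any active application (removal candidates)."""
from dataclasses import dataclass, field

CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "pii": 3}
TIER_RANK = {"low": 0, "medium": 1, "high": 2}  # assumed security tiers


@dataclass
class App:
    name: str
    classification: str
    tier: str
    rules: set           # firewall rule IDs that support this application
    active: bool = True  # False once the application is decommissioned
    vulns: list = field(default_factory=list)  # open findings on the host


def risky_egress(apps, flows, min_class="confidential"):
    """Return (src, dst, port, reason) for flows where a source at or above
    min_class sends data to a lower-tier or vulnerable destination."""
    findings = []
    for src, dst, port in flows:
        s, d = apps[src], apps[dst]
        if CLASS_RANK[s.classification] < CLASS_RANK[min_class]:
            continue
        reasons = []
        if TIER_RANK[d.tier] < TIER_RANK[s.tier]:
            reasons.append(f"dst tier {d.tier} < src tier {s.tier}")
        if d.vulns:
            reasons.append("dst has open vulns: " + ", ".join(d.vulns))
        if reasons:
            findings.append((src, dst, port, "; ".join(reasons)))
    return findings


def orphaned_rules(apps, all_rules):
    """Rules not referenced by any active application, sorted by ID."""
    in_use = set().union(*(a.rules for a in apps.values() if a.active))
    return sorted(all_rules - in_use)


# Constructed sample inventory (hypothetical applications and rule IDs).
APPS = {
    "hr-payroll": App("hr-payroll", "pii", "high", {"R1", "R2"}),
    "analytics": App("analytics", "internal", "low", {"R3"},
                     vulns=["unpatched-db-service (constructed)"]),
    "web-public": App("web-public", "public", "medium", {"R4"}),
    "old-crm": App("old-crm", "confidential", "high", {"R5"}, active=False),
}
FLOWS = [("hr-payroll", "analytics", 5432), ("web-public", "hr-payroll", 443),
         ("hr-payroll", "web-public", 443)]
ALL_RULES = {"R1", "R2", "R3", "R4", "R5", "R6"}  # R5: decommissioned app, R6: no owner
```

Running `risky_egress(APPS, FLOWS)` flags both hr-payroll egress flows, and `orphaned_rules(APPS, ALL_RULES)` returns the rule left behind by the decommissioned application plus the ownerless one.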
The complexity of today’s networks, the business’ demand for always-on accessibility and availability, and the advanced threat methods being used today make security tougher to manage than ever before. If we step back and look at this through an application lens, we can set ourselves up for better security that enables the business to run effectively and efficiently.