Connect with us

Hi, what are you looking for?


Application Security

Managing Security with the Business in Mind

Today’s businesses must be able to rapidly adapt to changing market conditions – to support a new venture, merger/acquisition, etc. As business needs change, so too must the underlying security policies.

Today’s businesses must be able to rapidly adapt to changing market conditions – to support a new venture, merger/acquisition, etc. As business needs change, so too must the underlying security policies.

For example, while a firewall filters network traffic, it also enables connectivity needed by critical applications to function properly. As the security policies required to protect networks, applications and data continue to change and grow in number and complexity, it’s becoming almost impossible to manage them manually. It’s simply too cumbersome, inefficient, and error-prone. The result is often increased costs, risk, and the inability for IT security and operations teams to ultimately keep up with the speed of the business.

IT Security Requirements for BusinessHere is where automation makes a BIG difference. An approach that automates all phases of the policy management lifecycle, from initial creation and implementation to ongoing monitoring, change processing, and auditing is important. But it’s just the start. Just as many critical IT functions have evolved to become application-centric (because our networks and organizations are powered by business applications), so too must security policy management.

The challenge is that historically, security and business requirements compete and thus we have the age-old dilemma of security or agility! Either the organization is more risk averse and has more limitations, which impact productivity or the organization is willing to take on more risk for the benefit of operational efficiency and agility.

But what if you could manage security policies from the perspective of the business applications they are intended to support? What if you were able to do this without demanding an intimate knowledge of detailed, hard-to-grasp network-level attributes – effectively aligning security with the business?

Here are some things to consider:

Underneath business needs is a whole lot of complexity

No longer is “allow service XYZ from IP Address 1 to IP Address 2” sufficient for critical applications in the network or datacenter. There are now far more business applications – with complex, multi-tier architectures, multiple components, and convoluted, underlying communication patterns – driving network security policies.

Advertisement. Scroll to continue reading.

Additionally, an individual “communication” may need to cross multiple policy enforcement points, while individual rules may, in turn, support multiple distinct applications. Oftentimes this nets out to be an extremely complex scenario characterized by hundreds, or even thousands of policies, with many potential interdependencies, configured across tens to hundreds of devices, supporting equally as many business-critical applications.

As if this wasn’t complicated enough, organizations have adopted the “less than ideal” approach, where connectivity requirements for business applications are specified and maintained in completely separate repositories, managed by different owners with varying levels of information and accuracy and little to no correlation with the policies that must ultimately be configured.

IT and the business need to work hand-in-hand

I will repeat what I wrote in an article last year on how to better work with your network operations colleagues, and build upon it. The process of sharing, interpreting, and accurately translating the disparately stored application connectivity information into effective security policies is entirely too cumbersome and error-prone, essentially creating a gap between network, security, and applications teams. It holds back opportunities to maximize application availability, reduce risk from unauthorized access, and to unlock greater degrees of IT agility.

Within IT, each department typically has its own objectives and even language that it uses. Application developers and owners focus on features and functions, the different tiers and components of their applications, data, and ensuring broad accessibility. In many cases, they aren’t even concerned with underlying server hardware any more.

Meanwhile, the networking team concentrates on routing and connectivity while communicating in terms of subnets, IP addresses, ports and protocols. And security professionals are consumed with threats, vulnerabilities, risks, compliance and limiting which users have access to which resources (which is at odds with the accessibility and availability that application owners demand).

The differences in responsibilities and terminology result in the great divide with key requirements getting ‘lost in translation’. As a result, application and network outages are all too common, security is unnecessarily compromised, and network performance is adversely impacted.

All about the Applications

By taking an application-centric approach to security policy management, organizations can alleviate the overwhelming complexity that has been created by accommodating each stakeholder and aligning their many requirements. By enabling the underlying security policies to be managed from the perspective of the applications they support as opposed to the networking attributes ultimately used to enforce them, organizations can bridge the gap between network, security, and applications teams, increase efficiency and agility, and avoid errors that result in security risk or outages – all in the name of serving the needs of the business.

Related: Network Security Considerations for SDN

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.