Mind the Gap: Why Aligning Security, Operations and Application Owners Can Improve Security and Business Agility
By Paul Clark, AlgoSec’s Regional Director for UK, Ireland, South Africa & the Middle East
As the security policies required to protect today’s networks continue to grow in volume and complexity, manual approaches for managing them are rapidly becoming untenable. Such methods are simply too cumbersome, inefficient, and error-prone, resulting in increased cost and risk, and leaving IT security and operations teams unable to keep pace with the needs of the business.
What organizations need instead is an approach that automates all phases of the policy management lifecycle, from initial creation and implementation to ongoing monitoring, change processing, and auditing. But that’s just the start. Just as many critical IT functions have evolved to become application-centric, so too must security policy management.
Ideally, it should be possible to manage security policies from the perspective of the business applications they are intended to support, as opposed to requiring an intimate knowledge of nebulous, network-level attributes.
Although networks and applications were once simple enough that “allow service XYZ from IP Address 1 to IP Address 2” was sufficient, that is no longer the case. There are now far more enterprise applications – with complex, multi-tier architectures, far-flung components, and convoluted, underlying communication patterns – driving today’s network security policies.
In addition, any individual “communication” may need to traverse multiple policy enforcement points, while individual rules may, in turn, support multiple distinct applications. The net result is a far more complex scenario characterised by hundreds or even thousands of policies, with many potential – but not always obvious – interdependencies, configured across tens to hundreds of devices, in support of equally many business-critical applications.
By failing to evolve to address this increasing complexity, traditional solutions have also forced IT to adopt a less than ideal approach, where connectivity requirements for business applications are specified and maintained in completely separate repositories.
The challenge with these information stores – which include various databases, manually maintained spreadsheets and even the memories of individual administrators themselves – is that they are often out-of-date, unreliable, difficult to access, and in no way connected to or correlated with the policies that are ultimately configured. In addition, the process of sharing, interpreting, and accurately translating whatever information they do contain into effective policies is entirely too cumbersome and error-prone.
Mind the policy gap
This has created a major gap between network, security, and applications personnel in IT departments, one that holds back opportunities to maximise application availability, reduce the risk of unauthorised access, and unlock greater IT agility.
Within IT, each department typically has its own objectives and even language that it uses. Application developers and owners focus on features/functions, the different tiers/components of their applications, data, and ensuring broad accessibility. In many cases, they aren’t even concerned with underlying server hardware any more. Meanwhile, the networking team concentrates on routing and connectivity while communicating in terms of subnets, IP addresses, ports and protocols. And security professionals are consumed with threats, vulnerabilities, risks, compliance and – much to the chagrin of the application folks – strictly limiting which users have access to which resources. This all works well enough for the most part. It’s when these groups have to work together that problems arise.
All too often the differences in responsibilities and terminology result in key requirements getting ‘lost in translation’ – or simply being ignored due to a lack of understanding. As a result, applications end up ‘broken’ or inaccessible; security is unnecessarily compromised; and network performance is adversely impacted.
There’s a policy for that
Having a solution that incorporates an application-centric approach to security policy management alleviates this situation by accommodating each IT constituency and providing the means to fluidly translate and navigate between their different requirements.
What today’s organisations need to address this situation is an application-centric approach to security policy management – one that incorporates application connectivity management as an integral component, and enables the derivative policies to be managed from the perspective of the applications they support (rather than the networking attributes ultimately used to enforce them).
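As an added example that is not part of the article and not AlgoSec’s own code, the following Python models the correlation this paragraph (and the earlier one on multiple enforcement points and shared rules) describes: application owners supply flows in their own terms, the network is a chain of zones with a firewall on each boundary, and the security team’s rules are matched against each flow on every device it traverses. From that single correlation it derives the connectivity gaps (a requirement with no rule on some device), the rules that several applications depend on, and what decommissioning one application would actually free up. The zone names, addresses, device names and rule names are all constructed for illustration.

```python
"""Correlate application connectivity requirements with firewall rules.

Constructed example of application-centric policy management: flows are
described per business application, enforcement points sit between zones,
and the functions below tie each flow to the rule that carries it on each
device along its path.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    app: str          # business application this requirement belongs to
    src: str          # source host or CIDR (constructed addresses)
    dst: str          # destination host or CIDR
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    device: str       # enforcement point the rule is configured on
    name: str
    src: str
    dst: str
    ports: frozenset
    proto: str = "tcp"


# Constructed topology: zones in path order, and the device on each boundary.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.1.0.0/24"),
    "app": ip_network("10.2.0.0/24"),
    "db": ip_network("10.3.0.0/24"),
}
ZONE_ORDER = ["internet", "dmz", "app", "db"]
BOUNDARY_DEVICE = {("internet", "dmz"): "fw-edge",
                   ("dmz", "app"): "fw-core",
                   ("app", "db"): "fw-core"}


def zone_of(cidr: str) -> str:
    """Most specific zone (longest prefix) containing the host or prefix."""
    net = ip_network(cidr, strict=False)
    candidates = [(z.prefixlen, name) for name, z in ZONES.items() if net.subnet_of(z)]
    return max(candidates)[1]


def devices_on_path(src: str, dst: str) -> list:
    """Enforcement points a flow traverses, in order, without repeats."""
    i, j = ZONE_ORDER.index(zone_of(src)), ZONE_ORDER.index(zone_of(dst))
    step = 1 if j >= i else -1
    devices = []
    for k in range(i, j, step):
        a, b = sorted((ZONE_ORDER[k], ZONE_ORDER[k + step]), key=ZONE_ORDER.index)
        dev = BOUNDARY_DEVICE[(a, b)]
        if dev not in devices:   # one device may guard two consecutive boundaries
            devices.append(dev)
    return devices


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """True if the rule permits every address and the port the flow needs."""
    return (rule.proto == flow.proto
            and flow.port in rule.ports
            and ip_network(flow.src, strict=False).subnet_of(ip_network(rule.src))
            and ip_network(flow.dst, strict=False).subnet_of(ip_network(rule.dst)))


def correlate(flows, rules):
    """Map each flow to {device: rule name or None} along its path.

    None marks a device with no rule for that flow: the requirement exists in
    the application owner's repository but never made it into the policy.
    """
    result = {}
    for f in flows:
        per_device = {}
        for dev in devices_on_path(f.src, f.dst):
            match = next((r for r in rules if r.device == dev and rule_covers(r, f)), None)
            per_device[dev] = match.name if match else None
        result[f] = per_device
    return result


def rule_usage(flows, rules):
    """(device, rule) -> set of applications that depend on that rule."""
    usage = {(r.device, r.name): set() for r in rules}
    for f, per_device in correlate(flows, rules).items():
        for dev, name in per_device.items():
            if name is not None:
                usage[(dev, name)].add(f.app)
    return usage


def decommission_impact(app, flows, rules):
    """Rules only this app uses (safe to remove) vs. rules it shares (must stay)."""
    usage = rule_usage(flows, rules)
    mine = {k for k, apps in usage.items() if app in apps}
    return {"removable": sorted(k for k in mine if usage[k] == {app}),
            "shared": sorted(k for k in mine if usage[k] != {app})}


# Constructed sample data: two three-tier applications and the rules in place.
FLOWS = [
    Flow("CRM", "0.0.0.0/0", "10.1.0.10", 443),
    Flow("CRM", "10.1.0.10", "10.2.0.10", 8443),
    Flow("CRM", "10.2.0.10", "10.3.0.10", 5432),
    Flow("Billing", "0.0.0.0/0", "10.1.0.20", 443),      # no edge rule exists for this
    Flow("Billing", "10.1.0.20", "10.2.0.20", 8443),     # rides the same rule as CRM
    Flow("Billing", "10.2.0.20", "10.3.0.20", 1521),
]
RULES = [
    Rule("fw-edge", "edge-web-https", "0.0.0.0/0", "10.1.0.10/32", frozenset({443})),
    Rule("fw-core", "dmz-to-app", "10.1.0.0/24", "10.2.0.0/24", frozenset({8443})),
    Rule("fw-core", "app-to-postgres", "10.2.0.0/24", "10.3.0.10/32", frozenset({5432})),
    Rule("fw-core", "app-to-oracle", "10.2.0.0/24", "10.3.0.20/32", frozenset({1521})),
]


def connectivity_gaps(flows=FLOWS, rules=RULES):
    """Flows that some enforcement point on their path does not permit."""
    return [(f.app, f.src, f.dst, f.port, dev)
            for f, per_device in correlate(flows, rules).items()
            for dev, name in per_device.items() if name is None]


if __name__ == "__main__":
    print("gaps:", connectivity_gaps())
    print("shared rules:", {k: v for k, v in rule_usage(FLOWS, RULES).items() if len(v) > 1})
    print("decommissioning CRM:", decommission_impact("CRM", FLOWS, RULES))
```

Run as a script, the model reports the Billing front end as unreachable at fw-edge, shows that dmz-to-app is shared by both applications, and lists which of CRM’s rules could be withdrawn without touching Billing. The point of keeping flows and rules in one correlated model rather than in separate repositories is that all three answers fall out of the same data.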
Overall, a solution that enables an application-centric approach to security policy management should help to further increase efficiency, avoid errors, and ensure that the connectivity needs of the business are met in an accurate and timely manner – bridging the gap between network, security, and applications teams to better serve the needs of the business.