In my role as editor-in-chief of DevOps.com I hear, read and write a lot about the need for all the various constituents of IT to work more closely together.
As such, I’m always happy to hear about new efforts aimed at breaking down existing barriers to that end, or what I like to call “silo-busting”. So when I saw FireMon’s recent launch of its new Policy Optimizer module, and its ability to bust down silos, I’ll admit it brought a smile to my face.
Policy Optimizer specifically breaks down existing silos across different sectors of IT in determining which firewall rules are out of date, no longer necessary or even security risks. Much of this silo-busting is accomplished via automation – which is music to a DevOps advocate’s ears.
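To make the three categories above concrete (out-of-date, unnecessary, risky rules), here is an added example of a small rule audit written for this post; it is not FireMon’s code and says nothing about how Policy Optimizer works internally. It assumes a constructed rule table in which each rule carries a hit counter and the days since its last hit (the kind of data a firewall’s own logging exposes), that the firewall applies rules first-match, and that a 90-day idle threshold counts as stale. Rules are flagged as unused (never hit), stale (idle past the threshold), shadowed (an earlier rule already matches every packet this one could, so it can never fire) or risky (an allow-anything rule).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str                 # CIDR / host address, or "any"
    dst: str                 # CIDR / host address, or "any"
    port: str                # destination port, or "any"
    action: str              # "allow" or "deny"
    hit_count: int           # lifetime matches reported by the firewall
    days_since_last_hit: int  # -1 when the rule has never matched


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in `inner` also falls inside `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(
        ipaddress.ip_network(outer, strict=False))


def _port_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def covers(earlier: Rule, later: Rule) -> bool:
    """Under first-match evaluation, `later` is dead if `earlier` covers it."""
    return (_net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and _port_covers(earlier.port, later.port))


def audit_rules(rules: List[Rule], stale_days: int = 90) -> Dict[str, List[str]]:
    """Classify rules; a rule may land in more than one bucket."""
    findings: Dict[str, List[str]] = {
        "unused": [], "stale": [], "shadowed": [], "risky": []}
    for i, rule in enumerate(rules):
        if rule.hit_count == 0:
            findings["unused"].append(rule.rule_id)
        elif rule.days_since_last_hit > stale_days:
            findings["stale"].append(rule.rule_id)
        # An allow with no source, destination or port restriction is the
        # classic "temporary" rule nobody removed.
        if rule.action == "allow" and (rule.src, rule.dst, rule.port) == ("any", "any", "any"):
            findings["risky"].append(rule.rule_id)
        # Any earlier rule that fully covers this one makes it unreachable,
        # whether the earlier action agrees (redundant) or not (misconfigured).
        if any(covers(earlier, rule) for earlier in rules[:i]):
            findings["shadowed"].append(rule.rule_id)
    return findings


# Constructed sample rule base (hypothetical addresses and counters).
SAMPLE_RULES = [
    Rule("R1", "10.0.0.0/8", "10.1.2.3", "443", "allow", 12000, 0),
    Rule("R2", "10.5.0.0/16", "10.1.2.3", "443", "allow", 0, -1),   # inside R1
    Rule("R3", "192.168.5.0/24", "10.1.2.9", "22", "allow", 3, 200),  # idle
    Rule("R4", "any", "any", "any", "allow", 500, 1),                # too broad
    Rule("R5", "any", "10.1.2.3", "23", "deny", 0, -1),              # behind R4
]

if __name__ == "__main__":
    for bucket, ids in audit_rules(SAMPLE_RULES).items():
        print(f"{bucket:9s}: {', '.join(ids) or '-'}")
```

Run as a script it prints one line per bucket. The point for the silo discussion is that every input here comes from a different team: hit counters and idle times from Ops’ firewall telemetry, the intended reachability from the developers who wrote the application, and the risk judgement (what counts as “too broad”) from security; the script only has something useful to say when all three feed it.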
Why is all of this silo busting and automation so important? The short, real-world answer is that today’s speed of business will accept nothing less.
A more detailed answer is that in today’s world:
- Changes – including changes to code – happen multiple times a day
- “Web-scale IT” measures servers and instances in the tens of thousands
- Security must keep up or be left behind, always playing catch-up
- Automation and cooperation among Devs, Ops and QA is a necessity
And of course, breaking down silos is a key ingredient in successfully addressing these realities.
I’ve been hearing that we need security to be “built in, not bolted on” almost since I first got involved in the security industry over 15 years ago; that security needs a seat at the IT table.
Policy Optimizer is just the kind of solution that fulfills this specific need. It provides the means for security to work with the rest of the IT team in a way that makes sense and allows business to move forward with the velocity it needs.
Now before we declare “mission accomplished”, let’s not get ahead of ourselves. We still have a long way to go to better integrate security into IT and truly bust down the involved silos. We need developers to have a greater sense of ownership when developing secure applications.
Just thinking firewalls for a second, it would be great if developers gave some thought as to who, when and what types of access users will require when building an application. Giving developers a say in setting firewall rules, for instance, makes sense.
Beyond the development team, how about working closer with the Ops folks too? Who knows the network better? Far too often the Ops team resides in a different silo than security teams and they thereby seem to work at loggerheads.
Again, this is why I like tools like FireMon’s Policy Optimizer and Risk Analyzer solutions. They give Ops insight into security decisions and policies. Ops shouldn’t feel that security and risk strategies are devised using black magic. Shining a light on why security decisions are made and giving Ops input into the process is how you get buy-in and how you really break down silos; most importantly, this demonstrates how we can tangibly change our security posture for the better.
For some organizations this is still a very alien concept. Security teams are almost thought of as audit teams and are purposely set apart from the rest of IT. To me, this perpetuates a culture of failure around security. All you have to do is glance at the headlines on a regular basis to see that the old way of separate security teams is not working.
We need new, more effective solutions and these solutions must take into account new ways of business. Megatrends like Big Data, the cloud and mobility have fundamentally changed the equation for many businesses. If security is to be relevant, it must adapt and evolve.
For me, breaking down the silos around the security team sounds the death knell of standalone security teams. I look forward to the day when instead of having a standalone security team, everyone in the IT department is part of the security team. I don’t know if that will happen in my lifetime, but every step along the way, such as Policy Optimizer, is a step in the right direction.
Now, what can we automate next?
As Editor-in-chief of DevOps.com, a regular contributor to Network World, manager of the Security Bloggers Network and Chief Executive Officer at The CISO Group, Alan Shimel is attuned to the world of technology, particularly cloud, security and open source. Prior to his current positions, Alan was the co-founder and Chief Strategy Officer at StillSecure. Shimel is an often-cited personality in the security and technology community and is a sought-after speaker at industry and government conferences and events.