You can’t manage what you can’t see, and when it comes to security controls, complexity is the enemy of visibility.
FireMon’s 2019 State of the Firewall report uncovered a great deal of complexity related to firewall deployments at organizations of various sizes. Almost 33 percent of survey respondents reported they have between 10 and 99 firewalls, while 30.4 percent of them reporting they had a hundred or more firewalls on their network. Almost 78 percent are using two or more different vendors for enforcement points on their network. Nearly 60 percent have firewalls deployed in the cloud.
The good news is respondents know they have a problem—complexity of firewall rules and policies was cited as one of five top challenges they face, as was managing multiple vendors and types of firewalls. The bad news, however, is respondents reported limited visibility into problem-causing complexity, and it’s putting their compliance at risk.
This lack of visibility into complex hybrid network environments comes on the heels of the Capital One breach, which albeit was caused more so by misconfiguration and lack of automation, but is an example of how organizations are rapidly deploying applications in public clouds and not tracking deployments diligently enough. Some are even bypassing their traditional network security teams to define the security controls around cloud deployments. Since the security team isn’t involved in the process, they have no visibility into these increasingly complex, multi-cloud environments.
Complexity is a Compounding Problem
The bigger challenge is that complexity is dispersed across the entire network infrastructure. Visibility is a problem in general, not just limited to security controls.
But from a firewall perspective, it’s not just the sheer numbers creating complexity, it’s a general absence of good security hygiene management. As policies bloat, unused rules gestate, and overly permissive rules become more pervasive within the policies, there’s no way to have visibility if you can’t apply policy analysis to all these firewalls. The sheer volume of rules on the firewalls is growing exponentially. It’s not humanly possible to manage them all manually, so if you don’t have a solution for monitoring firewall growth and analyzing policy behavior, you’re flying blind.
It’s not just organic growth that’s compounding complexity. Mergers and acquisitions add to the lack of visibility as organizations ingest a wide array of security tools and policy-bloated firewalls from a variety of vendors, including legacy technology, as well as thousands of endpoints and assets that may or may not have been properly discovered when they were brought online. In addition, information gaps develop when tribal knowledge is not transferred between businesses entities and security experts are left in the dark during the transitions—not a good thing when organizations are already struggling with a lack of cybersecurity talent.
But whether it’s mergers and acquisitions, or ramping of cloud deployments, the velocity of business today makes it almost impossible to keep pace of what’s happening in the environment. This lack of visibility means complexity continues to grow unchallenged, and with it, the probability of human error and misconfiguration increases. Most of all, the risk to the organization goes up as well.
This complexity isn’t going away on its own. If it continues to go unchallenged as cloud-first digital transformation marches forward without adequate automation and visibility, then more and more misconfigurations and bloat are going to proliferate and lead to a level of complexity that has never been faced.
You Can’t Challenge Complexity if You Can’t See It
Getting a handle on complexity requires better visibility. You can’t control rapid firewall rule growth if good insight into policy behavior is missing. Nor can you apply appropriate security controls around application deployments if those newly deployed assets are not diligently tracked and align to a centralized security policy. It’s not just about managing growth either. It’s about optimizing what you have. You need real-time visibility into changes so you can optimize existing firewall rules and security controls.
Security not having parity with the velocity of business also means that firewall rules are constantly being made redundant without ever being tossed out. Given that most firewalls are sequential in nature, it means organizations are ending up with a firewall policy that has 40,000 rules in it, and the rule that’s being hit the most is 39,999. So, if 70 percent of your traffic is transferred across that rule, it also means 70 percent of the time CPU cycles are being used to analyze 39,998 rules before traffic is ultimately passed.
Lack of visibility and complexity not only means your firewall is working harder than necessary, but the rising tide of all these unused, redundant, duplicate, and overly permissive rules is poking away at the dam, which eventually breaks. The firewall gets breached due to overly permissive access and a manifestation of complexity that couldn’t be seen.
Compliance Must be Certain
If you want to reduce complexity, you must be able to analyze and optimize security controls continuously and automatically align to a global security policy. Your security teams must have complete visibility across the entire infrastructure, and C-level executives must have absolute certainty they’re always compliant.