
COMPLIANCE & SECURITY MYTH #3: It’s Better To Block Than To Permit Access

This is part 3 of a 4-part series addressing compliance myths and what you need to know about uniting compliance and security in a hybrid environment. Read myth #2 here.

One of the oldest security practices is to “just say no.” Businesses engaged in digital transformation can’t take that path. They have internal and external users, APIs, and IoT devices that all need access to their networks. They can’t wave the white flag because compliance and access control are difficult and time-consuming for them. They have to give thoughtful consideration to the reasons and outcomes of granting appropriate access.

The trouble with just saying no is that it skips the step of defining business requirements and jumps to the step of establishing an optimized security posture. This is surprising, because defining business requirements for access seems like it would be pretty straightforward, a simple question of who needs access to what and why they need it.

Yet businesses rarely have a formal process in place to determine access, or to remove access once its business need has ended—and overly prescribed access is just as dangerous as unnecessary access. There is a disconnect between network security operations, IT management, compliance professionals, and line-of-business managers, and this gap not only heightens the security risk, it puts the brakes on speed to market.

So access control is not only a technological puzzle. It’s an organizational problem.

Plan Well and Let Automation Handle the Rest

Modern-era firewalls are designed around a positive security model, which means they deny all access that is not administratively permitted. Every rule added to the firewall is a decision to permit more access – and to accept more risk. In addition, every rule that is added must be processed whenever it’s called into play, which can degrade performance.

There’s no easy way to evaluate every individual rule in today’s environment, where business needs are continually accelerating and increasing numbers of endpoints and devices need fast access to the network. Security policy automation can process a policy quickly and reliably while ensuring that rules don’t conflict with each other.

But the firewall will only be as secure as its global security policy allows, so that policy must be carefully planned. In broad strokes, the steps of the planning process are:

  1. Lay the groundwork. Start by determining an acceptable level of risk and solicit input from both technology and business stakeholders. A rough draft of a map that shows which resources will be accessed and which endpoints or devices will be using those resources should be developed at this stage.
  2. Establish governance. Identify key stakeholders and their responsibilities in the planning process. Set timelines and milestones. Continue to develop the resource map.
  3. Identify guiding principles based on security and business needs. But don’t neglect to attend to user needs as well. As every security professional knows, users will find a way around overly-restrictive controls, and that can expose the organization to hidden risk. When appropriate, communicate decisions across the organization to get and keep users on board. Your resource map should be well-evolved by now.
  4. Follow the best practice of Least Privilege. Least privilege gives an endpoint or device only the access it needs to perform its tasks. Keep track of whether endpoints and devices are using all their privileges and take away access to assets they are not using. FireMon network security policy automation can track activity and either automatically remove unused privilege or send an alert to a human for further action.
  5. Check for redundancies. There may already be an appropriate access control in place, and duplicating it will create risk and reduce manageability. If a network security policy automation solution like FireMon is in place, skip this step. FireMon does this automatically.
  6. Automate periodic reviews. Rules should be reviewed on a regular basis and subjected to vulnerability scans against the applications running their control functions. Logs should be collected and monitored for violations. Again, if using FireMon, these activities will occur automatically.
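The automatable parts of steps 4 to 6 (unused-privilege removal, redundancy checks and the periodic rule review), as an added example that is not FireMon's code: it reviews a constructed first-match rule base, with per-rule hit counts assumed to have been collected from firewall logs over the review window, and also confirms the policy ends in a catch-all deny, as the positive security model requires.

```python
# Constructed example (not FireMon code): automate steps 4-6 of the planning
# process above for a small, hand-built rule base. Hit counts per rule are
# assumed to come from firewall logs collected over the review window.
from dataclasses import dataclass
from ipaddress import ip_network

ANY_PORTS = frozenset(range(1, 65536))

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: frozenset    # destination ports matched
    action: str         # "permit" or "deny"

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and inner.ports <= outer.ports)

def review_policy(rules, hits):
    """First-match review: unused permits (step 4), redundant rules (step 5),
    shadowed rules that can never fire (conflicts), and a default-deny check."""
    report = {"unused": [], "redundant": [], "shadowed": []}
    for i, rule in enumerate(rules):
        if rule.action == "permit" and hits.get(rule.name, 0) == 0:
            report["unused"].append(rule.name)
        for earlier in rules[:i]:   # the first covering rule decides
            if covers(earlier, rule):
                key = "redundant" if earlier.action == rule.action else "shadowed"
                report[key].append((rule.name, earlier.name))
                break
    everything = Rule("any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORTS, "deny")
    report["default_deny"] = rules[-1].action == "deny" and covers(rules[-1], everything)
    return report

# Constructed rule base and hit counts (sample data, not from a real device).
RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.168.10.0/24", frozenset({80, 443}), "permit"),
    Rule("allow-web-host", "10.1.0.0/16", "192.168.10.5/32", frozenset({443}), "permit"),
    Rule("allow-ssh-legacy", "10.2.0.0/16", "192.168.20.0/24", frozenset({22}), "permit"),
    Rule("deny-web-branch", "10.3.0.0/16", "192.168.10.0/24", frozenset({80}), "deny"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", ANY_PORTS, "deny"),
]
HITS = {"allow-web": 1200, "allow-web-host": 30, "allow-ssh-legacy": 0}

if __name__ == "__main__":
    print(review_policy(RULES, HITS))
```

A shadowed rule is a conflict of the kind step 6 should surface: the earlier permit already matches everything it would deny, so the deny never takes effect.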




Security Policy Automation Manages Your Rules for You

Managing firewall rules has been an intensely manual and fragmented process. The stakes are high if an organization does a poor job of it – in fact, a large number of today’s data breaches can be directly traced to weak firewalls, and Gartner forecasts that 99 percent of breaches in the next few years will be attributable to human errors in firewall configurations.

FireMon is the first solution that actively addresses and automates firewall security.

Developed with direct input from our largest and most sophisticated customers, FireMon delivers pragmatic benefits and total ROI in just months.

Our Agile NSPM platform provides comprehensive security intelligence that improves enforcement of network security infrastructure and drives strategic decisions based on current requirements. This includes the ability to rapidly gather data and validate rule requests, as well as to eliminate unneeded rules and make implemented rules more targeted, productive, and effective while maintaining the highest levels of security control.

Some of Agile NSPM’s capabilities include:

  • Integrated business workflow. Optimizes rules for access requirements and aligns rules with security policies and controls. Multiple Business Process Model and Notation (BPMN) 2.0-compliant workflows can be deployed.
  • Automated rule recertification. Monitors and maintains ongoing and/or audit event-driven justification reviews, as well as impact assessments for rule adjustment or retirement.
  • Proactive guidance and enforceable accountability. Automatically creates change tickets for removable rules and invokes application-level recommendations, adding lists of relevant applications and configuring workflow based on application and owner-based rule properties, such as destination and service.
  • New workflow process and UI. Provides a business-driven rule/device management interface to engage business stakeholders, improve performance, and document processes for best-practices development.
  • Asset- and entity-centric policies. Adapts policies to business needs by following the user, service, host, and data to conform to your compliance standards.
  • Ongoing analysis. Exposes compliance slips, enables quick course-correction, and triggers actions to regain compliance.

Automation Delivers a Balance between Access and Risk

The lesson from this myth is that the alleged silver bullet of blocking has the potential to backfire. However, with careful and consistent data-driven analysis, compliance and security personnel can spot any failure and quickly remediate in real-time.

We do not need to withhold access to vital assets and information in our hybrid networks, nor do we need to open the floodgates to any and all who demand it. A balance can be found.
