This is part 3 of a 4-part series addressing compliance myths and what you need to know about uniting compliance and security in a hybrid environment. Read myth #2 here.
One of the oldest security practices is to “just say no.” Businesses engaged in digital transformation can’t take that path. They have internal and external users, APIs, and IoT devices that all need access to their networks. They can’t wave the white flag because compliance and access control are difficult and time-consuming for them. They have to give thoughtful consideration to the reasons and outcomes of granting appropriate access.
The trouble with just saying no is that it skips the step of defining business requirements and jumps to the step of establishing an optimized security posture. This is surprising, because defining business requirements for access seems like it would be pretty straightforward, a simple question of who needs access to what and why they need it.
Yet businesses rarely have a formal process in place to determine access, or to remove access once its business need has ended—and overly prescribed access is just as dangerous as unnecessary access. There is a disconnect between network security operations, IT management, compliance professionals, and line-of-business managers, and this gap not only heightens the security risk, it puts the brakes on speed to market.
So access control is not only a technological puzzle. It’s an organizational problem.
Plan Well and Let Automation Handle the Rest
Modern-era firewalls are designed around a positive security model, which means they deny all access that is not administratively permitted. Every rule added to the firewall is a decision to permit more access – and to accept more risk. In addition, every rule that is added must be processed whenever it’s called into play, which can degrade performance.
There’s no easy way to evaluate every individual rule in today’s environment, where business needs are continually accelerating and increasing numbers of endpoints and devices need fast access to the network. Security policy automation can process a policy quickly and reliably while ensuring that rules don’t conflict with each other.
But the firewall will only be as secure as its global security policy allows, so that policy must be carefully planned. In broad strokes, the steps of the planning process are:
- Lay the groundwork. Start by determining an acceptable level of risk and solicit input from both technology and business stakeholders. A rough draft of a map that shows which resources will be accessed and which endpoints or devices will be using those resources should be developed at this stage.
- Establish governance. Identify key stakeholders and their responsibilities in the planning process. Set timelines and milestones. Continue to develop the resource map.
- Identify guiding principles based on security and business needs. But don’t neglect to attend to user needs as well. As every security professional knows, users will find a way around overly restrictive controls, and that can expose the organization to hidden risk. When appropriate, communicate decisions across the organization to get and keep users on board. Your resource map should be well-evolved by now.
- Follow the best practice of Least Privilege. Least privilege gives an endpoint or device only the access it needs to perform its tasks. Keep track of whether endpoints and devices are using all their privileges and take away access to assets they are not using. FireMon network security policy automation can track activity and either automatically remove unused privilege or send an alert to a human for further action.
- Check for redundancies. There may already be an appropriate access control in place, and duplicating it will create risk and reduce manageability. If a network security policy automation solution like FireMon is in place, skip this step. FireMon does this automatically.
- Automate periodic reviews. Rules should be reviewed on a regular basis, and the applications that enforce them should be subjected to vulnerability scans. Logs should be collected and monitored for violations. Again, if using FireMon, these activities will occur automatically.
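The planning steps above (a positive security model with an explicit default deny, least privilege, checking for redundant rules, and periodic review) can be exercised against an exported rule set. The following is an added example written for this article; it is not FireMon's code and uses none of its APIs. The rule format, the per-rule hit counters, and the five sample rules are constructed for illustration. The audit assumes first-match evaluation: a rule is reported as shadowed when an earlier rule already matches every packet it could match, as unused when it has zero hits over the review window (and is not merely shadowed), and the policy is flagged when it does not end with an explicit deny-all.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src: str                          # source CIDR
    dst: str                          # destination CIDR
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]  # inclusive destination port range; None = any port
    hits: int                         # hit counter exported by the firewall (constructed here)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.ports is None:          # outer matches any port
        return True
    if inner.ports is None:          # inner is wider than outer on ports
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Redundancy check: rules that can never fire under first-match evaluation
    because an earlier rule already covers all of their traffic."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def unused_rules(rules: List[Rule], shadowed: List[str]) -> List[str]:
    """Least-privilege check: permissive rules with no hits in the review window.
    Shadowed rules are excluded so each finding is reported once."""
    return [r.name for r in rules if r.hits == 0 and r.name not in shadowed]


def has_default_deny(rules: List[Rule]) -> bool:
    """Positive security model: the policy must end with an explicit deny-all."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.proto == "any" and last.ports is None
            and ip_network(last.src).prefixlen == 0
            and ip_network(last.dst).prefixlen == 0)


def audit(rules: List[Rule]) -> Dict[str, object]:
    """Run the three checks and return the findings for a periodic review."""
    shadowed = shadowed_rules(rules)
    return {
        "shadowed": shadowed,
        "unused": unused_rules(rules, shadowed),
        "default_deny": has_default_deny(rules),
    }


# Constructed sample rule set; hit counts represent one review window.
SAMPLE_RULES = [
    Rule("allow-web",        "allow", "0.0.0.0/0",      "10.0.1.0/24",  "tcp", (443, 443), 120000),
    Rule("allow-web-dup",    "allow", "203.0.113.0/24", "10.0.1.10/32", "tcp", (443, 443), 0),
    Rule("allow-legacy-ftp", "allow", "10.0.2.0/24",    "10.0.1.20/32", "tcp", (21, 21),   0),
    Rule("allow-dns",        "allow", "10.0.0.0/8",     "10.0.1.53/32", "udp", (53, 53),   900),
    Rule("deny-all",         "deny",  "0.0.0.0/0",      "0.0.0.0/0",    "any", None,       4000),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_RULES).items():
        print(f"{key}: {value}")
```

In the sample, `allow-web-dup` is shadowed by the broader `allow-web` rule above it, `allow-legacy-ftp` is a live but unused permission that a least-privilege review would retire, and the trailing `deny-all` satisfies the default-deny check. Removing the last rule from the list makes `has_default_deny` return False, which is the condition a review should treat as a policy defect.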
Security Policy Automation Manages Your Rules for You
Managing firewall rules has been an intensely manual and fragmented process. The stakes are high if an organization does a poor job of it – in fact, a large number of today’s data breaches can be directly traced to weak firewalls, and Gartner forecasts that 99 percent of breaches in the next few years will be attributable to human errors in firewall configurations.
FireMon is the first solution that actively addresses and automates firewall security.
Developed with direct input from our largest and most sophisticated customers, FireMon delivers pragmatic benefits and total ROI in just months.
Our Agile NSPM platform provides comprehensive security intelligence that improves enforcement of network security infrastructure and drives strategic decisions based on current requirements. It includes the ability to rapidly gather data and validate rule requests, as well as to eliminate unneeded rules and make implemented rules more targeted, productive, and effective while maintaining the highest levels of security control.
Some of Agile NSPM’s capabilities include:
- Integrated business workflow. Optimizes rules for access requirements and aligns rules with security policies and controls. Multiple Business Process Model and Notation (BPMN) 2.0-compliant workflows can be deployed.
- Automated rule recertification. Monitors and maintains ongoing and/or audit event-driven justification reviews, as well as impact assessments for rule adjustment or retirement.
- Proactive guidance and enforceable accountability. Automatically creates change tickets for removable rules and invokes application-level recommendations, adding lists of relevant applications and configuring workflow based on application and owner-based rule properties, such as destination and service.
- New workflow process and UI. Provides a business-driven rule/device management interface to engage business stakeholders, improve performance, and document processes for best-practices development.
- Asset- and entity-centric policies. Adapts policies to business needs by following the user, service, host, and data to conform to your compliance standards.
- Ongoing analysis. Exposes compliance slips, enables quick course-correction, and triggers actions to regain compliance.
Automation Delivers a Balance between Access and Risk
The lesson from this myth is that the alleged silver bullet of blocking has the potential to backfire. However, with careful and consistent data-driven analysis, compliance and security personnel can spot any failure and quickly remediate it in real time.
We do not need to withhold access to vital assets and information in our hybrid networks, nor do we need to open the floodgates to any and all who demand it. A balance can be found.