Reflect on the following and see if it sounds familiar. Security teams exist to protect the business, while IT operations focus on keeping systems up and running. Application teams are also in the mix, responsible for application consistency, availability and performance. The overlap between these teams can be tricky to navigate, but at the end of the day they all exist to let the business run. To achieve alignment across them, organizations must re-examine their current security, operations and business processes and identify where to add or strengthen the necessary checks and balances without impeding productivity.
To explore this topic further, we are featuring the perspective of Sam Erdheim, a Senior Security Strategist with AlgoSec, a software provider for network security policy management. His 10 tips lay a foundation for bringing these teams together through better communication and strategy. Erdheim has more than a decade of product management and marketing experience in the IT software space, from email archiving to information security. Before moving to the network side, he worked in the endpoint security market, helping customers reduce IT risk and improve productivity.
Tip 1: Break down the organizational silos.
Application owners, network security and operations staff working in silos is a clear path to trouble and a major contributor to out-of-band changes. The result is often an outage, either of a critical application or of the network. While the DevOps movement has picked up momentum, it typically involves only developers and operations personnel, not security professionals. When it comes to making security changes, security, operations and application owners must all be on the same page. This means documenting and enforcing a formal security change management process that incorporates all of the key stakeholders. That process provides the proper checks and balances and visibility from every angle: application connectivity needs, security and compliance checks, and broader network requirements.
Tip 2: Automate processes.
This goes hand-in-hand with the first tip. Security change management usually falls down because teams work in silos and because processes are manual and time-consuming, which leads to errors that introduce risk, break connectivity or cause a wider outage. By automating these processes, organizations gain visibility, simplify and streamline the necessary checks and balances, and improve not only security but also business agility: more changes processed, and processed accurately. A sound process aided by automation lets the different stakeholders communicate with each other more easily and effectively, and respond to changing business needs more quickly and transparently.
Tip 3: Think in application terms when it comes to security change management.
Most firewall changes are driven by business applications. Understand the impact on those applications and on the network by making sure that every firewall change request can be associated with the application it serves. Just as many critical IT functions have become application-centric (because our networks and organizations are powered by business applications), so too must security policy management.
Tip 4: Find a common language.
Application connectivity information is stored in disparate places, and the work of sharing, interpreting and accurately translating it into effective security policies opens a gap between the network, security and application teams. Opportunities to maximize application availability, reduce the risk of unauthorized access and unlock greater IT agility are held back as a result. Each department has its own objectives and its own language: application teams describe what their applications need to talk to, while the networking team focuses on routing and connectivity and speaks in terms of subnets, IP addresses and so on. These differing responsibilities and vocabularies create a great divide in which key requirements get lost in translation. The consequences are all too common: application and network outages, security that is compromised unnecessarily, and degraded network performance.
Tip 5: Develop/enhance a standard operating procedure (SOP).
Identify areas such as change management and audits where each of these teams plays a significant role. Develop, or enhance and update, a standard operating procedure (SOP) for how the teams will work together, both on a typical day and when a crisis hits. The SOP should address day-to-day situations and take into account the concerns of all teams. You also want to set up a taskforce with stakeholders from each department. You cannot predict when users will make requests of the network by adding new applications or devices, but you can prepare for handling those requests. Designing plans with your counterparts for these situations, and for other knowns such as network upgrades, change freezes and audits, minimizes the security risk that comes from poor or out-of-band change processes.
Tip 6: Define cross-team and individual goals.
Work with your management and colleagues to define management by objectives (MBOs) and performance targets that include both individual and higher-level goals. Everyone loses if security is compromised by a poorly executed change; equally, the business loses if security requirements are so stringent that SLAs cannot be met.
Tip 7: Build relationships and over-communicate with key stakeholders from other groups.
Schedule weekly, monthly or quarterly review sessions between the groups that focus on internal process improvements. Building relationships and over-communicating with peers on other teams not only creates awareness and enables joint decision-making; people also typically respond better to a familiar face when a request arrives.
Tip 8: Use information to improve process.
In AlgoSec’s “State of Network Security Survey 2013,” the findings showed that the biggest challenge of managing network security devices was process. You need to understand where process breakdowns occur so that you can make the necessary improvements. Ask yourself questions such as “Is it a matter of poor process?” and “Are the solutions in place not allowing the process to work as you want?” Identify these issues so that you can map out a plan of attack.
Tip 9: Make sure you’re audit-ready.
Audits bring consternation to multiple teams. Not only do audits raise questions from outside, but they can often lead to distrust amongst different stakeholders if not managed well. A proactive approach and teamwork based on the above steps can make a huge difference. If you can ensure continuous audit-readiness by capturing the required information and being able to access it quickly, you not only increase visibility across all stakeholders but you can also reduce inter-department friction during “crunch time”.
Tip 10: Reduce complexity.
Complexity is a killer of security and agility. Today's enterprise network has more business applications with complex, multi-tier architectures, multiple components and intricate underlying communication patterns, and those patterns drive network security policies. A single "communication" may need to cross several policy enforcement points, while a single rule may in turn support multiple distinct applications. The result is typically hundreds or even thousands of rules, with many potential interdependencies, configured across tens to hundreds of devices and supporting a comparable number of business-critical applications. This sheer complexity invites mistakes, especially where multiple firewalls with large rule sets are involved. Simplifying security management through automation and an application-centric approach is a must.
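To make the application-centric view of Tips 3 and 10 concrete, here is an added example (written for this page; it is not AlgoSec's product, nor code from the original article). A small first-match rule base on two hypothetical enforcement points and a handful of application flows, all constructed for the example, are mapped against each other: which applications depend on each rule, which rules no application uses, which flows die at which device, and which rules are shadowed by an earlier rule and can never fire. Device names, rule IDs, addresses and application names are all invented.

```python
"""Application-centric analysis of a firewall rule base (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str               # "allow" or "deny"
    src: str                  # CIDR
    dst: str                  # CIDR
    ports: Tuple[str, ...]    # e.g. ("tcp/443",) or ("any",)


@dataclass(frozen=True)
class Flow:
    app: str                  # business application that needs this connectivity
    src: str                  # host address
    dst: str
    port: str                 # "tcp/443"
    path: Tuple[str, ...]     # enforcement points the flow crosses, in order


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and ("any" in rule.ports or flow.port in rule.ports))


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match semantics; None means the device's implicit deny applies."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule
    return None


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` could match is already matched by `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and ("any" in outer.ports or set(inner.ports) <= set(outer.ports)))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Rules that can never fire because an earlier rule fully covers them."""
    return [rule.rule_id for i, rule in enumerate(rules)
            if any(covers(earlier, rule) for earlier in rules[:i])]


def analyze(policy: Dict[str, List[Rule]], flows: List[Flow]):
    """Map rules to the applications that depend on them and find the gaps."""
    rule_to_apps: Dict[Tuple[str, str], Set[str]] = {
        (dev, r.rule_id): set() for dev, rules in policy.items() for r in rules}
    blocked: List[Tuple[str, str]] = []   # (app, device) where a needed flow is denied
    for flow in flows:
        for device in flow.path:
            rule = first_match(policy[device], flow)
            if rule is not None:
                rule_to_apps[(device, rule.rule_id)].add(flow.app)
            if rule is None or rule.action == "deny":
                blocked.append((flow.app, device))
                break                     # the communication dies at this hop
    unused = sorted(key for key, apps in rule_to_apps.items() if not apps)
    shadowed = {dev: shadowed_rules(rules) for dev, rules in policy.items()}
    return rule_to_apps, unused, blocked, shadowed


# Constructed rule base: a perimeter firewall and a core firewall, first match wins.
POLICY: Dict[str, List[Rule]] = {
    "dmz-fw": [
        Rule("dmz-1", "allow", "0.0.0.0/0", "10.1.0.0/24", ("tcp/443",)),     # internet -> web tier
        Rule("dmz-2", "allow", "10.1.0.0/24", "10.2.0.0/24", ("tcp/8080",)),  # web -> app tier
        Rule("dmz-3", "allow", "10.1.0.10/32", "10.2.0.0/24", ("tcp/8080",)), # fully covered by dmz-2
    ],
    "core-fw": [
        Rule("core-1", "allow", "10.2.0.0/24", "10.3.0.0/24", ("tcp/5432",)), # app -> database
        Rule("core-2", "allow", "10.9.0.0/24", "10.3.0.0/24", ("tcp/3306",)), # legacy, no app needs it
        Rule("core-3", "deny", "0.0.0.0/0", "0.0.0.0/0", ("any",)),
    ],
}

# Constructed application connectivity requirements, expressed in application terms.
FLOWS: List[Flow] = [
    Flow("webshop", "203.0.113.7", "10.1.0.10", "tcp/443", ("dmz-fw",)),
    Flow("webshop", "10.1.0.10", "10.2.0.20", "tcp/8080", ("dmz-fw",)),
    Flow("webshop", "10.2.0.20", "10.3.0.30", "tcp/5432", ("core-fw",)),
    Flow("reporting", "10.2.0.21", "10.3.0.30", "tcp/5432", ("core-fw",)),
    Flow("reporting", "10.2.0.21", "10.3.0.31", "tcp/9200", ("core-fw",)),   # not yet opened
    Flow("backup", "10.1.0.50", "10.3.0.30", "tcp/5432", ("dmz-fw", "core-fw")),  # two hops
]

if __name__ == "__main__":
    rule_to_apps, unused, blocked, shadowed = analyze(POLICY, FLOWS)
    for key, apps in rule_to_apps.items():
        print(f"{key[0]}/{key[1]} serves {sorted(apps) or 'nothing'}")
    print("unused rules (cleanup candidates):", unused)
    print("flows blocked (app, device):", blocked)
    print("shadowed rules per device:", shadowed)
```

Two things the output shows that the prose alone does not: a rule (core-1) is shared by two applications, so a change request against it must be assessed against both, and the two-hop backup flow is stopped at the first enforcement point by the implicit deny, even though the core firewall would have permitted it. Both are the kind of interdependency that grows unmanageable at thousands of rules without an application-centric map.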
photo credit: jairoagua via photopin cc