David Aminzade, Country Manager for Tufin Technologies: Is Having a Security Policy in Place Really Nine-Tenths of the Law?
April 2009 by Marc Jacob
Most large organizations maintain a detailed corporate security policy document that spells out the “dos and don’ts” of information security. Once the policy is in place, the feeling is of having achieved ‘nine-tenths of the law’, that is, that the organization is in effect ‘covered’. This is a dangerous misconception. Because much like in the world of law and order, while creation of law is fundamental, implementation and enforcement of law is what prevents chaos.
Ignorance of policy does not exempt from punishment — in this case in the form of security breaches
Recent studies have shown that most employees, including IT staff, are often unaware of corporate security directives or even tend to ignore them. Ignorance of corporate policy or simple incapability to implement and enforce it can leave networks wide open to major security breaches. This is not only costly to fix, but can also ruin a company’s reputation. Allowing the security policy become a ‘white elephant’ is just not an option.
This is easier said than done. For security administrators, implementing the corporate policy on the ground is a complex and extremely time-consuming job. It starts with translating the guidelines into hundreds and even thousands of rules on a multitude of security devices. Dozens of configuration change requests come in every day, and administrators are required to manually check every single one to make sure they don’t break the corporate policy.
It’s not surprising, therefore, that IT managers may ignore policy directives that make the difficult job of implementing change requests even more difficult. A conscious decision may not have been involved; the security managers may simply be unaware that a certain configuration change is against the policy and there is nobody around to sound the sirens. This results in major differences between the corporate policy and the actual security setup on the ground, and it’s no simple task for security officers and auditors to bridge the gap.
“We have more than 100 firewalls around the world,” says Eli Beker, Security Officer at Comverse, a leading provider of software and systems for communications service providers. “Every day, several different teams of outsourced firewall administrators handle a list of dozens of change requests. Making sure our corporate security policy is followed can be like chasing a moving target.”
Why is corporate security policy enforcement so difficult? Eli is not alone. Corporate security officers today are coping with a growing list of challenges that make it harder and harder to get their jobs done. Here are a few examples:
Security risks. Because reviewing firewall rule-bases is such a labor-intensive and time consuming job, most companies do it only periodically. This means that there is a lag between the implementation of policy and verification, leaving the door wide open to security attacks in the meantime. Administrators need to find a way to become proactive – to identify and fix security holes as soon as they occur.
Business continuity. Firewalls today do not only stop intruders, they govern access to external resources such as banking services, newsfeeds and disaster recovery. This external access is typically governed by creating firewall and VPN rules. When a security administrator implements a new configuration change to the firewall, there is a risk of shadowing those special rules and causing outages to business continuity. Downtime to critical information sources can cause serious financial damage and loss of reputation.
Many administrators on different sites. Global organizations employ diverse teams - with different working cultures and skill sets - in multiple time zones. Somewhere, in one of your branch offices, it’s the end of the day and a tired administrator, anxious to get home, is rushing through a change or putting it off until Monday. Security officers need a way to standardize policies so that they are implemented in the same way on every site.
Regulatory compliance: Most organizations are now required to comply with one or more government or industry standards (SOX, PCI-DSS, HIPAA, etc.) Audits are usually performed at the end of the quarter, with auditors combing through thousands of changes looking for anomalies. This process is a huge drain on resources that often brings little real benefit because of the lag time between when the breach occurred, and when the audit took place.
Multi-vendor environments. As a result of consolidation, mergers and acquisitions, and technology upgrades, many organizations cope with multi-vendor environments with different types of rule-bases and management tools. Executives, auditors and regulators lack a top-down view that shows whether the corporate meta-policy is being enforced, regardless of the specific platform.
Don’t rely on honesty as the best policy – Opt for an automated solution Given the scope and complexity of network security operations today, it is clear that while most security administrators have the best of intentions, manual policy analysis and periodical audits is neither efficient nor effective. And it is also more expensive: administrators are spending more and more of their time on manual, repetitive tasks rather than on strategic objectives.
Implementing even more than nine-tenths of the ‘law’, or in this case, a security policy, can only be achieved by automated solutions. By empowering continuous policy enforcement, they transform the audit process into what it should be: a routine report that demonstrates compliance with regulations. In addition to removing a significant security risk, automated solutions also result in a substantial savings of time and resources, since security teams often spend weeks preparing for and following up on external audits.
A good solution is able to:
Continuously monitor firewall and other security device changes, compare them to the corporate security policy, and send out alerts if the policy has been violated.
Track and report all changes in a uniform, simple and straightforward style.
Provide a vendor-neutral, top-down view of all security infrastructure that an executive can understand.
Enable security administrators to test a change against security policy before it is implemented, to assess and avoid risk.
An automated solution supports a separation of duties - security administrators implement changes, and security officers or auditors verify them. Even in small organizations in which the security manager wears more than one hat, an automated solution provides a safety net to uncover and recover from human error.
When choosing an automated solution, security officers should look for one that can centrally address distributed, global organizations with multiple devices, a variety of network security vendors and a geographically distributed workforce. With a robust Security Operations Management solution, Security Officers and Security Administrators can work together to proactively enforce corporate security policies effectively and efficiently – and with a lot fewer headaches.