David Aminzade,Tufin: Security challenges Italian style
May 2009 by David Aminzade – Regional Director Tufin
Three years ago I bought a house in the south of Italy and since then I have been trying to immerse myself in the local culture. It recently occurred to me that actually there was a great deal of similarity between the nuances and national characteristics of Italy and the challenges faced by security professionals today.
A love of Spaghetti - A rule base that has evolved over several years with several vendors’ products and many different security administrators will certainly resemble the characteristics of spaghetti. When you start pulling on one end you never know what the consequences are.
Even in the south of Italy, companies nowadays need to improve the efficiency of their firewall operation and make what they have go faster and further, as budgets for hardware or software upgrades are under close scrutiny. Knowing which rules are most frequently used enables the security professional to improve performance by ensuring a close match between a rule's position in the rule base and how often it is hit. This is even more the case when unused rules and shadowed rules (rules that can never match because an earlier rule already catches all of their traffic) can be clearly identified. These classes of rules only add complexity, degrade performance and increase business continuity risk.
All road signs are only suggestions
For all of you who have driven in the south of Italy you will know that all traffic laws, which by the way are still contained in the Italian criminal not the civil code, are merely suggestions to be adhered to or ignored depending on the situation.
Such is often the case when people are writing new security rules or changing existing ones. We all know that we should include a comment or a clean-up rule, but sometimes expediency makes us ignore these good-practice guidelines.
Meeting a growing number of compliance requirements, whether internal audit reviews, external audit demands such as SOX or Basel II, or industry-specific requirements such as PCI-DSS, is far more costly if a history of indiscipline has existed.
It is of little use spending money to optimise your firewall infrastructure and enable automatic compliance if you do not stop subsequent non-compliance. The ability to flag non-compliance to the relevant IT/security/compliance/business manager protects your investment, maintains your firewall estate's performance and ensures cost-free ongoing compliance.
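As an added illustration of the rule-base hygiene the two passages above describe (finding unused and shadowed rules, moving heavily used rules up the rule base without changing what it permits, and flagging rules that break a comment or clean-up-rule policy), here is a small Python analyser. It is example code written for this page, not Tufin's product or any code from the author; the `Rule` fields, the helper names and the six sample rules with their hit counts are constructed for the demonstration.

```python
"""Toy firewall rule-base analyser (constructed example, not a vendor tool).

Each rule is a single source/destination/service triple with an action and
a hit counter, which is enough to show the three checks discussed above:
shadowing, unused rules, and policy violations (missing comment, missing
final clean-up rule).  Reordering by usage is done with a constrained bubble
sort so that a rule never jumps past a rule whose match set overlaps its own.
"""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    src: str        # CIDR network or "any"
    dst: str        # CIDR network or "any"
    service: str    # "proto/port", e.g. "tcp/443", or "any"
    action: str     # "accept" or "drop"
    hits: int = 0   # counter as a log-analysis tool would report it
    comment: str = ""


def _net(spec):
    return ANY_NET if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _covers(outer, inner):
    """True when every packet `inner` would match is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and (outer.service == "any" or outer.service == inner.service))


def _overlaps(a, b):
    """True when some packet could match both rules (order then matters)."""
    return (_net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and (a.service == "any" or b.service == "any"
                 or a.service == b.service))


def shadowed_rules(rules):
    """(rule, earlier rule that shadows it) for rules that can never fire."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found


def unused_rules(rules, min_hits=1):
    """Rules below the hit threshold: candidates for removal after review."""
    return [r.name for r in rules if r.hits < min_hits]


def uncommented_rules(rules):
    """Policy check: every rule must carry a comment explaining its purpose."""
    return [r.name for r in rules if not r.comment.strip()]


def has_cleanup_rule(rules):
    """Policy check: the rule base must end with an explicit any/any/any drop."""
    last = rules[-1]
    return (last.src == "any" and last.dst == "any"
            and last.service == "any" and last.action == "drop")


def reorder_by_usage(rules):
    """Move busier rules upward, but never past an overlapping rule, so the
    decision for every packet is unchanged while the common case is hit
    earlier.  The clean-up rule overlaps everything and therefore stays last."""
    order = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if b.hits > a.hits and not _overlaps(a, b):
                order[i], order[i + 1] = b, a
                changed = True
    return [r.name for r in order]


# Constructed sample rule base: a few years of accumulated "spaghetti".
SAMPLE_RULES = [
    Rule("web-in", "any", "10.0.0.0/24", "tcp/443", "accept", 12000, "public web"),
    Rule("admin-ssh", "10.1.0.0/16", "10.0.0.0/24", "tcp/22", "accept", 30, "jump hosts"),
    Rule("legacy-ftp", "10.1.0.0/16", "10.0.0.0/24", "tcp/21", "accept", 0, ""),
    Rule("ssh-subnet", "10.1.5.0/24", "10.0.0.0/24", "tcp/22", "accept", 0, "team X"),
    Rule("dns-out", "10.0.0.0/24", "any", "udp/53", "accept", 50000, "resolver"),
    Rule("cleanup", "any", "any", "any", "drop", 900, "final clean-up rule"),
]

if __name__ == "__main__":
    print("shadowed:   ", shadowed_rules(SAMPLE_RULES))
    print("unused:     ", unused_rules(SAMPLE_RULES))
    print("uncommented:", uncommented_rules(SAMPLE_RULES))
    print("cleanup ok: ", has_cleanup_rule(SAMPLE_RULES))
    print("new order:  ", reorder_by_usage(SAMPLE_RULES))
```

On the sample data the analyser reports `ssh-subnet` as shadowed by `admin-ssh` (its source is a subnet of the earlier rule's source, with the same destination and service), `legacy-ftp` and `ssh-subnet` as unused, `legacy-ftp` as lacking a comment, and a valid clean-up rule; the suggested order moves `dns-out` to the top because nothing it matches is matched by the rules above it. The reorder deliberately refuses any swap between overlapping rules rather than trying to prove the swap harmless, which is the conservative choice for a tool whose output a change manager will act on.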
Sleeping in the afternoon - One local habit that I have taken the most easily to is sleeping in the afternoon. The opportunity to wind down and take a nap after a nice lunch is a great way to recharge your batteries. I think that this should be added as a criterion for any new security investment. “Does this investment allow me to take a nap in the afternoon?”
In summary, it is clear to me that companies are looking for ways to remove cost from firewall administration whilst adding performance. The ever-increasing demands of compliance from all quarters mean that the delivery of compliance needs to be automated and assured. To ensure ongoing OPEX reduction and operational efficiency, rule changes going forward need to be assessed automatically against an internal or external best-practice standard, with violations flagged to the responsible manager.