One of the recurring questions we hear from network security leaders is “why aren’t our security policies optimized?” The answer, however, is far from simple. The truth is that a myriad of factors converge to create a challenging landscape where optimization becomes a daunting task.
To understand how to solve a problem, you first need to understand what is causing the problem in the first place. That’s basic troubleshooting 101 – and it’s as true for cybersecurity as it is for any industry.
Common Security Policy Issues
Let’s run down the checklist of common issues that could impact overall security policy adoption and adherence:
- Volume: One of the foremost challenges stems from the sheer volume of network security controls. These controls, such as a firewall or security group, are each adorned with hundreds to thousands of access rules. Adjustments become difficult as the rules themselves are often scattered across various locations – and teams have to take into consideration the impact a change to one rule may have on another.
- Review Processes: Periodic review of access rules, regardless of whether they protect legacy networks, cloud, or edge environments, is often neglected, rendering the security policies connected to them both stagnant and vulnerable.
- Out of Process Changes: Another issue is that team members sometimes make policy modifications without adhering to any controls whatsoever. Adjusting or updating rules outside of the approved process not only undermines the integrity of the security infrastructure as a whole – but also introduces unforeseen vulnerabilities.
- Urgent Changes: In the frenzied quest to resolve issues swiftly, changes are sometimes implemented hastily, often without due approval or documentation. Many of these changes are intended to be temporary in nature, but reverting back to the original rules after the fact rarely happens. Taking a “band-aid” approach to adjusting security policy only exacerbates the larger problem, creating clutter and leaving the system susceptible to exploitation as urgent changes are not documented well, forgotten forever, or have unintended consequences.
- Documentation: Proper documentation is seen as a chore, and is either sorely inadequate or relegated to an afterthought. Security teams are forced to grapple with the task of identifying and rectifying misconfigurations or vulnerabilities – often at times when speed is critical. A lack of information not only slows them down, but can hinder their ability to accurately understand the situation. Conducting audits or confirming regulatory compliance without accurate, updated information is also a nightmare for security teams.
- Fear: A prevailing fear of disrupting the status quo inhibits teams from removing redundant or conflicting rules. Because there is so little knowledge or documentation about existing rules, the possibility of inadvertently causing application or network outages looms large. Proactive rule optimization efforts are often abandoned out of fear, or left to become “the next person’s problem.” While the saying goes “if it ain’t broke, don’t fix it,” an accumulation of unnecessary rules clutters the security framework, compounds its inefficiencies, and opens companies up to other problems in the future.
Any one of these could be the cause of security policy optimization challenges, and lead to organizational security issues that result in a breach or attack. The truth of the situation is that many organizations have several of these issues impacting their policies and rules – at the same time. With stagnant security budgets and the ongoing battle for organizations to find and retain cybersecurity talent, it is easy to see how these issues can snowball if left unaddressed for too long. No one likes to clean up after the party.
It is also easy to see that security teams need help in order to overcome these issues and establish a lean and efficient security policy. That’s why embracing automation is so important. Automation is a must-have for today’s organizations; without it, teams find it impossible to catch up and work on truly optimizing their processes.
Embracing Automation – Critically Important, But Often Not Enough
Security automation is often seen as the solution for the need to get more out of existing resources, while still being able to fight the good fight against attackers. But just implementing automated tools is not enough; to truly address the problems above once and for all and optimize your security policies there are specific best practices to follow.
Let’s take a look at these steps and what is needed for each:
- Identification: Identification is the true beginning of security policy automation. Organizations must meticulously catalog their existing security policies, unraveling the intricate web of rules and controls to understand what is connected to what – and most importantly, why. A comprehensive audit serves as the foundation upon which subsequent optimization efforts are built.
That said, visibility simply isn’t enough to be impactful by itself. There has to be an automated insight platform that can help identify, in a timely manner, the various policy aspects that need to be optimized. For example, automation could identify unused or unneeded rules that hinder optimization and could be eliminated, but wouldn’t have been noticed by teams because of their lack of use.
- Continuous Policy Assessment: Following the identification phase, assessment becomes imperative. Enterprises must scrutinize each policy, evaluating its relevance, effectiveness, and compliance with regulatory standards: what exactly is needed, what isn’t, and what is missing. This critical appraisal unveils both vulnerabilities and inefficiencies, paving the way for targeted mitigation strategies and helping to establish a practice of continuous compliance. It’s not all doom and gloom, however. The process also can help teams understand what is working well – and should be continued or repeated.
- Proper Policy Definition: The guardrails you set up to track access and potential policy violations need to be accurate, to ensure that all deviations are captured and can be addressed. Without accuracy in definitions and rules, it becomes impossible to capture everything that’s potentially dangerous, thereby further limiting optimization efforts.
- Mitigation: Mitigation is when organizations work to rectify identified shortcomings and fortify their security posture. Actions include streamlining policies, eliminating redundancies, maintaining policies that work, and bolstering defenses against emerging threats. It is important for organizations to remain vigilant and understand that their actions here will establish the foundation for future policies.
- Tracking and Reporting: Equally vital is the tracking and reporting of progress. Enterprises must deploy robust monitoring mechanisms to gauge the success of their automation endeavors – and to give them the documentation needed to explain decisions and revert changes if necessary. Transparent reporting also helps to ensure accountability and facilitate informed decision-making now and in the future.
By adhering to these best practices, an organization can put itself in the best possible position for automation efforts to truly make a difference when it comes to security policies.
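The Identification and Continuous Policy Assessment steps above come down to mechanically checking a ruleset for the problems the first half of the article lists: rules with no hits, rules shadowed by an earlier rule, “temporary” urgent changes that were never reverted, and rules with no documented owner or change ticket. The following is an added example written for this page, not Tufin’s code or any product’s API; the rule fields, the sample ruleset and the audit date are all constructed, and the firewall is assumed to evaluate rules top-down with first match winning.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Optional, Union

@dataclass
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    port: Union[int, str]    # TCP port or "any"
    action: str              # "allow" or "deny"
    hits: int                # hit counter exported by the firewall
    owner: str = ""          # change ticket / owner; empty means undocumented
    expires: Optional[date] = None  # set for "temporary" urgent changes

def _net_covers(a: str, b: str) -> bool:
    """True if address scope a includes all of address scope b."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ip_network(b).subnet_of(ip_network(a))

def shadows(earlier: Rule, later: Rule) -> bool:
    """An earlier rule shadows a later one when it matches every packet the
    later rule would match, so the later rule is never reached (regardless of
    action: same action means redundancy, different action means a conflict)."""
    return (_net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and (earlier.port == "any" or earlier.port == later.port))

def audit(rules: list, today: date) -> dict:
    """Return rule names grouped by hygiene issue, walking the ruleset in order."""
    findings = {"unused": [], "shadowed": [], "expired": [], "undocumented": []}
    for i, r in enumerate(rules):
        if r.hits == 0:
            findings["unused"].append(r.name)
        if any(shadows(e, r) for e in rules[:i]):
            findings["shadowed"].append(r.name)
        if r.expires is not None and r.expires < today:
            findings["expired"].append(r.name)
        if not r.owner:
            findings["undocumented"].append(r.name)
    return findings

# Constructed sample ruleset and audit date (not from any real environment).
SAMPLE = [
    Rule("web-in", "any", "10.0.1.0/24", 443, "allow", 9120, "CHG-1001"),
    Rule("web-host-in", "any", "10.0.1.10/32", 443, "allow", 0, "CHG-1042"),
    Rule("hotfix-db", "10.0.2.0/24", "10.0.3.5/32", 5432, "allow", 37, "", date(2024, 1, 31)),
    Rule("deny-all", "any", "any", "any", "deny", 4410, "CHG-0001"),
]
AUDIT_DATE = date(2024, 6, 1)
RESULT = audit(SAMPLE, AUDIT_DATE)
```

Running the audit on the sample flags `web-host-in` as both unused and shadowed (the broader `web-in` rule already covers it) and `hotfix-db` as an expired, undocumented temporary change; the catch-all deny is left alone because nothing earlier covers a destination of `any`.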
Looking Ahead
Once an organization has corrected its past security policy mistakes and established a true, streamlined, and efficient set of rules and processes, the next battle becomes keeping it that way. As any security team member knows, this is often easier said than done.
To retain their newfound security policy efficiency, enterprises must cultivate a culture of proactivity. Regular audits, periodic reviews, and stringent documentation practices are non-negotiable moving forward. In addition, collaboration within the organization is key, so needed policy changes or issues can be identified and corrected without creating a new set of issues. Organizations must also understand that policy needs will constantly evolve – as do security threats. Security policy optimization needs to become a continuous process, where new technologies and employee needs are recognized with approved policy adjustments, not ad hoc changes.
By embracing automation and adhering to a systematic approach, organizations can navigate policy issues with confidence. A culture of proactive policy management and continuous refinement will give employees the access they need to be successful, and ensure defenses remain strong in the face of ever-evolving threats.
About the Author
Erez Tadmor is the Field CTO of Tufin. He has a two-decade career in the ever-evolving information security field, marked by his diverse background in managing various product portfolios and verticals. His expertise spans cloud and network security, automation & orchestration, IAM, fraud detection and prevention. As Tufin’s Field CTO, he bridges the gap between customers, marketing, and product teams, educating stakeholders on network security technologies, cybersecurity best practices and Tufin’s solutions. Erez holds a track record of strong leadership in both enterprise and startup cybersecurity product management and strategy development. Erez can be reached online at [email protected] and at our company website https://www.tufin.com/.