How to stop your security policy management becoming ‘Hotel California’

Change is the one constant in network operations and security. Business applications todays are always in a near constant state of flux – regularly being updated or migrated – which in turn means constant additions and updates to security policies and firewall rules.

An AlgoSec survey of 240 infosecurity and IT professional’s globally found that 45% of respondents processed between 11 and 20 network access change requests to key business applications every week. 21% had over 20 changes per week.

So to keep pace with this demanding cycle of changes, IT teams are having to add more and more rules to their firewalls.

As a result, security policies become bloated. The problem is made even worse as old or obsolete policies and rules are rarely deleted, even after a business application or server has been decommissioned.

This can happen simply because no one was asked to remove those rules; or because of concerns that deleting them may impact other applications or services, causing an unexpected ripple effect and risking an outage. However, security policies that are not required for any business purpose can create open doors for unwanted guests – cyber criminals!

> See also: How to pin down tricky portable media in your security policy

The end result is often a cluttered and unnecessarily extended network security policy, which weakens your security posture, impacts firewall performance and impedes regulatory audits and compliance. 

It’s ‘Hotel California’ syndrome – policies and rules may checkout, but they never leave. No wonder, then, that unco-ordinated policy management was identified by analyst Gartner as one of the most common network security ‘worst practices’ earlier in 20152.

Tackling this issue is a challenge for network operations, security, and application owners alike! The people who built the business applications, developed the security policies around them, and therefore know why these rules are in place, may no longer be with your company.

Documentation and records may be sketchy at best, with manual, non-scalable processes including spreadsheets or simplistic databases being used to handle this increasingly complex task.

And as mentioned earlier, those complex policies or rules may support or affect other applications too, creating the risk of disrupting or breaking a core business process if changes are badly managed.

Simplifying the policy puzzle

So how can you start to clean up your existing security policies and rules, to get rid of those that are old and obsolete, and track those which are most critical and relevant to your business?  Here are some suggestions for starting to clean up your ‘guest list’ of rulesets and policies, and evicting those that have outstayed their usefulness.

Check-out how the rules are used: to do this, you need to implement logging and reporting with per-rule granularity, so that you can see exactly how often a rule is applied and when it was last used.

This is a feature of security policy management solutions: they provide a range of reporting options that enables you to quickly identify the status of rules and objects, e.g. which are unused, which are disabled, which are duplicated or redundant, which have been inactive for a period of time, and so on.  This gives you the basis for establishing how much clutter there is in your policies, and where you should start your clean-up.

Check-in new rules:  when new rules are being set up, make sure everyone who does adds a comment on what the rule is for.  This will help to remind you and your team why it exists in the first place when you come to review it at a later date.

Check-up on existing rules: recommended as a core element of an effective security change-management strategy, recertification involves examining firewall rules and application connectivity on a regular basis – for example, every 12 or 24 months – and reapproving those rules that are still in use while removing those which are no longer required. 

Organisations that are highly security-conscious will even specify a time-limit for the validity of rules, causing them to stop working after a defined date.  Some organisations may even set recertification intervals dynamically, based on risk or line of business. All this helps to ensure that rulesets are regularly spring-cleaned and updated. Organisations with a very well-defined security policy management process may even set rule recertifications dynamically based on risk or business line.

Focus on your applications:  as organisations move towards a much more application-centric approach to security policy management, they begin to drive change reviews and assessments from the application down. So rather than focusing on solely on firewall ports and network protocols, ensure you understand and map firewall and router access rules to the business applications they support. Application connectivity management solutions can automate and greatly simplify this process.

Automate your change request processes: Security policy automation solutions not only let you process changes faster and more accurately, they also document those processes automatically.

> See also: How to be a security policy management saint, not a sinner

This gives you a searchable audit trail of your rules and policies, enabling you to establish, months or years later, who asked for them to be implemented and why, who made any changes to them, and the reasons for the change.

It simplifies information-gathering for future audits, improves coordination and management of policies, and gives a reference point, or ‘safe harbour’ that you can return to if something goes wrong, such as an unexpected application outage if a set of rules is removed.

By checking-out and evicting obsolete firewall rules and policies, you not only simplify ongoing security management, as well as auditing and compliance, you also greatly improve your security posture and resilience against cyberattacks.

You also make subsequent changes and maintenance – deploying new firewalls, migrating or decommissioning applications – much easier, with less risk of disruption.  With the right tools and processes, you can transform sprawling, messy ‘Hotel California’ rulesets into slick, 5 Star security policies that enable you to securely manage your business.

Sourced from Kyle Wickert, Lead Solution Architect of Product & Deployment, AlgoSec

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

IT Security