Expert insight: Countering risk with automation

Andrew Lintell, Regional Vice President, Northern EMEA at Tufin, on how organisations can improve their level of maturity as they move towards complete automation.

Network security continues to grow more complex by the day.

Increasing fragmentation, combined with constant change and the fact that security professionals are in short supply, increase the challenges that security and operations teams face across all industries.

The continued fragmentation of the network is just one result of multi-vendor environments, where numerous disparate products must be properly integrated to avoid misconfigurations or weaknesses in the network. Unfortunately, this is typically not the case due to the additional complexity this presents and the work required of already overloaded IT teams, which is presenting some serious challenges.

See also:

• OUT NOW - The August edition of Gigabit Magazine!
• Exclusive insight: Making connections with Deloitte
• Visionaries, explorers and watchers - Infosys examines digital thinking at global enterprises

Indeed, according to a recent Cato Networks survey of over 700 IT professionals, complexity emerged as the biggest networking and security challenge facing IT teams.

As a result, a dangerous trade-off is being made: the business is asking for greater agility to meet market demands, often at the cost of security. An organisation that is too focused on security will slow down the pace of business, which ultimately will hurt business’ ability to respond to the market and maintain their competitive edge.

So, with today’s fragmented, complex networks, how can organisations assess and improve their level of maturity as they develop towards the ultimate goal of Zero-Touch Automation?

Starting from the bottom
In complex networks with multiple vendor firewalls, devices and routers as well as multi-cloud deployments, change is constant, and visibility is poor. When a change request is submitted, it is difficult to know if the rule already exists or if a new rule will break connectivity or create unwanted exposure.

So, before businesses can move forward, they first need visibility into the issues they face. Some questions they must ask themselves include:

•    Are they keeping up with the change requests or falling behind?
•    Do they understand their network topology? 
•    Are security policies established and followed?
•    How do they monitor and track change for compliance?
•    Is DevOps spinning up applications without security controls?
•    Have they moved to centralised control of security policy?

Once these questions have been answered, businesses also have to consider the needs of the various business units. When NetOps, SecOps and DevOps all have different priorities, it’s difficult to establish any controls. DevOps teams, for example, are focused on rolling out new apps and services as quickly as possible. While they want their apps to be secure, they don’t want security to get in the way of business agility.

Without automation, the result is overburdened IT operations, unhappy security teams and applications that don’t follow security rules – all as a result of complexity and a dependence on manual processes.

The problem with staying in manual
Manually managing changes and applying disparate security policies, while constantly fighting against a tide of change requests, results in chaos which is further compounded by the fragmentation of the network. Not only do these manual changes take time - sometimes weeks - manually configuring means mistakes are inevitable, which further increases security risk across the enterprise.

When an organisation might have some visibility and monitoring into their change process, if they are still doing manual changes and can’t prove compliance, they remain blissfully unaware of the problems lurking beneath the hood. 

If we were to place businesses that rely on manual processes on a network security and agility maturity scale (i.e. the ability of an organisation to improve efficiencies and ensure security), most would likely fall in the lower quadrant. Ultimately, the cause is a lack of visibility and control required to balance the scale.

The need for automation of security policy
Organisations shouldn’t have to compromise between security and business agility. Striking a balance requires visibility first, but then automation. Automation of network security changes according to a security policy ensures that organisations are making these changes quickly and accurately no matter where they are – on-prem, in the cloud or in a DevOps environment. It is only through centralised security policy that organisations can manage changes at scale.

Such an approach also helps to improve compliance with industry regulations and internal audit, as businesses can prove that the changes made to firewall rules or application connectivity are adhering to policy.

Furthermore, providing a common centralised policy makes it easier for NetOps, SecOps and DevOps to efficiently adhere to the same set of rules, manage changes in minutes instead of days, and ultimately increase business efficiency while maintaining a strong security posture. 

From a place of no visibility to gaining control, the ultimate goal is to achieve Zero-Touch Automation, whereby your changes are made according to policy and according to your risk tolerance.

Ultimately, this process requires an organisation to plan how it will mature and achieve that state of Zero-Touch Automation. Following a maturity model will ensure organisations are ready to adapt and adopt to new technologies and methodologies in the future.

Network security policy management provides the steps needed to plan and advance an organisation’s network security through the use of security policy.