Avoiding ‘Hotel California’ security policies
- Published: Tuesday, 20 October 2015 07:47
Old security policies and rules often stick around long after they’ve outstayed their welcome. Kyle Wickert shows how you can ensure they check out and leave, for good.
Change is the one constant in network operations and security. Business applications are always in a near constant state of flux - regularly being updated or migrated – which in turn means constant additions and updates to security policies and firewall rules. An AlgoSec survey of 240 infosecurity and IT professional’s globally (1) found that 45 percent of respondents processed between 11 and 20 network access change requests to key business applications every week. 21 percent had over 20 changes per week. So to keep pace with this demanding cycle of changes, IT teams are having to add more and more rules to their firewalls.
As a result, security policies become bloated. The problem is made even worse as old or obsolete policies and rules are rarely deleted, even after a business application or server has been decommissioned. This can happen simply because no one was asked to remove those rules; or because of concerns that deleting them may impact other applications or services, causing an unexpected ripple effect and risking an outage. However, security policies that are not required for any business purpose can create open doors for unwanted guests: cyber criminals!
The end result is often a cluttered and unnecessarily extended network security policy, which weakens your security posture, impacts firewall performance and impedes regulatory audits and compliance. It’s ‘Hotel California’ syndrome: policies and rules may checkout, but they never leave. No wonder, then, that uncoordinated policy management was identified by analyst Gartner as one of the most common network security ‘worst practices’ earlier in 2015 (2).
Tackling this issue is a challenge for network operations, security, and application owners alike. The people who built the business applications, developed the security policies around them, and therefore know why these rules are in place, may no longer be with your company. Documentation and records may be sketchy at best, with manual, non-scalable processes including spreadsheets or simplistic databases being used to handle this increasingly complex task. And as mentioned earlier, those complex policies or rules may support or affect other applications too, creating the risk of disrupting or breaking a core business process if changes are badly managed.
Simplifying the policy puzzle
So how can you start to clean up your existing security policies and rules, to get rid of those that are old and obsolete, and track those which are most critical and relevant to your business? Here are my suggestions for starting to clean up your ‘guest list’ of rulesets and policies, and evicting those that have outstayed their usefulness.
- Check-out how the rules are used: to do this, you need to implement logging and reporting with per-rule granularity, so that you can see exactly how often a rule is applied and when it was last used. This is a feature of security policy management solutions: they provide a range of reporting options that enables you to quickly identify the status of rules and objects, e.g. which are unused, which are disabled, which are duplicated or redundant, which have been inactive for a period of time, and so on. This gives you the basis for establishing how much clutter there is in your policies, and where you should start your clean-up.
- Check-in new rules: when new rules are being set up, make sure everyone who does adds a comment on what the rule is for. This will help to remind you and your team why it exists in the first place when you come to review it at a later date.
- Check-up on existing rules: recommended as a core element of an effective security change-management strategy, recertification involves examining firewall rules and application connectivity on a regular basis – for example, every 12 or 24 months – and reapproving those rules that are still in use while removing those which are no longer required. Organizations that are highly security-conscious will even specify a time-limit for the validity of rules, causing them to stop working after a defined date. Some organizations may also set recertification intervals dynamically, based on risk or line of business. All this helps to ensure that rulesets are regularly spring-cleaned and updated. Organizations with a very well-defined security policy management process sometimes set rule re-certifications, dynamically based on risk or business line.
- Focus on your applications: as organizations move towards a much more application-centric approach to security policy management, they begin to drive change reviews and assessments from the application down. So rather than focusing on solely on firewall ports and network protocols, ensure you understand and map firewall and router access rules to the business applications they support. Application connectivity management solutions can automate and greatly simplify this process.
- Automate your change request processes: security policy automation solutions not only let you process changes faster and more accurately; they also document those processes automatically. This gives you a searchable audit trail of your rules and policies, enabling you to establish, months or years later, who asked for them to be implemented and why, who made any changes to them, and the reasons for the change. It simplifies information-gathering for future audits, improves coordination and management of policies, and gives a reference point, or ‘safe harbour’ that you can return to if something goes wrong, such as an unexpected application outage if a set of rules is removed.
By checking-out and evicting obsolete firewall rules and policies, you not only simplify ongoing security management, as well as auditing and compliance, you greatly improve your security posture and resilience against cyberattacks. You also make subsequent changes and maintenance – deploying new firewalls, migrating or decommissioning applications – much easier, with less risk of disruption. With the right tools and processes, you can transform sprawling, messy ‘Hotel California’ rulesets into slick, Five Star security policies that enable you to securely manage your business.
Kyle Wickert is the Lead Solution Architect of Product & Deployment at AlgoSec.
(1) AlgoSec survey examining the impact of security management on the business: http://www.algosec.com/en/resources/impact_of_security_management(2) Gartner, “Avoid these “Dirty Dozen” Network Security Worst Practices,” January 2015.