Avoiding ‘Hotel California’ security policies

Published: Tuesday, 20 October 2015 07:47

Old security policies and rules often stick around long after they’ve outstayed their welcome. Kyle Wickert shows how you can ensure they check out and leave, for good.

Change is the one constant in network operations and security. Business applications are always in a near constant state of flux - regularly being updated or migrated – which in turn means constant additions and updates to security policies and firewall rules.  An AlgoSec survey of 240 infosecurity and IT professional’s globally (1) found that 45 percent of respondents processed between 11 and 20 network access change requests to key business applications every week.  21 percent had over 20 changes per week.  So to keep pace with this demanding cycle of changes, IT teams are having to add more and more rules to their firewalls.

As a result, security policies become bloated. The problem is made even worse as old or obsolete policies and rules are rarely deleted, even after a business application or server has been decommissioned.  This can happen simply because no one was asked to remove those rules; or because of concerns that deleting them may impact other applications or services, causing an unexpected ripple effect and risking an outage. However, security policies that are not required for any business purpose can create open doors for unwanted guests: cyber criminals!

The end result is often a cluttered and unnecessarily extended network security policy, which weakens your security posture, impacts firewall performance and impedes regulatory audits and compliance.  It’s ‘Hotel California’ syndrome: policies and rules may checkout, but they never leave.  No wonder, then, that uncoordinated policy management was identified by analyst Gartner as one of the most common network security ‘worst practices’ earlier in 2015 (2).

Tackling this issue is a challenge for network operations, security, and application owners alike. The people who built the business applications, developed the security policies around them, and therefore know why these rules are in place, may no longer be with your company.  Documentation and records may be sketchy at best, with manual, non-scalable processes including spreadsheets or simplistic databases being used to handle this increasingly complex task. And as mentioned earlier, those complex policies or rules may support or affect other applications too, creating the risk of disrupting or breaking a core business process if changes are badly managed.

Simplifying the policy puzzle

So how can you start to clean up your existing security policies and rules, to get rid of those that are old and obsolete, and track those which are most critical and relevant to your business?  Here are my suggestions for starting to clean up your ‘guest list’ of rulesets and policies, and evicting those that have outstayed their usefulness. 

By checking-out and evicting obsolete firewall rules and policies, you not only simplify ongoing security management, as well as auditing and compliance, you greatly improve your security posture and resilience against cyberattacks.  You also make subsequent changes and maintenance – deploying new firewalls, migrating or decommissioning applications – much easier, with less risk of disruption.  With the right tools and processes, you can transform sprawling, messy ‘Hotel California’ rulesets into slick, Five Star security policies that enable you to securely manage your business.

The author

Kyle Wickert is the Lead Solution Architect of Product & Deployment at AlgoSec.


(1) AlgoSec survey examining the impact of security management on the business:  http://www.algosec.com/en/resources/impact_of_security_management

(2) Gartner, “Avoid these “Dirty Dozen” Network Security Worst Practices,” January 2015.