Recently, Prescott Winter, the former CIO and CTO of the USA's National Security Agency, said that most big companies, including those in the Fortune 100, have 'no idea what they are doing' when it comes to risk management and security. (See full article here.)
This is a very broad statement and somewhat problematic. Whilst by no means perfect, most companies aren't as clueless as Winter suggests and do know what they are doing in terms of risk management and security. Many have assembled a team of network professionals to monitor and react to issues, added CTOs / CIOs to provide board level oversight and complete their firewall audits regularly. However Winter made some very valid points which suggest that there is a gross misunderstanding when it comes to effectively dealing with the challenges associated with IT security and the enterprise. It's no longer enough to simply automate your security policies, because the threats, from cyber-attacks to issues caused by malicious employees to human error, have become more widespread and complex and the specific needs of each organization differ tremendously.
It seems others would agree. In fact when we recently asked 502 IT security decision makers about their security network policies, the survey revealed that C-level managers and IT professionals are tackling increasingly complex enterprise networks, with trends such as virtualization, IPv6 and the Cloud requiring more automation of network management. In our research 67% of senior IT and decision-makers think security policy management across the network will become more automated over the next few years. And 56% said that system complexity was the number one root cause undermining and jeopardizing IT security activity.
So it's clear a high level methodology to modern network security management is the only answer for companies who want to manage risk and protect their assets while adhering to business requirements.
Winter said this requires the following:
- A top-down approach from business to security
- Identifying business assets and defining the security architecture around them (not vice-versa as is the standard practice today)
- The ability to separate security management at multiple touch-points (network, servers, applications) which requires processes and analysis tools to reach across domains and business units
- Automated processes with feedback – including continuous self-auditing
One point I agree with Winter is that 'companies need to develop an approach that looks to protect the most critical business assets. A top-down approach, using a system like ours allows you to map the most critical business assets. Such tools extend the benefits of IT automation to network security, in order to accelerate service and application delivery, increase IT agility, and enforce security policy throughout the network.
Another area that made sense was 'point solutions and single systems are inadequate'. This is why business must put security orchestration in place to manage security across the multiple devices and domains that exist in today's modern business world. This means coordinating a variety of systems that affect security policy – not just firewalls and routers, but servers and applications as well. Orchestration of security policy has become very complex and should include the “middleware” that connects a wider community including application teams that need network changes and network security teams that need to analyze, design, assess, implement and audit these changes in a timely fashion. Interoperability between systems and integration with different network security devices and various stakeholders is essential.
Winter emphasized this by saying that 'The real threat is the lack of understanding what is important to the enterprise and the ability to identify the assets that matter and begin to watch those in a structured, architectured way.' Understanding the processes and applications within your business is the only way to completely protect it from IT security threats. And critical to this, is making sure your employees also understand the business is crucial.
Winter added 'People make mistakes and things that ought to be done in a particular way often aren't and the result is a set of vulnerabilities that will leave your enterprise open.' This is a no-brainer – it's essential that your employees have a clear view of the enterprise security policies and are able to navigate them simply and efficiently while continuously auditing. Many companies spend inordinate amounts of time developing policies but bury them somewhere never to be seen by employees. It's important that staff are informed and trained if necessary and that policies are highly accessible.
A centralized management platform will enable security, network and application teams to proactively design, implement and audit network changes to ensure security within complex business networks. This addresses many of the modern risk management challenges raised by Winter and, if done properly, will allow enterprises to protect their businesses with confidence.
To hear more about how to automate network layer change processes, accelerate service and application delivery and increase IT agility tune in to our next webinar on 5 November which will ask 'Why You Should Care About Security Policy Orchestration'.