Posted on May 5th, 2021 by Jeff Wilmot

Spring has officially begun! For a lot of us, that means new growth on the trees, more daylight hours, and that invigorating feeling of renewal. It also means we should look at what piled up over winter and probably start our spring cleaning.

The same can be said of your security policies. For a lot of organizations, a new security policy is put in place to address a new requirement. Sometimes you take the time to understand how this requirement stacks up against the others, but sometimes it’s just easier to implement it now with the goal of sorting through your policies later. This is especially true if you are managing firewall rules and policies with spreadsheets or native tools from multiple vendors. Your rule counts can reach into the hundreds, thousands or tens of thousands. When your access rules stretch from firewalls and applications to SDNs and containers, the task can be daunting.

But, maybe you’re one of those organizations that realized the value of visibility across your entire network a long time ago. You don’t have a massive backlog of manual tasks -- you listened when Forrester Research suggested you should “clean up configurations” and reduce your attack surface.

“The days of managing firewall rulesets with tens of thousands of rows in a spreadsheet should (finally) be over. All modern enterprise firewalls support rule hit counts, last-access triggers, and expirations, enabling tighter rulesets (and therefore a smaller network threat surface). Most large organizations have multiple firewall vendors and can also benefit from third-party policy management vendors like […] Tufin to enforce consistent, compliant policies.”
– Forrester Research, Now Tech: Enterprise Firewalls, Q1 2020, March 20, 2020, David Holmes with Joseph Blankenship, Benjamin Corey, Peggy Dostie

There are other ways organizations allow security rules to pile up, effectively damaging their security posture and inviting unnecessary risk into the enterprise. When I speak to customers who have invested in new firewalls, SDNs, cloud or containers, or who are looking to migrate some of their workloads to the cloud, I ask them, “What are you doing to clean up your security policies before you assign access?”

In short, the answers tend to fall into a couple buckets:

  1. We don’t have time/resources/expertise to look at this now
  2. We will review during our monthly/annual/ad hoc cycles
  3. Yeah, that’s a good point, but…

To which I say, the time is now. If you were to pack up your entire residence, wouldn’t you weed through the items you don’t use first? That box of things you didn’t open up since your last move? The pleated pants that no one seems to be wearing anymore? That blockbuster on VHS? That leaky snow globe from the Eiffel Tower?

No one really wants to hang onto things that have no value, or worse, may cause harm. Yet overly permissive ports, shadowed or useless rules, unpatched systems, non-compliant access… these are all carried over to brand new devices and deployed without a second thought.
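As an added illustration of the cleanup the post is describing (this is example code, not Tufin's tooling), the script below runs three of the checks over a small constructed ruleset: rules shadowed by an earlier rule under first-match semantics, rules that are stale by hit count, last-hit date or expiration, and allow rules that are open from any source on every port. The `Rule` fields, the ruleset and the 90-day idle threshold are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    ports: Tuple[int, int]       # inclusive destination port range
    action: str                  # "allow" or "deny"
    hits: int                    # hit counter exported by the firewall
    last_hit: Optional[date]     # None if the rule never matched
    expires: Optional[date] = None

def covers(a: Rule, b: Rule) -> bool:
    """True if rule a matches every packet that rule b would match."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])

def shadowed_rules(rules: List[Rule]):
    """First match wins, so a rule fully covered by an earlier rule never fires."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule.name, earlier.name))
                break
    return found

def stale_rules(rules: List[Rule], today: date, max_idle_days: int = 90):
    """Zero hits, no hit within the idle window, or an expiration already passed."""
    cutoff = today - timedelta(days=max_idle_days)
    return [r.name for r in rules
            if r.hits == 0 or r.last_hit is None or r.last_hit < cutoff
            or (r.expires is not None and r.expires < today)]

def overly_permissive(rules: List[Rule]):
    """Allow rules reachable from any source on the full port range."""
    return [r.name for r in rules if r.action == "allow"
            and ip_network(r.src).prefixlen == 0 and r.ports == (1, 65535)]

# Constructed sample ruleset in firewall evaluation order (not from a real device).
TODAY = date(2021, 5, 5)
RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.168.1.10/32", (443, 443), "allow", 12000, date(2021, 5, 1)),
    Rule("allow-web-dup", "10.1.0.0/16", "192.168.1.10/32", (443, 443), "allow", 0, None),
    Rule("old-vendor", "203.0.113.0/24", "10.2.0.0/16", (22, 22), "allow", 3, date(2020, 11, 2), date(2021, 1, 31)),
    Rule("any-any", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "allow", 500, date(2021, 5, 3)),
]
```

Running the three functions over `RULES` flags `allow-web-dup` as shadowed by `allow-web`, `allow-web-dup` and `old-vendor` as stale, and `any-any` as overly permissive; on a real device the hit counters and last-hit dates would come from the firewall's own rule statistics.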

The first step to ensuring a clean start in your new residence is gaining visibility. Fortunately, we can help you there. Tufin offers a firewall change tracker -- a free tool for real-time analysis of multiple vendors’ firewalls, public cloud security groups and SDN policy changes, centralized into a single dashboard. If you are running workloads in a hybrid or multi-cloud environment, the cloud security assessment will let you understand where you are at risk from misconfigurations and how you stack up against CIS benchmarks. Both give you the visibility you need to make decisions about your security policies.

Spring is here and it’s time to shed the things that don’t set you up for a clean start. Let’s talk about how Tufin can help.