Network Security Automation to Manage Access Request Spikes and IT Skills Shortages

Last updated February 15th, 2023 by Hadas Lahav

Over the past few challenging weeks, my colleagues from product management and I had numerous conversations with organizations around the world, who shared their concerns about the shift to remote working, how to handle the surge in access requests, and how it’s affected their business continuity.

Despite operating in different countries and industries, their concerns and challenges were similar — all relating to their ability to react quickly, with these three trends now emerging:

1. Increased demand for urgent network changes

Many organizations see a dramatic increase in the volume of network changes due to the shift to remote working. Employees working from home need to urgently gain access to various organizational systems.

These time-sensitive requests are on top of the routine network changes that frequently occur in every organization. A developer, for example, who completes one project and moves ahead to work on another, now requires new network access to a different app/resource. These simple, routine changes are often implemented manually, by modifying firewall rules one by one, or using a searchable index of rules, at best, taking days, if not weeks. But when it takes too long to implement a change, especially if the change is critical, firewall admins may be forced to make the changes without having the time to thoroughly investigate the total impact on the security posture of the company.

These changes presumably meet SLAs but expose the network to potential risks.

2. Lost in translation

Because of the surge in requests, plus remote communication, requests have become exceedingly more cryptic, requiring firewall admins to redo changes more often due to simple misunderstandings. When rework is completed manually, rule by rule, it can quickly lead to a chaotic, unmanageable rule base with shadowed, redundant, and even overly permissive rules that are hastily reconfigured to enable network changes.

Communication obstacles are compounded since so many functions are now potentially impacted by a connectivity change. These communication issues are added to an already long list of collaboration concerns between IT, security, and cloud teams. Almost every organization handles fragmented networks, where different teams manage different security policies for different platforms and network devices. This can result in a lack of collaboration, where the cloud team, for example, makes changes to security group rules that impact firewall rules, without partnering with the relevant network/security teams.

A surge in manual re-work, combined with disparate responsibilities, can lead to blind spots and misconfigurations, resulting in major compliance gaps.

3. IT skills shortage

Many organizations are looking to reduce third-party service spending, and are relying more on in-house IT teams to manage their firewall estate. This effort, now combined with a limited remote workforce, puts additional strain on already overworked IT teams who are being asked to do more, with fewer resources, resulting in shortcuts or postponement of longer-term, and more strategic initiatives.

Tufin’s practice: Leverage automated network security change workflows to eliminate repetitive routine tasks and streamline security while ensuring SLAs

Nearly every network access change involves complex implementation throughout multiple, multi-vendor firewalls, switches, and routers, as well as security groups. Doing it manually, without accurate network topology and automated tools to help optimize newly implemented changes, makes it impossible to handle tickets in a timely manner, without exposing the network to potential risks. Network security automation, including a set of automated workflows that streamline every step in the change process, ensures fast, accurate, secure and documented access change process, to prevent and expose otherwise hidden threats and risks in your organization.

Automated, secure and accurate network access change implementation across multi-vendor network devices

With Tufin SecureChange, you can streamline the network change implementation process by automating change request workflow handling. You can actually create as many different workflows as needed, to achieve multiple use cases, including providing new network access, adding a new server to an existing cluster of servers, removing unused rules or servers from your security policy, and more. Each of these workflows is fully customizable, so that you can configure it to meet the specific needs of your organizational processes. Every workflow is a multi-step, graphical process – from design, to automated target selection, to risk assessment, all the way to approval and implementation, to help remove bottlenecks in your daily operations, and eliminate the risk of configuration errors. All workflows are audit-ready, as they track and document the full change history, and keep it for future reference.

What’s more, every workflow visualizes the entire sequence of events. Following are the key automation elements and steps that comprise a standard Access Request workflow:

Step 1: Automated risk calculation based on the ‘source’ and ‘destination’ entered by the user for the required change. Using risk calculation, SecureChange compares the source and destination to the organization’s defined Unified Security Policy and segmentation matrix, providing an early indication on policy violation, if it exists.

Step 2: Automatic selection of target devices in the path between source and destination, based on accurate network topology metadata and security policy configuration information, such as router interfaces, network protocols (e.g. NAT, VPNs, MPLS, etc.) collected from the on-premise, SDN, and cloud environments. Tufin maps out the firewall targets, irrespective of the device manufacture/SW vendor, between the source and the destination.