Everything changes: removing risk from network and security change management
Everything changes: removing risk from network and security change management

"There is nothing wrong with change, if it's in the right direction," said Winston Churchill. But speak to a hard-pressed CSO or CIO and they'll tell you that any type of change is a potential risk. Most will happily take a lot less change in order to get better security.

The issue is that every new hire, software patch or network update opens up a security gap and increases the organisation's risk exposure.

This situation becomes further complicated in larger organisations, which may have a mixed security estate comprising traditional, next-generation and virtualised firewalls from multiple vendors, all with hundreds of policies and thousands of rules.

Then there are unexpected, quick-fix changes that are often requested by board-level staff for access to specific resources or capabilities. In some cases, the change is made in a rush (who wants a C-level exec breathing down their neck because he wants to access the network from his new tablet right now?) without sufficient consideration of whether that change is allowable under current security policies, or if it introduces new exposure to risk.

Add to these internal issues the ever-growing number of external threats, from malware, hacking and social engineering exploits, and it's no wonder that both IT and security teams find that change introduces many more challenges than they would like.

So how should security and IT teams work together to manage change and get better control of security-related change issues? How should they approach updating their complex security infrastructure and policies to ensure better system availability and security?

The first step is to ensure that IT and security teams are working in harmony with each other. In many larger companies, routine IT operational and administrative tasks may be handled by a different team to that handling security and risk-related tasks.

Although both teams are working toward the same end, decisions made by one may lead to issues for the other, such as the earlier example of the executive wanting to add his new tablet to the network.

Sometimes these situations can be dealt with in a rush to get them out of the way, with the full intention of dealing with any security issues afterwards. Yet this latter and crucial element may get overlooked.

So it is worth recognising the potential for these pitfalls and implement measures to help improve co-ordination between different teams. You can't always predict exactly when users will make requests to add new devices to the network, but you can certainly prepare a routine for dealing with those requests as they arise.

Bringing both teams together to prepare route maps for these situations and for other ‘knowns' such as network upgrades, change freezes and audits helps to minimise the risk of these changes causing security holes.

To build these route maps, it's essential to understand your network's topology, which can be extremely complex in multi-site, enterprise environments. Where are the main conduits and choke points for traffic flow? Where are the potential vulnerabilities? How are the various firewalls on the network configured and what security policies and rules are active on those devices?

The answers to these questions help you to identify and target those areas with potential security gaps. However, the pace of ongoing infrastructure changes – not to mention the speed at which external threats evolve – means that manual, periodic network and risk assessments are simply not frequent enough to enable staff to keep up.

So as well as being able to visualise the network, you need near real-time responses to network issues and the ability to quickly access all types of firewall and apply changes in a way that is both compliant with security policies and fully auditable. This demands automation for these critical, labour-intensive tasks.

Why automate these tasks? Put simply, organisations cannot afford not to automate. In 2011, we surveyed senior IT and infosecurity staff on their firewall management issues: 66 per cent said that human error was the primary cause of network security outages.

Respondents also said that firewall management required the greatest investment of their time, as well as causing the most network disruptions, with 73 per cent citing a high number of changes as the main reason for their time investment in managing security gateways.

Automation helps staff move away from firefighting and being bounced reactively between incidents, and helps them gain control. The right solution can help teams track down potential traffic or connectivity issues, and highlight areas of risk and the current status of compliance with policies across mixed estates of traditional, next-generation and virtualised firewalls.

It can also automatically pinpoint the exact devices that may need changes, and show how to design and implement that change in the most secure way.

So, constant changes don't have to be a bugbear for IT and security teams. The ability to better manage change through automation can make a real difference to a company's security stance.

Paul Clark is UK managing director of AlgoSec