The increasing complexity of networks is a growing concern for most enterprises. Networks have been built with a number of diverse network technologies, often starting with switches, routers, servers, and firewalls, all likely procured from different vendors at different times. Over time, other hardware and software systems are layered on, such as software-defined networking, public clouds, and most recently containers. Every vendor has its own vocabulary, terminology, features, and its solutions have their own distinct command line interfaces. As Gartner observed, “Digital diversity management is not about people, but rather about managing the explosion of diverse assets and technologies used in today’s modern digital enterprise.”1 The problem is network management.
Vendors offer a single pane of glass to manage their products. Cisco has a management console for its devices, for example, and Fortinet has a console for its devices. Vendors’ management consoles, however, typically support only their products. With such disparate administrative tools, how can IT departments holistically manage multiple vendors, devices, and platforms? Most critically, how can changes be made in the network without introducing misconfigurations and security risks?
The short answer: not too easily.
Today, misconfigurations can be as high as 70 percent – based on my own experience with assessing ROI of security solutions. Misconfigurations can open breachable tunnels into the business that can be exploited or result in a lack of connectivity and desperate troubleshooting. The most common example occurred with databases in AWS, which when configured by default, were accessible to everyone. While the security process has improved, the damage has been done. Access to the network must be limited to only those who need it. If access is too permissive, the attack surface increases. Yet if access is too restricted, the business’ agility may suffer.
To manually configure changes to switches, firewalls, and other resources, security pros need to grasp how everything connects, despite network complexity. This demands a near impossible familiarity with a myriad of products from multiple vendors. If an access request requires modifications to a Cisco switch and a Palo Alto Networks firewall, they must master multiple security technologies to implement it. They need to determine what needs to be changed and what constitutes risk.
Suppose there’s a malware attack using port 445? The security team must determine all the possible compromises in that network zone and the security devices and datasets in it, assuming of course the network has been segmented. They must then ensure the attack doesn’t pivot elsewhere in the environment and be quick about mitigation. Malware attacks are usually automated. They scan ports on devices to determine which are open, and then seek to exploit vulnerabilities further across the accessible network. The longer security teams take to identify and isolate these threats, the longer the dwell time for them to spread across the network.
And that’s the challenge.
It takes time to manually manage configurations. Many organizations have SLAs that require three-to five-days for implementation of network changes. Security teams, short-staffed, swamped, and struggling to manage their diverse networks, often take days to respond to an incident or approve a change request that could be done in minutes with greater know-how. Access requests, as a result, take longer, which impedes business. Meanwhile, the network is vulnerable to intrusion.
As such, the success of manual network security operations in a complex network is only as effective as the skills of the security pros assigned to it. Some may be well versed in Cisco solutions. Others may be familiar with Check Point products. Vendor/solution knowledge is so compartmentalized that staff are often asked to manage systems outside of their expertise. This contributes to mistakes.
Managing security configurations across vendors and platforms, on-prem and hybrid cloud, from a single pane of glass reduces efforts and provides better control over risks. With fragmented management consoles, it is extremely difficult to understand an environment’s topology, how everything in it connects, and the impact that changes may have on security and connectivity.
Instead, with growing network complexity and heterogeneity, enterprises must consolidate security device and platform management. They need an all-encompassing system that doesn’t require much manpower to operate or specialized knowledge of any one vendor’s systems.
To improve efficiency, reduce risks, and empower the business, organizations need end-to-end security policy management. With cohesive policy management across the entire environment, network security operations can do a lot more with a lot less and do it much faster and more efficiently. And ultimately more securely.
If you want to learn more about how you can address the risks of an overly complex network with security policy management download this infographic.
*** This is a Security Bloggers Network syndicated blog from Tufin - Cybersecurity & Agility with Network Security Policy Orchestration authored by Dan Rheault. Read the original post at: https://www.tufin.com/node/2374