the security policy management maturity model: how to move up the curve
TRANSCRIPT
The Security Management Maturity Model
7
Level 1 - Initial
Level 2 - Emerging
Level 3 - Advanced Level 4 - Visionary
Level 1 - Initial
• Limited understanding of why each rule is in place
• Change management is manual; many changes must
be redone
• Limited visibility of impact to network traffic
• Time-consuming audits
• Rules are rarely deleted for fear of breaking something
• Manual risk analysis of the firewall policy
10
Recommendations for Level 1
1. Review (or create) documentation for firewall rules
2. Get an accurate picture of your network traffic so
you understand what your policy is actually doing
3. Define your ideal change management process
4. Establish regular projects to clean up firewall and
router rules and ACLs
5. Review risk analysis and compliance processes
6. Assess benefits of automation
11
Level 2 - Emerging
• Automated monitoring and alerting of policy changes
• Real-time, up-to-date topology visibility
• Automated compliance reporting
• Automated policy optimization and risk analysis
• No overly permissive rules (E.g. ANY)
• Change management still manual and error-prone
with teams working in silos
12
Recommendations for Level 2
1. Make sure security and network teams are aligned
and agree on change management processes
2. Measure the time required for each step of a
change request to identify bottlenecks
3. Conduct reconciliation between requests and
changes made to identify out-of-process changes
4. Assess the value of automation as part of a
firewall- and network-aware change process
13
Level 3 - Advanced
• Automated change process improves business agility
• Continuous compliance
• Out-of-process changes are discovered and “already
works” change requests are automatically closed
• Basic documentation and limited visibility of
application connectivity needs (E.g. spreadsheets)
• Poor communications with business stakeholders and
application owners
14
Recommendations for Level 3
1. Review processes for documenting application connectivity
needs
2. Assess gaps between application and network teams relating
to the security and network infrastructure
3. Review processes for decommissioning applications and
related unused firewall rules
4. Examine options for making business owners “own the risk”
and vulnerabilities in their applications
5. Assess tools which provide application-centric approaches to
managing the network security policy
15
Level 4 - Visionary
• Fast and efficient security provisioning of business applications
• Application, security and operations teams are aligned
• Secure decommissioning of applications; removing rules no longer in use
• No application outages due to firewall misconfigurations
• View of risk from the application perspective
16
If you have made this far you should enjoy…
1. Improved application availability – even during a data center migration
2. Faster service delivery
3. Alignment across IT, security and the business
4. Tighter security policies to improve defense against cyber-attacks
5. More time, resources and budget to focus on strategic initiatives
17
Business Applications
Security Infrastructure
Managing Security at the Speed of Business
20
AlgoSec Security Management Suite
Application Owners Security Network Operations
Faster Security Provisioning for Business Applications
Align Teams for Improved Agility and Accountability
Gain Total Visibility and Control of your Security Policy
Firewall Analyzer
Security Policy Analysis & Audit
FireFlow
Security Policy Change Automation
BusinessFlow
Business Application Connectivity Mgmt
Business Applications
Security Infrastructure
The AlgoSec Suite
21
Application Owners
AlgoSec Security Management Suite
Security Network Operations
Q&A and Next Steps
Download the Security Policy Management Maturity Model @ www.algosec.com/maturitymodel
Download the Security Change Management ebook @ www.algosec.com/securitychanges_ebook
Evaluate the AlgoSec Security Management Suite @ www.algosec.com/eval
22
Connect with AlgoSec on:
www.AlgoSec.com
Managing Security at the Speed of Business