Firewall application nightmares for dummies

Enterprise security rarely ranks among the top ten favourite programming-related disciplines for many software application developers, whose main priorities are simply to build, construct, enhance and deploy.

But Security Policy Management (SPM) company Tufin argues that, even where vulnerabilities are locked down, not every enterprise ecosystem needs to be so complex that application deployment is rendered impossible.

The firm insists that tackling the challenge of data risk with an application-centric approach, and particularly being able to juggle the conundrum of firewall management, is the way forward.

Tufin cites a recent survey (presumably its own), which showed that nearly half of all firewall changes are related to application connectivity.

The undeniable truth is that today’s applications have distributed architectures involving multiple servers and communication protocols — and this means that they (typically) support a variety of user roles with different permissions and restrictions.

Another hard truth to swallow is that setting up the network is now one of the more time-consuming and error-prone aspects of application deployment.

The following text is contributed by Jon Miles, regional manager at Tufin and member of the Tufin blogger team as a guest post to the Computer Weekly Developer Network.

When a new application is being deployed, the first problem to be encountered is connectivity: updating access to servers and other components, negotiating individual rules for every firewall on the network and obtaining access.

This can be a nightmare.

The problem for the application owner – which is then handed on to the developer – is that organisations may now have dozens of firewalls and routers with security policies distributed across the whole of the enterprise – and often across multiple sites. The network topology is exceptionally complex, firewall policies include hundreds of rules and the distributed nature of enterprise architectures means that every application can have a different network requirement.

Application owners don’t have the answers that the firewall admins need, so it often means that it is down to the developers to work with the firewall team to enable the applications to be deployed. This means that when things do go wrong the application owner is extremely reliant upon the enterprise security teams to find the correlation between the firewall policies and the application. This can mean major delays in the deployment of the application before the source of the problem is found. It was clear that in order to meet the changing demands of the chief information officer in this increasingly complex infrastructure a new approach was needed.

A new approach

This new approach to making application changes – such as migrating or decommissioning a server – is now easy. Developers simply change the IP address of the server, automatically generating a change ticket. The system then continues the automated process by identifying the relevant rules and designing the required changes. This approach improves visibility with clear, accurate documentation of the connectivity requirements for every application and business service.

Once an application is defined and the tickets are implemented, the developer sees a continuously displayed connectivity status. Developers deploying an application, or the IT team doing it for them, take advantage of advanced technologies including Network Topology Intelligence and in-depth Policy Analysis to monitor security policy revisions in real-time and are alerted to changes that could impact application availability.

When it is time to decommission an application the policy rules that need to be changed or removed can be identified automatically across all affected firewalls and routers, eliminating unneeded access that can lead to a breach or a compliance violation. No more mistake-laden spreadsheets!
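As an added illustration of the rule-to-application correlation the post describes (example code written for this page, not Tufin's product and not part of the original post; the rule format, first-match semantics and the sample policy are assumptions), the script below maps each application's documented flows to the firewall rule that decides them, flags flows a policy revision would break, and lists allow rules that would be left serving nothing but a decommissioned application:

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Assumed rule/flow shapes: src and dst are CIDRs on a Rule (port 0 = any port), host IPs on a Flow.
Rule = namedtuple("Rule", "rule_id src dst proto port action")
Flow = namedtuple("Flow", "app src dst proto port")

def matches(rule, flow):
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto == flow.proto and rule.port in (0, flow.port))

def deciding_rule(rules, flow):
    """First-match semantics: the first rule hit decides the flow (None if nothing matches)."""
    return next((r for r in rules if matches(r, flow)), None)

def connectivity_status(rules, flows):
    """For each documented flow: (is it permitted?, id of the rule that decided it)."""
    status = {}
    for f in flows:
        r = deciding_rule(rules, f)
        status[f] = (r is not None and r.action == "allow", r.rule_id if r else None)
    return status

def impacted_flows(old_rules, new_rules, flows):
    """Flows permitted before a policy revision that the revised policy no longer permits."""
    before, after = connectivity_status(old_rules, flows), connectivity_status(new_rules, flows)
    return [f for f in flows if before[f][0] and not after[f][0]]

def orphaned_rules(rules, flows, app):
    """Allow rules whose only documented users belong to the decommissioned app.
    Rules that decide no documented flow are not flagged: they may carry undocumented traffic."""
    users = {r.rule_id: set() for r in rules}
    for f in flows:
        r = deciding_rule(rules, f)
        if r is not None:
            users[r.rule_id].add(f.app)
    return [r.rule_id for r in rules if r.action == "allow" and users[r.rule_id] == {app}]

# Constructed sample policy and application connectivity definitions (not real data).
RULES = [
    Rule("R1", "10.0.1.0/24", "10.0.2.10/32", "tcp", 443, "allow"),  # web tier -> API server
    Rule("R2", "10.0.2.0/24", "10.0.3.5/32", "tcp", 5432, "allow"),  # API server -> billing DB
    Rule("R3", "0.0.0.0/0", "0.0.0.0/0", "tcp", 0, "deny"),          # explicit cleanup rule
]
FLOWS = [Flow("billing", "10.0.1.20", "10.0.2.10", "tcp", 443),
         Flow("billing", "10.0.2.10", "10.0.3.5", "tcp", 5432),
         Flow("reports", "10.0.1.30", "10.0.2.10", "tcp", 443)]

if __name__ == "__main__":
    print("broken if R1 is removed:", impacted_flows(RULES, RULES[1:], FLOWS))
    print("orphaned after decommissioning billing:", orphaned_rules(RULES, FLOWS, "billing"))
```

R1 is shared by two applications, so decommissioning billing flags only R2 for removal, while removing R1 in a revision would break a flow of each application.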

It is now possible for application teams and network teams to communicate accurately, eliminating the misunderstandings that lead to errors and wasted time.