Most companies rely on firewalls as a basic element of network security, controlling access to users and application resources to protect the business, but the IT landscape is changing and so must approaches to security. Is there a silver bullet?
The adoption of cloud-based services, advances in next-generation firewall technology, pressure to extend the life of existing firewalls and requirements for tighter compliance with regulatory mandates are challenging even the best security teams.
Not so long ago, firewalls were straightforward and could be managed by IT security teams with tools from the supplier and simple text files. But this is a highly error-prone approach in today’s environment of cloud-based applications, datacentre virtualisation and compliance requirements.
There are several key reasons why things must change, and why the adoption of web-based services has changed how firewalls need to work, said Michael Hamelin, chief security architect at Tufin Technologies.
Granular security and virtualisation
First, cloud-based services require application awareness in firewall rules. “For instance, many organisations use cloud-based services such as Facebook, Google, LinkedIn or Salesforce.com for important business, but these services are not simple sites as they may deliver a mix of hundreds of personal-use and business applications,” Hamelin said.
Most organisations cannot block or restrict traffic for an entire site, preferring to apply a more granular security policy to applications and users. Security teams are now bringing in next-generation firewalls to meet demand for application-level network security. Manual management of much more granular policies is simply not scalable.
Second, the application agility provided by virtualisation technology accelerates the rate of change in firewall rules, said Hamelin. “Applications that used to take weeks to provision in a physical environment are now up and running on a virtual server in a matter of minutes,” he said.
In addition, firewalls themselves are being virtualised, with security having to manage multiple rule sets across firewall virtual machines. The complexity in network security, due to applications launching at the speed of business, underscores the need for automated checking and auditing of changes to firewall rules, said Hamelin.
Could automation prove the silver bullet to complex network security?
Hamelin believes a long-term effect of compliance is that firewall management is now maturing as a standard network security operation. A large part of compliance is about managing the existing infrastructure, with change controls, documented audit trails and segregation of unauthorised users from regulated applications, he said.
“Meeting compliance expectations without increasing administrative burdens is a large requirement for utilising cloud-based services and virtualised applications,” he said.
Security operations teams are learning to adjust to the fact that new and improved technologies bring new and improved challenges. According to Hamelin, in the case of security, they are almost always a function of risk and complexity.
“In other words, there are more of both, and that is why automation matters. But fortunately, the industry is keeping pace, so that automation exists to account for the increased complexity that is introduced by game-changing technologies,” he said.
Automation the security silver lining in complex environments
Automation can be used to maintain visibility and control over network security operations in virtual environments in several ways, said Hamelin.
IT security teams can automate checking of suggested firewall rule changes to ensure the network does not slip out of compliance. This is especially true in virtual environments, said Hamelin, as applications and desktops appear on servers, requiring resources, after the firewall rules are updated. “It may not be obvious that the rule change breaks security policy until after the app executes,” he said.
IT security teams can also automate job ticket workflow to: ensure security, server and network teams remain in synchronisation as firewall rules change; automate coordination of firewall rules with switches and routers to ensure performance and security coverage; and automate network compliance auditing to save time and money.
“Automating network compliance auditing is also smart business. As organisations move data and processing to the cloud, they are still accountable to compliance mandates for controlled access, application segregation and critical data protection,” said Hamelin.
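One way to implement the pre-change check and compliance audit described above, as an added example that is not Tufin's product or code from the article: a proposed rule is tested against a constructed segmentation policy (regulated and untrusted subnets, permitted services) and against the existing rule base before it is applied. The zone map, subnets, rule names and the `check_change` function are all hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # TCP port number as text, or "any"
    action: str  # "allow" or "deny"

# Constructed segmentation policy (hypothetical): regulated subnets may only be
# reached from untrusted space over the listed services. In practice these
# values would come from the CMDB or IPAM rather than being hard-coded.
REGULATED = [ip_network("10.20.0.0/16")]      # e.g. cardholder-data segment
UNTRUSTED = [ip_network("192.168.50.0/24")]   # e.g. guest wireless
PERMITTED_INTO_REGULATED = {"443"}

def net_covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))

def net_overlaps(a, b):
    """True if the two address matches share at least one address."""
    if "any" in (a, b):
        return True
    return ip_network(a).overlaps(ip_network(b))

def touches(match, nets):
    return any(net_overlaps(match, str(n)) for n in nets)

def check_change(existing, proposed):
    """Return policy findings for `proposed`; an empty list means it may ship."""
    findings = []
    if proposed.action == "allow" and (proposed.src, proposed.dst, proposed.port) == ("any", "any", "any"):
        findings.append("any/any/any allow")
    if (proposed.action == "allow" and touches(proposed.dst, REGULATED)
            and touches(proposed.src, UNTRUSTED)
            and proposed.port not in PERMITTED_INTO_REGULATED):
        findings.append(f"exposes regulated segment on port {proposed.port}")
    for r in existing:  # first-match ordering: an earlier, wider rule hides this one
        if (net_covers(r.src, proposed.src) and net_covers(r.dst, proposed.dst)
                and r.port in ("any", proposed.port)):
            findings.append(f"shadowed by earlier rule {r.name}")
            break
    return findings
```

Wire `check_change` into the ticket workflow so a change request with non-empty findings is bounced back to the requester before the firewall is touched, and log the findings as the audit trail for the change.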
While so-called disruptive technologies bring their own sets of business risks along with the advantages, Hamelin believes the pace of security automation is, for the most part, keeping up with the rate of change to enterprise environments.
Firewall management software provides the essential capability to secure the business, while allowing IT to evolve the firewall infrastructure, embrace virtualisation and cloud services, satisfy compliance mandates and automate tasks to reduce operating costs, he said.
“Automation might not be a silver bullet, but when it comes to managing the extra complexity that comes with virtualised environments, it can be a silver lining,” said Hamelin.