In previous posts I have explained what Security Policy Orchestration is, why DevOps folks should care, and how it can help facilitate the cultural change necessary for organizations to reap the long-term benefits of the cloud and virtualization. In this post, I’ll provide a few examples of how Security Policy Orchestration can create some “quick wins” – wins that create common ground between Security, Dev and Ops, and set the stage for higher profile wins with significant business impact.
As infrastructure becomes increasingly complex it gets harder to decipher. In software we call this Readability – it determines our ability to support the code over time and to ensure security. The same concept applies to networks – the more complex they are, the harder it is to use them, maintain them and ensure security.
The primary value of Security Policy Orchestration is providing a holistic view of the infrastructure. It “sees” the entire network and creates an index, which enables network administrators to perform quick queries across their environment providing “needle-in-a-haystack” search capabilities. While it might seem obvious, gaining visibility into the environment is a very powerful tool that can deliver huge benefits, especially when the environment is complex and subject to constant changes.
Let me give you a few use cases:
Audits: As my security brethren know, preparing for an audit can take weeks (if not months). However, once the network infrastructure is indexed, meaning you have structured records of the network elements (devices, interfaces, routes, security rules…), the kind of documentation required for security audits for PCI, SOX, NERC, and other regulations is literally a few mouse clicks away. Imagine finding all applications flows involved in a PCI flow in one click, or, even better, through a REST API call.
Many of Tufin’s large enterprise customers report that their internal audit requirements are more stringent and time consuming than external compliance mandates, and require customized reporting, which they often have to script themselves. Policy Orchestration solutions enable them to be much more agile – to the point where security no longer becomes a “showstopper.“
A successful and effective audit (one that actually improves security) requires a collaborative approach across Dev and infrastructure – having the needed data at hand ensures agility, which is crucial for embedding this into the continuous process.
Server Migration: Many enterprises and service providers are currently tasked with server migrations to virtual data centers or cloud environments. The challenge they face is identifying the talkers, connections and protocols that are needed to maintain connectivity and business continuity. Firewall policies are often the best place to find this information because their important role in “attaching applications to the network”. However, it’s a labor intense task. Even if you have only 10 firewalls, with a few hundred rules and a thousand objects, identifying the flows is going to take a while. Now multiply that by 100 migrations per month – it’s virtually impossible.
However, once you automate the process, it becomes quite easy. With change automation in place, all you have to do is click “Find”, or, even better, call an API, and you will know the flows immediately.
Application Deployment: As most DevOps.com readers are (likely) well aware, when an Application team needs a connection opened to say, an LDAP database, they open a ticket with a business request: “I need to connect server A to LDAP database B.”
It’s the network guy (or gals) job to translate that request into a set of IP addresses that plot a secure, efficient network path that connects the database to the application. A week or so later, the requisite changes are made, and voilà, the application can leverage the LDAP database. Or not, and then the network team needs to re-trace its steps and figure out what the problem is.
The above process, in many organizations, is a loose one, usually conducted via email, and between people who don’t often traverse the same orbit.
Add human error into the equation – a mistyped or incorrectly documented IP address, and you end up with re-dos, which everyone hates because they are time consuming and in complex network environments can be impossible to trouble shoot manually.
Ask any network manager – reducing (if not eliminating) re-do’s is an impressive feat that offers substantial efficiency gains. It’s also worth noting that without automation it is really, really hard to properly risk assess proposed changes. In worst-case scenarios, an insecure network connection becomes apparent after something bad has happened. But why wait for something bad to happen before innovating? Bring security into your next network virtualization initiative at its onset – I promise you, you won’t be sorry.
DevOps folks are likely familiar with the idea of abstraction, but it is still a relatively new concept in network security circles. When applied to network change management, Abstraction separates business logic from the technology underpinnings of network infrastructure, and allows Operations teams to translate higher-level application language into terms they can use to enable underlying network services. In scenarios like the above, the ability to automate this process can not only deliver huge efficiencies and create a much more collaborative dynamic between application, network and security teams.
Hopefully, these examples build the case for how Security Policy Orchestration can be leveraged to deliver some quick wins. Of course, organizations that commit to deeper and wider change reap greater benefits. However, as my Co-founder, Tufin CEO Ruvi Kitov likes to say, you have to crawl before you walk, and walk before you run. So in my next post, I’m going to explore why security people are so weary of automation, and how to get around that, in hopes that Security, Dev and Ops teams can all walk together.
