Is having a security policy in place nine-tenths of the law?

Most large organizations maintain a detailed corporate security policy document that spells out the “dos and don'ts” of information security. Once the policy is in place, the feeling is of having achieved “nine-tenths of the law,” that is, that the organization is in effect “covered.” This is a dangerous misconception: much as in the world of law and order, creating the law is fundamental, but implementing and enforcing it is what prevents chaos.

Policy ignorance doesn't exempt
Recent studies have shown that most employees, including IT staff, are often unaware of corporate security directives or even tend to ignore them. Ignorance of corporate policy, or a simple inability to implement and enforce it, can leave networks wide open to major security breaches. Such breaches are not only costly to fix, but can also ruin a company's reputation. Allowing the security policy to become a white elephant is just not an option.

This is easier said than done. For security administrators, implementing the corporate policy on the ground is a complex and extremely time-consuming job. It starts with translating the guidelines into hundreds and even thousands of rules on a multitude of security devices. Dozens of configuration change requests come in every day, and administrators are required to manually check every one to make sure they don't break the corporate policy.

It's not surprising, therefore, that IT managers ignore policy directives that make the difficult job of implementing change requests even more difficult.  A conscious decision may not have been involved; the security managers may simply be unaware that a certain configuration change is against the policy and there is nobody around to sound the sirens. This results in major differences between the corporate policy and the actual security setup on the ground, and it's no simple task for security officers and auditors to bridge the gap.

“We have more than 100 firewalls around the world,” says Eli Beker, Security Officer at Comverse, a leading provider of software and systems for communications service providers. “Every day, several different teams of outsourced firewall administrators handle a list of dozens of change requests. Making sure our corporate security policy is followed can be like chasing a moving target.”

Enforcement difficulty
Beker is not alone. Corporate security officers today are coping with a growing list of challenges that make it harder to get their jobs done. Here are a few examples:

  • Security risks. Because reviewing firewall rules is such a labor-intensive and time-consuming job, most companies do it only periodically. This means that there is a lag between the implementation of policy and its verification, which in the meantime leaves the door wide open to attacks. Administrators must find a way to become proactive – to identify and fix security holes as soon as they occur.
  • Business continuity. Firewalls today do not only stop intruders; they also govern access to external resources such as banking services, newsfeeds and disaster recovery. This external access is typically governed by creating firewall and VPN rules. When a security administrator implements a new configuration change to the firewall, there is a risk of shadowing those special rules and disrupting business continuity. Downtime to critical information sources can cause serious financial damage and loss of reputation.
  • Many administrators on different sites. Global organizations employ diverse teams -- with different working cultures and skill sets -- in multiple time zones. Somewhere, in one of your branch offices, it's the end of the day and a tired administrator, anxious to get home, is rushing through a change or putting it off until Monday. Security officers need a way to standardize policies so that they are implemented in the same way on every site.
  • Regulatory compliance. Most organizations are required to comply with one or more government or industry standards (SOX, PCI-DSS, HIPAA, etc.). Audits are usually performed at the end of the quarter, with auditors combing through thousands of changes looking for anomalies. This process is a huge drain on resources.
  • Multi-vendor environments. As a result of consolidation, mergers and acquisitions, and technology upgrades, many organizations cope with multi-vendor environments with different types of rule-bases and management tools. Executives, auditors and regulators lack a top-down view that shows whether the corporate meta-policy is being enforced, regardless of the specific platform.

Automated solutions
Given the scope and complexity of network security operations today, it is clear that while most security administrators have the best of intentions, manual policy analysis and periodic audits are neither efficient nor effective. They are also more expensive: administrators are spending more and more of their time on manual, repetitive tasks rather than on strategic objectives.

By enabling continuous policy enforcement, automated solutions can transform the audit process into a routine report that demonstrates compliance with regulations. In addition to removing a significant security risk, automated solutions also result in substantial savings of time and resources, since security teams often spend weeks preparing for and following up on external audits.
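
As an added illustration (not code from the article or from any product), the sketch below shows the kind of check an automated tool runs on each change request before it reaches a firewall: does the new rule allow a flow the corporate policy forbids, and does it shadow a business-critical rule placed after it? The rule model, rule names and addresses are constructed for the example, and it assumes a first-match, IPv4-only rule base.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    port: Optional[int]       # None matches any port
    protected: bool = False   # business-critical access that must keep working

def _nets(r):
    return ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)

def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    (o_src, o_dst), (i_src, i_dst) = _nets(outer), _nets(inner)
    return (i_src.subnet_of(o_src) and i_dst.subnet_of(o_dst)
            and outer.port in (None, inner.port))

def overlaps(a, b):
    """True if at least one packet can match both rules."""
    (a_src, a_dst), (b_src, b_dst) = _nets(a), _nets(b)
    return (a_src.overlaps(b_src) and a_dst.overlaps(b_dst)
            and (None in (a.port, b.port) or a.port == b.port))

def review_change(rulebase, new_rule, position, forbidden):
    """Findings for inserting `new_rule` at `position` in a first-match rule base."""
    findings = []
    if new_rule.action == "allow":   # an allow must not open a flow the policy forbids
        findings += [f"policy violation: {f.name}" for f in forbidden if overlaps(new_rule, f)]
    for later in rulebase[position:]:  # rules pushed below the new one
        if later.protected and later.action != new_rule.action and covers(new_rule, later):
            findings.append(f"shadows protected rule: {later.name}")
    return findings

# Constructed sample data: documentation address ranges, hypothetical rule names.
RULEBASE = [
    Rule("bank-vpn", "allow", "10.1.0.0/16", "203.0.113.10/32", 443, protected=True),
    Rule("dr-replication", "allow", "10.1.20.0/24", "198.51.100.0/24", 873, protected=True),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
FORBIDDEN = [Rule("no-telnet-to-db-zone", "deny", "0.0.0.0/0", "10.1.50.0/24", 23)]

if __name__ == "__main__":
    changes = [(Rule("block-outbound", "deny", "10.1.0.0/16", "0.0.0.0/0", None), 0),
               (Rule("vendor-telnet", "allow", "0.0.0.0/0", "10.1.0.0/16", 23), 2),
               (Rule("partner-api", "allow", "10.1.30.0/24", "192.0.2.5/32", 443), 2)]
    for rule, pos in changes:
        print(rule.name, "->", review_change(RULEBASE, rule, pos, FORBIDDEN) or "OK")
```

Run on every change request, a check like this closes the lag between implementation and verification, and its findings double as the audit trail.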