For many security professionals, time to focus on a strategic security strategy can feel like an elusive “luxury” as hours are consumed with manual tasks or requirements. Whether determining how to overcome the security skills shortage or ensuring consistent security policies across multiple vendors and technologies, the day-to-day tasks add up and the hours slip away. It can be frustrating.
One of the significant obligations of security teams is the need to prove and maintain business or industry compliance. When you frame compliance in terms of access and network security policies and how they are managed, it’s important to understand the fundamentals upon which decisions need to be made:
- What is driving the compliance requirement?
- How should the compliance standard be interpreted?
- What’s required to prove compliance and how to ensure compliance through the year?
- How do I maintain continuous compliance in a changing technology landscape?
After assessing the cornerstones of your compliance requirements, it’s critical to understand how these apply to your organization. For most enterprises, maintaining and controlling a secure compliance posture involves hybrid and fragmented networks where standards must be enforced across apps and workloads (e.g., containers, serverless functions), public, private and multi-cloud environments, as well as network platforms and infrastructure devices (e.g., multi-vendor firewalls, routers, SDN environments, etc.). Without a view of “what talks to what and who talks to whom,” security teams can spend countless hours configuring security rules across disparate interfaces and configuration points. Even after gaining visibility, the actions required to maintain compliance can become all-consuming.
When you start to automate the provisioning, approvals and enforcement of security policies in accordance with business or industry compliance requirements, you start to see the real power of automation. Decision-making can be automated to allow network or access changes in accordance to defined security policies. In this way you can ensure these changes are compliant with whatever security standard you need to comply with before implementing the change. Some security policy management providers even offer out-of-the-box template for regulatory standards such as PCI-DSS, HIPAA, GDPR, NIST, NERC CIP, ECB and more. While these may be customized, they provide a significant advantage in ensuring policies are compliant and aligned across on-prem, cloud and multi-cloud environments.
So, how does automating security policy management help you address compliance challenges?
Automation can simplify audit preparation and reporting
While visibility across your heterogenous network may start with a topology map of access and connectivity, it can be extended to see all changes that occur across your environment. With the introduction of automation, granular audit trails for access, rule, or policy changes help drive ad-hoc compliance analysis and a view into remediation trends. Thanks to automation, TransUnion is automatically generating a report instead of spending 20-24 hours per audit. Monext claims to have cut their audit time in half.
Automation can monitor and control your security compliance posture
After implementing security policies in accordance with requirements, the monitoring of changes becomes key to continuous compliance. Defined security policies become the standard against which decisions are made.
Let’s say access to your financial reporting tool is requested by a member of your finance team. If your policies indicate that access is compliant based on identity, role, location, of other characteristic, the approval can be automated. (And, if integrated with your ITSM, the change can be processed immediately.) However, if you would like to review all access requests to the finance reporting tool, the request can be flagged for manual review. The inherent flexibility can maintain the defined security posture without forgoing the efficiency that comes with automating repetitive tasks.
For one of the world’s largest banking organizations, automation helped them prepare for audits by to performing daily rules reviews against their risk standards. The reduction of backlog from up to 12 months to a single day seems almost inconceivable. (Yes, a whole year of time saved!)
Automation can ensure continuous compliance across multi-vendor, hybrid environments
Once compliance is established and monitoring is in place, security teams want to ensure their security guardrails extend beyond current environments to include future technology choices. Whether those choices involve network controls, apps, or workloads across on-prem, hybrid or cloud, centralized visibility and control of security policies can help maintain a compliant security posture based on defined policies and workflows—for today and tomorrow.
While security will never become “set and forget”, working with a security policy management solution can help security teams manage the complexity of compliance across heterogenous environments. Monext, for example, was able to reduce complexity, audit efforts and the number of firewall rules (by up to 20%) within only 3 months.
The automation of security policies is long overdue. Not only can it assist security teams in regaining control of redundant tasks, ensuring compliance and ensuring the secure adoption of new technologies, it provides the opportunity to focus on strategic initiatives to keep the enterprise more secure.
Security Automation series authored by Ofer Or, VP of Products, Tufin
As Vice President of Products, Ofer Or is responsible for leading Tufin’s product strategy. With over 20 years of experience in high-tech and network security, Ofer has an extensive background in developing innovative products which have had a profound market impact. Previously, Ofer served as Director of Research & Strategy at Tufin.