Subscribe
About

Policy accumulation and complexity creep

Companies struggle to respond effectively to the changing threat landscape.

Perry Hutton
By Perry Hutton, regional director of Fortinet for Africa.
Johannesburg, 11 Jul 2013

The world has become a mass of users that expect to gain access across a range of devices and network connections instantly. Remote working blurs the line between the workplace and home life, with access any time from anywhere being expected. Access to everything, by everyone, from everywhere - all of it securely?

In a world that demands a secure business-computing environment, but insists on ubiquitous connectivity, piecemeal solutions proliferate. However, solving today's problem in this way will create tomorrow's nightmare.

Of course, this evolution hasn't occurred via a series of carefully planned steps. Instead, the speed and variety of change has taken many IT managers by surprise. Reacting to these events has created a multitude of solutions to address the emerging, or expected, problems.

Fragmented

It seems as though every new vulnerability creates an opportunity for a new solution, and every new solution creates an opportunity for a new vulnerability. The result can be chaotic with mismatched, overlapping technologies, and a raft of hastily assembled rules and policies. All of this created in the hope that each will work together in defence of the network and support the business expected to fund this effort. It is the very antithesis of 'holistic'.

Unfortunately, today's reality sees the network management of most organisations struggling to accomplish a truly secure unified access. The escalating number and complexity of security technologies, rules and policies accumulated over time, means many organisations are unable to respond effectively to the changing threat landscape.

The piecemeal approach is leaving organisations ever more vulnerable as rules are constantly added to security devices (but seldom removed), resulting in a complexity that is spiralling out of control. Administrators find it increasingly challenging to understand the security regime they are implementing, and are under impossible time pressures to troubleshoot emerging problems. Within this chaos, the risk is that security holes are opening up.

So, the answer to complexity is not more complexity; the answer is simplification. But where does a business start in untangling the mess and implementing a logical, manageable, sensible and secure solution to policy accumulation?

Converge and conquer

Managing a large estate of specialised security devices from many different manufacturers is a sure-fire way of multiplying the number of active security policies. In contrast, deploying a suite of complementary systems from the same vendor reduces operating costs by enabling easier and more responsive management with less policies, higher performance and better overall security. It also enables network access policies to be integrated with all other security policies. A single operating system across devices obviously will be a major benefit to simplifying the management process.

Simplifying security policies is further challenged by the introduction of application-aware security, a key tenet of next-generation firewall technology. So, it is important to apply an application-awareness policy to individual user IDs in one place, and to enforce it throughout the network and across network security functions.

The answer to complexity is not more complexity; the answer is simplification.

Indeed, even though the granularity that arises from running distinct security policies according to each different authentication environment may seem a bonus, it can be burdensome to security management. But granularity need not be sacrificed and security management can be simplified by the use of obvious tactics such as single sign-on, which conveniently retains context about the user's location or device.

With this approach to policy enforcement at a unified entry point onto the wired/wireless network, all policies can be determined according to user ID, device type and location.

Runaway policy accumulation will invariably occur where artificial or technology-dictated solutions to wired and wireless network access become entirely separated for management purposes. Where both co-exist, wireless is typically the more dynamic environment, with similar levels of traffic as the wired infrastructure. For easier oversight as well as simplified monitoring and compliance, a unified wired and wireless policy will ensure simplicity, while still offering both visibility and control.

Ultimately, organisations need to make smart, simple policies and reduce the decision-making process. Of course they still have a policy set to be concerned about - but that one is much easier to handle. Don't press on with a flawed strategy and an increasingly disparate security infrastructure loosely controlled by myriad policies - many of which may contradict each other. Untangle the solution and simplify it. Don't let policy accumulation and complexity creep become a part of the problem.

And always keep in mind that making the simple complicated is commonplace; but making the complicated simple is ingenuity.

Share