‘Have IT your way’: How network security should be like ordering a burger

Joe DiPietro at AlgoSec explores how businesses can improve the IT security/application delivery relationship – by following the example of fast food restaurants.

  • Tuesday, 28th June 2016 Posted 8 years ago in by Phil Alsop
Fast food restaurants are one of modern marketing’s great success stories. With systems honed over decades, the best chains demonstrate remarkably efficient processes, going from customer order to handing over the finished meal in a matter of minutes. Crucially, this automation goes hand in hand with personal, bespoke touches – from the smiling cashier to the option to, as Burger King once announced, ‘have it your way’. No lettice? Extra sauce? No problem.

But while Burger King may have updated its slogan to a more lifestyle-friendly ‘Be Your Way’, the underlying message still stands. Order a burger, and they will deliver it exactly as you want it – while still following a standard, automated, quality and highly efficient process.
Two elements, therefore, work together to make fast food chains so successful. The customizable order – choose exactly what you want, albeit from a set menu of options – and the automated process – a standardized system designed to fulfil every order as quickly and accurately as possible.

It is a model that businesses would do well to emulate when it comes to provisioning application connectivity and network security. Here, harmonizing the bespoke and the automatic – introducing a standardized, technology-driven change process while still adapting to each individual scenario and change request – delivers greater efficiency, fewer errors and outages, and an improved relationship between the security, network and application delivery teams.

The Status Quo
But while this sounds fairly straightforward it’s a process that continues to be challenging for IT teams. Let’s take a look at the current method for provisioning application connectivity and network security and the challenges organizations face in achieving the finely tuned processes that the fast food industry has been delivering for decades.
 
Most security teams follow a similar process when the application delivery team requests a change. First they note the application delivery team’s request. Then they determine which devices are in the path of the change, and then identify the security rules that need altering in order to support the change. And finally they make the necessary changes.  Sounds just like ordering your favorite meal combo, #3 doesn’t it?
But while in theory this sounds pretty straightforward, in practice it’s a lot more complicated. For starters the application delivery guys’ talk in their own application-centric language like .net, java, app and database servers while the security guys understand security ‘speak’ – IP addresses, ports and protocols. As a result, application delivery requests often get ‘lost in translation’.
Second, most enterprise customers have thousands of firewall rules in place on their corporate networks (recently, a prospect told me that they had over two million rules!), making it difficult for the security team to wade through and figure out what to change and how, when implementing a request from the application delivery team.
Third, making changes is risky – a change can inadvertently cause an outage, create a security hole, or a compliance violation. You need to assess the impact of a change before you make it.
So how can a ‘fast food’ model for handing application connectivity changes help?
Choosing from the menu
The process at the fast food restaurant is typically as follows: a customer choses what they want from the menu. “I’ll have a number 3, with Coke, large fries and extra sauce on the burger, please.” The cashier then keys the order into the cash register, which then ‘translates’ it into a work order for the kitchen staff. 
 
The same process should apply when the application delivery team requests a change: the application delivery team makes a request for connectivity between application X and database server Y using MS SQL, which is keyed into the security policy management solution. The security policy management solution then automatically translates it into the right terms for the networking team (i.e. source, destination and service). 
 
Assessing the risk
Next, the cashier takes your credit card and swipes it. In a fraction of a second, the restaurant verifies that it has all the ingredients to provide the meal being purchased, while the bank assures the restaurant that it can be paid for – so there is no risk involved in the transaction. All this happens automatically and quickly so that the next customer waiting in line isn’t held up.
For the IT security team, this is the equivalent of assessing the risk of a proposed rule change. Will it allow risky traffic, create a security hole, violate PCI requirements? If so, the request must be altered. If not, it can be approved for implementation. The security policy management solution should have the visibility and ability to automatically assess the impact and risk of every change before it is implemented.
Preparing your Meal
The next stage in the process is to prepare and assemble the meal.
For the IT security team this means creating an efficient workflow that properly handles the process of making the change. The first, “preparation”, step is to identify all the ‘ingredients’ – the firewall and router devices in the path that require a security policy change to satisfy the application change request. This is no easy feat, even for small and medium networks, let alone Fortune 500 customers, and it can take many hours to complete manually. However a security policy management solution will do this automatically.
 
Once the devices have been identified, we can then start to “assemble” the meal. This means identifying which rules need to be added, or how they need to be modified, and where they should be inserted, and then automatically implementing the changes onto the relevant devices.  Again, since most large organizations have thousands of firewall rules this process can be an extremely time consuming and complex – unless you use a security policy management solution, such as AlgoSec’s, to do this automatically.
 
The final check
At the end of the process the food is bagged and the cashier does a final check to make sure the order is right. Extra sauce? Check. Coca Cola? Check. Large Fries? Check.
Again, this final verification check should be performed automatically by the security policy management solution to ensure that everything the original stakeholders’ requested has been implemented correctly and completely.  This means that no unexpected outcomes have jeopardized the business’s security posture like adding “any” service vs the original “MS SQL” request which would allow application X to access the database server Y with all protocols. This would be a huge security risk!
Having it your way
By using a security policy automation solution, organizations can remedy many of the pain points that exist between application, network and security teams, to transform security policy change management into a streamlined process that resembles the production line at fast food restaurant, enabling everyone to have it their way, while transforming the business to become more competitive.