Security Is from Mars, Application Delivery Is from Venus

Thursday, July 14, 2016

Nimmy Reichenberg


Men Are from Mars, Women Are from Venus by John Gray was one of the best-selling nonfiction books of the 1990s. It asserts that men and women essentially come from different ‘planets’, and need to seek out greater understanding of each other’s wants, needs and ways of thinking in order to cooperate better in relationships. In addition to providing great advice for romantic partners, I think it can also offer some important lessons to the world of corporate IT.

Let’s take a look at one of the book’s key sentences: ‘If I seek to fulfil my own needs at the expense of my partner, we are sure to experience unhappiness, resentment and conflict.’ This could easily refer to the relationship in most businesses between the security team and the application delivery team - they are key business partners and they need to work together for the organization to run smoothly.

Yet their relationship is all too often characterized by a lack of communication and cooperation. To solve this problem, we need to carefully examine what each side of the partnership wants from the other – and then, how to fulfil those needs.

So, what does security want from application delivery?

Broadly, there are three main things that security teams want from application delivery teams:

  • Clarity of business needs. Security wants application delivery to state what they need in terms of security and connectivity, and to state it in advance. Crucially, these requirements need to be communicated in a language that the security team actually understands and can implement.
  • Visibility of business needs. Security wants to understand what application delivery is working on, how those applications need to communicate with each other, and how they might put the overall network and data at risk.
  • Assurance. Whenever the application delivery team is making or requesting changes to network access, the security team needs to make sure that these changes don’t cause any additional risk. So the security team wants assurance that (a) the connectivity requested is secure; (b) this connectivity is compliant; and (c) good governance is being supported, with a clear record of who did what, when, where and why, so that if an auditor comes along, we have answers to all these questions.

What does application delivery want from security?

There are three key things the application delivery team wants from the security team:

  • Agility. The number one complaint we hear from app delivery teams in regard to IT security is that they want things done now. Yet it often takes days, or even weeks, for crucial network changes to be processed by security.
  • Availability of services. Nothing frustrates the application delivery team more than when the security team creates an outage due to, for example, a firewall misconfiguration – they want their applications up and running now.
  • Impact analysis ahead of changes being made. If a security policy change is going to slow down, or bring down an application, the delivery team wants to know about it in advance, so it can make the relevant adjustments.

How are we doing now?

Unfortunately, as in any relationship, neither side always gets exactly what it wants. One of the most common complaints about the application delivery team’s requests of the security team combines lack of clarity with unrealistic expectations: ‘You don’t know what ports you need open and for which IPs, but you need it by yesterday?’ And things aren’t any better for the application delivery team. On their side, the most commonly heard complaints relate to repeated availability problems: ‘The new firewall policy is blocking my application – for the third time this week!’

Statistics to support these complaints range from Gartner’s discovery that 99% of firewall breaches are the result of misconfigurations, rather than flaws, to our own survey results (PDF), in which we discovered that eight out of 10 organizations suffered an outage from a misconfigured firewall rule.

A Cloudy Future

Migrating to cloud and SDN environments is adding even more stress to this relationship. In the cloud, a server can be set up practically instantaneously – which means that security teams are expected to process network changes at the same ‘speed of cloud’. From a security perspective, however, there is limited visibility and control as to what goes on in the cloud. Additionally, there are now various cloud security tools available to non-security teams, which application delivery teams can tinker with in a way they can’t in an on-premise environment. No application delivery professional would ever think of buying and installing a firewall on premise, but they might consider implementing cloud-provided security groups, and this may well upset the IT security team.

Aligning the stars

Now more than ever, it’s vital that organizations work to bring security and application delivery closer together.

First, businesses need complete, continually updated visibility of connectivity requirements across their entire environment - on premise and cloud. This requires a single pane of glass through which both teams can see what the other has and what is needed, and can check that everything is enabled, operational and secure at all times. Such visibility allows the two teams to speak the same language, to use terminology that effectively communicates their needs and requests to the opposite side.

Second, security teams need to embrace automation when it comes to change processes. This is the only way to deliver the accuracy and agility that application delivery needs, and as cloud and SDN environments become more commonplace, it’s becoming increasingly urgent.

Third, security teams need to take a proactive approach to risk analysis, as well as analyze and effectively communicate risk from the business application perspective to all the stakeholders in terms that they understand.

Fourth, security teams need to ensure continuous compliance. Today, when network changes are happening at breakneck speed, a twelve-month compliance cycle no longer works. Therefore you need to proactively ensure compliance every single time a network change is made.

How do we achieve all this? Security policy management supports all these needs, delivering a single version of the truth coupled with intelligent automation that is so crucial if security and application delivery are to work together effectively. After all, we all live on the same planet and should live together in harmony.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.
