Fuel recently presented, “How to Expand Your Network Security Policy from Next-Gen Firewalls to Cloud Instances,” hosted by Ofer Or, vice president of products at Tufin. Here, Ofer dives deeper on some of his key takeaways and gives advice on what security professionals can do to make sure their networks are always secure.
During the webinar, you talked about four main challenges that security professionals face today (Security Visibility Challenge; The Automation Challenge; The Heterogeneous Network Challenge; and The Application Challenge). Can you talk about these a little more and give a recommendation on how professionals can work through these challenges successfully?
Many security managers lack an accurate view of their network security posture. The number and diversity (old and new) of security technologies running in the network make it hard to understand what the current security posture is and how it compares to the desired security level. Without visibility, there is no way to analyze and enforce cyber-resilience and regulatory compliance. There’s also no way to plan changes and troubleshoot connectivity issues. The way to address this challenge is by using a single console with unified management for the different vendors and platforms.
When working with a diversity of security systems, manual changes are time consuming and error prone. Automation is a clear need for keeping up with business agility and avoiding human errors, but automation in itself may still introduce security risks when used with no control. To maintain control and align changes with the security and compliance policies of the organization, I recommend automating changes while doing risk analysis, accurate change planning and implementation verification.
Enterprises are expanding their network beyond physical infrastructure and investing more and more in cloud (private and public clouds) and SDN technologies. Security enforcement becomes more challenging because these technologies introduce a new security models (for example: security groups and micro segmentation vs. firewall rules and ACLs). This becomes especially challenging for managing the connectivity and security of applications that span across physical infrastructure and hybrid cloud. My recommendation would be to leverage an abstraction layer that hides the complexity of the different models, allowing you to manage security policy and connectivity across heterogeneous environments from a single console.
Finally, many security professionals are tasked with supporting application connectivity requirements without really understanding how they translate to network security policy. A high-level abstraction layer that translates application connectivity requirements into network and security policy change can clarify the impact of application connectivity needs on the network. Similarly, it can clarify the impact of network security changes on mission critical applications.
What do you think is the biggest error security professionals make as they work to move applications to the cloud?
To start with, I believe having security professionals involved in transitioning applications to the cloud is extremely important. In many cloud migration projects, the security team is the last to be involved. Once security professionals are part of the transition, they should make sure they understand the application connectivity requirements and make sure that the new deployment maintains these connections while assuring security and compliance are not compromised.
One of your key pieces of advice during the webinar was for security professionals to think about how they want their network to work and then compare that to what is in place. Why is that important and how often should they be doing that?
Identifying the gaps between the desired security policy and the actual security policy is the first step in truly understanding your organization’s security posture. Many security professionals do periodic reviews to try to identify these gaps. The problem with doing a periodic review is that because of the ongoing changes happening to the network, the review results become obsolete the moment the review is over. The best approach is to do ongoing checks that assess any network and security change and compare it to the desired policy as part of the change process. This way, you can make sure that any change that violates the organization’s desired policy is fully reviewed, approved and documented.
How has the security industry evolved since you began your career?
I began my career in the security industry in the late 1990s. In those days, people didn’t really understand the cybersecurity risks, the security folks were those weird guys from IT and having a firewall and an anti-virus meant you were secured. The organization’s boundaries were clear and defining a security policy was relatively simple.
Today, cybersecurity awareness is everywhere. Cyber-attacks are happening on a regular basis and are discussed in boardrooms and C-level executives. Newspapers everywhere are posting cyber-attacks stories on the front pages, and even my parents are aware of cybersecurity threats. Staying secure now involves multiple technologies for detection, prevention, analysis, orchestration and more. The mobile evolutions and BYOD trends make organization’s boundaries ever-changing and increase the organization’s attack surface.
Despite the huge evolution in the security industry, some things remain the same. To be better secured, you need visibility and control across your networks, your security technologies and your applications. Basic security concepts like segmentation have evolved into things like micro or nano-segmentation, but the concepts remain the same.
What is your advice on how professionals can stay abreast of the constant changes that happen in throughout all aspects of the security field?
I keep up to date with media and analyst publications, as well as industry events. Your colleagues and peers are also a great source of information. You are not alone and many of the problems you’re facing today are problems facing your colleagues and peers. Talking and exchanging ideas is probably the best way to collectively learn from each other’s experience.