16 Jun 2009
Three years ago I bought a house in southern Italy. Since then I have been trying to immerse myself in the local culture.
And, believe it or not, I have discovered many similarities between Italy and the challenges faced by security professionals.
For instance, a rule base that has evolved over several years with several vendors’ products and many different security administrators will certainly resemble spaghetti.
When you start pulling on one end you never know what will happen.
Security staff must understand which rules are most used, so that rule ranking closely matches rule use. This matters even more once unused rules and shadowed rules can be clearly identified.
Such classes of rules only add complexity, degrade performance and boost business continuity risk.
In the south of Italy, traffic laws (which by the way are still in the Italian criminal rather than civil code) appear to be mere suggestions – that can be adhered to or ignored depending on the situation.
It is often the same when people are writing or changing IT security rules. We all know that we should include a comment or a clean-up rule but sometimes expediency tempts us to skim past these good practices.
Increasing compliance requirements, such as internal audit reviews, external audit demands such as Sarbanes-Oxley (SOX) or Basel II or industry-specific requirements such as PCI-DSS, are far more costly if IT practices have been undisciplined.
It is of little use spending money to optimise your firewall infrastructure and enable automatic compliance if you do not deal with or stop subsequent non-compliance.
The ability to flag non-compliance to the relevant manager protects your investment, maintains your firewall estate’s performance and ensures cost-free ongoing compliance.
One local Italian habit that I have taken most easily to is sleeping in the afternoon. The opportunity to wind down and take a nap after a nice lunch is a great way to recharge your batteries.
I think this should be a criterion for any new security investment. Ask: ‘Would this new investment let me take a nap in the afternoon?’
It is clear that companies want to remove cost from their firewall administration while adding performance.
Ever-increasing compliance demands must be automated and assured. To ensure ongoing opex reduction and operational efficiency, rule changes should be assessed automatically against an internal or external best-practice standard, and violations flagged to those responsible.
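As an added illustration (not from the column, and not Tufin's product code), here is a small Python checker over a constructed rule base that finds the rule classes discussed above: shadowed rules, unused rules, busy rules ranked below quieter ones, and violations of two of the practices mentioned (a comment on every rule and a clean-up rule at the bottom). The rule format, hit counts and addresses are assumptions made for the example.

```python
from collections import namedtuple
from ipaddress import ip_network

# One rule-base line; top-to-bottom order matters. src/dst are CIDRs or "any", port is a
# TCP port string or "any", hits is the firewall's match counter over the review period.
Rule = namedtuple("Rule", "name src dst port action hits comment", defaults=[""])

def _pairs(e, r): return ((e.src, r.src), (e.dst, r.dst), (e.port, r.port))

def _covers(e, r):          # does earlier rule e match every packet that r matches?
    return all(o == "any" or o == i or (i != "any" and "/" in o
               and ip_network(i).subnet_of(ip_network(o))) for o, i in _pairs(e, r))

def _overlaps(e, r):        # can a single packet match both rules?
    return all("any" in (a, b) or a == b or ("/" in a
               and ip_network(a).overlaps(ip_network(b))) for a, b in _pairs(e, r))

def shadowed(rules):        # (rule, earlier rule) pairs: the later rule can never fire
    out = []
    for i, r in enumerate(rules):
        first = next((e.name for e in rules[:i] if _covers(e, r)), None)
        if first: out.append((r.name, first))
    return out

def unused(rules):          # zero hits over the review period
    return [r.name for r in rules if r.hits == 0]

def misordered(rules):      # busy rules below quieter rules they never overlap with:
    return [r.name for i, r in enumerate(rules)   # moving them up is a safe speed-up
            if any(r.hits > e.hits and not _overlaps(e, r) for e in rules[:i])]

def best_practice_violations(rules):  # what gets flagged to the rule owner
    v = [f"{r.name}: no comment" for r in rules if not r.comment]
    last = rules[-1]
    if (last.src, last.dst, last.port, last.action) != ("any", "any", "any", "deny"):
        v.append("no explicit any/any/any clean-up deny at the bottom")
    return v

# Constructed sample rule base: r3 is shadowed by r1 and has never matched.
RULES = [
    Rule("r1", "10.0.0.0/8", "192.0.2.10/32", "443", "allow", 12000, "intranet to web"),
    Rule("r2", "any", "203.0.113.0/24", "25", "deny", 3, "block mail relay"),
    Rule("r3", "10.1.0.0/16", "192.0.2.10/32", "443", "allow", 0),
    Rule("r4", "10.2.0.0/16", "198.51.100.5/32", "22", "allow", 40000, "admin ssh"),
    Rule("r5", "any", "any", "any", "deny", 900, "clean-up rule"),
]
```

Running the four checks over RULES reports r3 as shadowed by r1 and unused, r4 as a busy rule that could safely move up, and r3 as the one rule without a comment.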
Ciao, amici.
David Aminzade is regional director at Tufin Technologies