Algosec how to avoid business outages from misconfigured devices final
-
Upload
maytal-levi -
Category
Technology
-
view
139 -
download
1
Transcript of Algosec how to avoid business outages from misconfigured devices final
TOPICS COVERED TODAY
• Understanding the problem: misconfigured network devices
• Typical change control processes
• The Gap between Business and IT Security
• Data center migration
2 | Confidential
Firewall Breaches
5% Vulnerabilities
95% Misconfiguration
THE BALANCING ACT
Security
Agility
Prevent Cyber Attacks
Firewall Breaches
Data Center Automation5% Vulnerabilities
95% Misconfiguration
THE BALANCING ACT
5
Security
Agility
Prevent Cyber Attacks
Enable Business Applications
Resource Time to Provision
Server Minutes
Storage Minutes
Security Access Days/Weeks
8 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
• Allow Web Server with IP address of 100.77.28.98 to access databases on the 100.77.28.32 network for banking application
100.77.28.98
Database Servers on100.77.28.32 network
9 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
• Router Access Control List (ACL) security statements
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 eq 1433
name 100.77.28.98 WEBSRV
10 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 eq 1433
name 100.77.28.98 WEBSRV
• WEBSRV is a single host or IP address
11 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 eq 1433
name 100.77.28.98 WEBSRV
• DBCLIENT is a single host or IP address
• Accessing network 100.77.28.32
• 255.255.255.224 is a subnet mask
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 eq 1433
12 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
name 100.77.28.98 WEBSRV
• Database Service (Microsoft SQL Server) on port 1433
13 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
name 100.77.28.98 WEBSRV• Subnet Mask with 27 bits
• 255.255.255.224 => 224
http://www.subnet-calculator.com/
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 eq 1433
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 eq 1433
14 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
name 100.77.28.98 WEBSRV• Subnet Mask with 27 bits
• 255.255.255.224 => 224
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 eq 1433
15 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
name 100.77.28.98 WEBSRV• Subnet Mask with 27 bits
• 255.255.255.224 => 224
• 255.255.255.224 means host IP Address from 100.77.28.33 to 100.77.28.62
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.240 eq 1433
16 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
name 100.77.28.98 WEBSRV• Subnet Mask with 27 bits
• 255.255.255.224 => 224
• 255.255.255.240 means IP Addresses100.77.28.33 to 100.77.28.46
• What happened to 100.77.28.47 thru 100.77.28.62?
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.240 eq 1433
17 | Confidential
HOW CAN A DEVICE BE MISCONFIGURED?
name 100.77.28.98 WEBSRV
• One change from 255.255.255.224 to 255.255.255.240 prevented access to more than half of the devices on that network
HOW CAN A DEVICE BE MISCONFIGURED?
• With 1,000’s of entries, can you find the error in this ACL list to figure out why the web server can’t talk to the database server?
access-list dmz2_acl permit tcp 100.77.28.64 255.255.255.224 64.46.252.0 255.255.255.0 eq 1400access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.240 neq 1433access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1900 1901
HOW CAN A DEVICE BE MISCONFIGURED?
• With 1,000’s of entries, can you find the error in this ACL list to figure out why the web server can’t talk to the database server?
access-list dmz2_acl permit tcp 100.77.28.64 255.255.255.224 64.46.252.0 255.255.255.0 eq 1400access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1900 1901
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 neq 1433access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1900 1901
HOW CAN A DEVICE BE MISCONFIGURED?
• With 1,000’s of entries, can you find the error in this ACL list to figure out why the web server can’t talk to the database server?
access-list dmz2_acl permit tcp 100.77.28.64 255.255.255.224 64.46.252.0 255.255.255.0 eq 1400access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1900 1901
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 neq 1433access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1900 1901
What’s wrong? It’s not the subnet mask this time…
HOW CAN A DEVICE BE MISCONFIGURED?
• With 1,000’s of entries, can you find the error in this ACL list to figure out why the web server can’t talk to the database server?
access-list dmz2_acl permit tcp 100.77.28.64 255.255.255.224 64.46.252.0 255.255.255.0 eq 1400access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 100.77.28.96 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.4 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.5 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp host 100.77.28.9 64.46.252.0 255.255.255.0 range 1900 1901
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 neq 1433access-list dmz2_acl permit tcp 64.46.193.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.194.0 255.255.255.224 64.46.252.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1600 1601access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.64 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.96 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 100.77.28.32 255.255.255.224 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.193.0 255.255.255.0 range 1900 1901access-list dmz2_acl permit tcp 64.46.252.0 255.255.255.0 64.46.194.0 255.255.255.0 range 1900 1901
Another typo…
neq means “not equal to”
HOW CAN A DEVICE BE MISCONFIGURED?
access-list dmz2_acl permit tcp host WEBSRV 100.77.28.32 255.255.255.224 neq 1433
• The web server can not access the database on port 1433…
• What does this mean from a security perspective?
• The web server can access ANY OTHER SERVICE on that network!! FTP, ACTIVE DIRECTORY, SHARING, SSH, FINGER, etc• over 65,000+ ports are available
• ONE SIMPLE “n” OUT OF PLACE!! neq
22 | Confidential
PROCESSES ARE NEEDED FOR CHANGE CONTROL
• Many customers have processes for firewall change control
• How quickly can it happen?
• Can you verify the change?
• What is a typical process?
• Do you have good separation of duties?
23 | Confidential
SECURITY DEVICE CHANGE CONTROL PROCESS
• Understand and map your enterprise infrastructure topology before you make a change
• Proactively assess the impact of a change to ensure it does not break connectivity, affect compliance or create a security hole
• Avoid common mistakes when making changes to your network security devices and firewalls
• Monitor all changes in case there is an outage. You can easily reverse the newest implemented change if necessary
• Translate business requirements into the network and security policies that are implemented on firewalls
24 | Confidential
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
25 | Confidential
Plan
Approve
ImplementValidate
Close
Request
1 2
3
4
6
5
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
26 | Confidential
Plan
Approve
ImplementValidate
Close
Request
1 2
3
4
6
5
In some cases, “Recertify”… but that’s a topic for another day
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
27 | Confidential
Plan
Approve
ImplementValidate
Close
Request
1 2
3
4
6
5
• Identify what devices need to be changed
• In our example, there are three devices• CheckPoint• Juniper• AWS Server
• How did we know?
VISIBILITY INTO THE PLANNING STAGE
• We understand the topology of the network and the security policies associated with the devices in the path
28 | Confidential
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
29 | Confidential
1 2
3
4
6
5
• Always perform a risk check BEFORE you approve
• Understanding the risk during the approval phase gives you a chance to “replan” the change or deny it if it will cause undue risk to the environment
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
30 | Confidential
1 2
3
4
6
5
• During the implementation phase consider how to insert the new security rule into the device’s current policy• Add a new rule?• Modify an existing rule?• Create new objects?• Automatically document the rule change
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
31 | Confidential
1 2
3
4
6
5
• In this case we automatically calculated that we need to add the service to an existing rule• This is because 2 of the 3 items match an existing rule:
source IP & destination IP
• It documented the ticket number for compliance requirements so you don’t have to!
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
32 | Confidential
1 2
3
4
6
5
• Check the request and validate it is implemented correctly before notifying stakeholders
• Was the original request implemented:• In good working order for the entire path,
so the requester does not ask for the same information again!
• Exactly as requested?• With an overly permissive rule (ie. “any”
vs https service)
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
33 | Confidential
1 2
3
4
6
5
Need to figure out why the change was not
implemented correctly
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
34 | Confidential
Plan
Approve
ImplementValidate
Close
Request
1 2
3
4
6
5
Is there a chance that someone did not follow the process because of an emergency or “break
glass” situation?
Be careful to validate the rule changes if it’s a break glass situation
4
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
35 | Confidential
1 2
36
5
The new rule will allow the traffic through the firewall correctly….However….
4
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
36 | Confidential
1 2
36
5
The object names are different to the original request…
Now you have two objects that have the same IP addresses…Rule and Object Cleanup takes time
4
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
37 | Confidential
1 2
36
5
• Before closing:• Ensure work done matches
tickets
• Check for change request ticket mismatch
4
Plan
Approve
ImplementValidate
Close
Request
TYPICAL SECURITY DEVICE CHANGE CONTROL PROCESS
38 | Confidential
1 2
36
5
Now that we have a good process implemented, let’s
try to align business and security more effectively
GAP BETWEEN BUSINESS AND IT SECURITY
39 | Confidential 39 | Confidential
Now we’re talking!!
I hear you…
GAP BETWEEN BUSINESS AND IT SECURITY
• A simplistic summary of the Business and IT relationship:1. The business created value for customer’s and has stored this data in
databases and allowed users to access the data via applications2. IT maintains the infrastructure to support the data (databases) and
applications. 3. IT Security maintains secure access to data and applications so these assets
don’t compromise the value of the business• Without 1, 2 & 3 above, a business would not exist
• Applications provide a vehicle to create additional value for their customers
• Applications and “data” MUST be secure and maintainable• Application developers and database administrators request security
infrastructure changes as business requirements adapt to new customer and market demands
• The security change management process has to improve - just like provisioning a web or database server. • It only takes minutes now…
40 | Confidential
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
• The current challenge is that Information security talk a different language than application developers and database administrators (DBA’s) who are requesting application changes
• Security architects must bridge the gap between a secure business application and operational disasters
• How many organizations can document their business applications so the security team has a prayer in understanding how their applications works?
41 | Confidential
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
• The diagram to the right can bedynamically created to help document how the applicationinteracts with the network infrastructure
• Provides Security Architects with a communication vehicle to start the conversation
• Dive one level deeper and understand the security
42 | Confidential
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
• Have you been asked this question: Why is this application not working?
43 | Confidential
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
44 | Confidential
The Firewall is blocking it…
• Have you been asked this question: Why is this application not working?
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
45 | Confidential
The Firewall is blocking it…
Where?
• Have you been asked this question: Why is this application not working?
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
• Why is this application not working?
46 | Confidential
Rule 53, of course…
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
• How to fix the issue now?
• The application team provisions the request
• Information Security “understands” the application request
A SIMPLE DIAGRAM WILL DO….PLEASE!!!
• How to fix the issue now?
• The application team provisions the request
• Information Security “understands” the application request
• All the risk check will be presented to ensure swift resolution to the problem
• The plan is created and implement as described from the ticket lifecycle previously
48 | Confidential
Problem Solved
SYNERGIES BY COMMUNICATIONS
• The ability to describe applications in a simpler terms helps create a communication vehicle for understanding
• Business owners can identify how their applications are impacted by security
• Security can help business owners understand risk• The application has a risk score of 65
49 | Confidential
SYNERGIES BY COMMUNICATIONS
• The ability to describe applications in a simpler terms helps create a communication vehicle for understanding
• Business owners can identify how their applications are impacted by security
• Security can help business owners understand risk• The application has a risk score of 65• There are 5 scanned servers and 6 servers “undefined”
50 | Confidential
SYNERGIES BY COMMUNICATIONS
• The ability to describe applications in a simpler terms helps create a communication vehicle for understanding
• Business owners can identify how their applications are impacted by security
• Security can help business owners understand risk• The application has a risk score of 65• There are 5 scanned servers and 6 servers “undefined”• Do you have a current method to understand the risk for each
component of the entire application?
51 | Confidential
SYNERGIES BY COMMUNICATIONS
• The change control process can happen with much greater speed and efficiency by allowing the application team to submit change requests in their language• Please decommission my application…
• Security: No problem
52 | Confidential
SYNERGIES BY COMMUNICATIONS
• I can’t decommission these rules, because it will break Help Desk, Email and Domino Server applications!!
53 | Confidential
….But…
DATACENTER AND/OR CLOUD MIGRATION MOTIVES
• Upgrade capacity
• Save money – server consolidation
• Mergers and acquisitions to combine resources
54 | Confidential
DATA CENTER (DC) MIGRATION
• Requirements for DC • Complete inventory of what needs to move
• Official and “unofficial” equipment• Discover the hidden assets via the security policy
• New hardware and IP address schemes• Change Firewall Rulebase for transition connectivity• Migrate IPs in DNS servers• After migration is complete, decommission original application
• Planning• What if analysis
• What applications are using these servers?• What applications are impacted by these firewalls?• What applications are vulnerable to these security issues?
55 | Confidential
AUTOMATE THE SECURITY POLICY MIGRATION
• Use a project to understand what tasks are completed
• Open up new change control tickets and have the system automatically “plan” and “implement” the changes for greater speed and efficiency
• Decommission the original applications when completed
56 | Confidential
CUSTOMER PHILOSOPHY IS CHANGING
• We currently see connectivity requests being manually planned, assessed, designed and implemented• This needs to change…..and quickly!
• How do you manage these 1,000 security change requests?
• Customers are moving to agile development & deployment
• The Internet of Things is impacting service expectations
• We are required to intelligently automate as much of the change process as possible
• The bottom line is that security needs to dramatically improve change responsiveness with zero errors at a lower cost!
57 | Confidential
SUMMARY
• Misconfigured devices can cause outages and security breaches
• Use automation and validation to help reduce human errors
• Help application developers and information security understand each other by automatically documenting applications and translating security policy rules into flows that everyone can understand
• Use “projects” to help accelerate data center migration security policies so that it will be completed on time!
58 | Confidential