Darren Turnbull, VP Strategic Solutions at Fortinet, looks at how smart policies based on user ID or location are the answer to simplifying IT security in an increasingly complicated world.
IT security touches every part of our daily lives. Consider all of the data held on computers, mobile devices, and local and wide area networks that is shared on a second-by-second basis, and the billions of secure global financial transactions happening at the same rate that, for most of us, never cross our minds. In this light, complete protection of this all-encompassing network, and of the information and transactions transferred across it, is essential to a well-oiled, fully functioning financial industry.
In a financial world that demands a secure business-computing environment but insists on ubiquitous connectivity, piecemeal solutions proliferate. However, solving today’s problem in this way will create tomorrow’s nightmare. In today’s world we have created a population of users that expect to gain access across a range of devices and network connections instantly 24/7, 365 days per year. The global financial industry is in a situation where technology shifts, regulatory pressures and changes in user behaviour consistently move the security boundaries. And then there’s remote working, which blurs the line between the workplace and home life with access any time from anywhere being expected. Access to everything, by everyone, from everywhere – securely?
Of course, this evolution hasn’t occurred via a series of carefully planned steps; the speed and variety of change has taken many IT managers by surprise. Reacting to these events has created a multitude of solutions to address emerging or expected problems. It seems as though every new vulnerability creates an opportunity for a new solution, and every new solution creates an opportunity for a new vulnerability. The result can be chaotic: mismatched, overlapping technologies and a raft of hastily assembled rules and policies, all created in the hope that each will work together in defence of the network and support the financial organisation expected to fund this effort. It is the very antithesis of ‘holistic’.
Having created such an environment, it becomes very difficult to let go. You hope you have tamed the tiger, but there’s a chance it will still bite someone. In other words, you hope you have a solution, and you hope it is secure.
Unfortunately, today’s reality sees network management increasingly struggling to achieve truly secure unified access. The escalating number and complexity of security technologies, rules and policies accumulated over time mean financial organisations may struggle to stay abreast of the constantly changing threat landscape. A piecemeal approach is not the way forward because it does not remove previously created policies, risking a complexity that spirals out of control. It also makes the increasingly challenging threat landscape harder to understand, risking, at worst, irreparable security holes.
So, the answer to complexity is not more complexity; the answer is simplification. But where does any business start in untangling the mess and implementing a logical, manageable, sensible and secure solution to policy accumulation?
Managing a large estate of specialised security devices from many different manufacturers is a sure-fire way of multiplying the number of active security policies. In contrast, deploying a suite of complementary systems from the same vendor reduces operating costs by enabling easier and more responsive management with fewer policies, higher performance and better overall security. It also enables network access policies to be integrated with all other security policies. A single operating system across devices is obviously a major benefit in simplifying the management process.
The process of simplifying security policies is challenged by the introduction of application-aware security, a key tenet of next-generation firewall technology. So it is important to apply an application-awareness policy to individual user IDs in one place, and to enforce it throughout the network and across network security functions.
The granularity that arises from running distinct security policies for each different authentication environment may seem a bonus; however, it can be burdensome to security management. But granularity need not be sacrificed: security management can be simplified by obvious tactics such as Single Sign-On (SSO), which conveniently retains context about the user’s location or device.
With this approach to policy enforcement at a unified entry point onto the wired/wireless network, all policies can be determined according to user ID, device type and location.
Runaway policy accumulation will invariably occur where artificial or technology-dictated solutions to wired and wireless network access become entirely separated for management purposes. Where both coexist, wireless is typically the more dynamic environment, carrying similar levels of traffic to the wired infrastructure. For easier oversight and simplified monitoring and compliance, a unified wired and wireless policy will ensure simplicity while still offering both visibility and control. This can be achieved using security appliances such as Fortinet’s FortiGate range, which offers switching and access point management functionality together with integrated advanced firewall protection, VPN connectivity, endpoint and application control, web filtering, antimalware and data loss prevention.
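To make the idea concrete, the following is an added example (not Fortinet’s code and not FortiOS configuration syntax) that models policies keyed on the SSO-supplied user ID, device type and location, evaluates a single unified rule set at the wired/wireless entry point, and flags the contradictory rules that accumulate when wired and wireless policies are managed separately. The rule structure, user names and device names are constructed for illustration.

```python
# Added example, not Fortinet's code or FortiOS syntax: a minimal model of
# ID-based "smart policy" evaluation. Rules are keyed on the SSO-supplied
# user ID, device type and location; one rule set is evaluated at the
# unified wired/wireless entry point; and a check flags contradictory rules
# that accumulate when wired and wireless policies are managed separately.
# Rule fields, users and device names below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MATCH_FIELDS = ("user_id", "device_type", "location")

@dataclass(frozen=True)
class Rule:
    user_id: Optional[str]      # None acts as a wildcard ("any user")
    device_type: Optional[str]  # None acts as a wildcard ("any device")
    location: Optional[str]     # None acts as a wildcard ("any location")
    action: str                 # "allow" or "deny"
    comment: str = ""

def matches(rule: Rule, ctx: Dict[str, str]) -> bool:
    """True if every non-wildcard field equals the context supplied by SSO."""
    return all(getattr(rule, f) in (None, ctx.get(f)) for f in MATCH_FIELDS)

def decide(rules: List[Rule], ctx: Dict[str, str], default: str = "deny") -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    for rule in rules:
        if matches(rule, ctx):
            return rule.action
    return default

def find_conflicts(set_a: List[Rule], set_b: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Rule pairs with identical match criteria but different actions."""
    key = lambda r: tuple(getattr(r, f) for f in MATCH_FIELDS)
    return [(a, b) for a in set_a for b in set_b
            if key(a) == key(b) and a.action != b.action]

# Constructed sample: wired and wireless policies that drifted apart over time.
WIRED = [
    Rule("trader01", "managed_laptop", "trading_floor", "allow", "desk access"),
    Rule(None, "byod_phone", None, "deny", "no personal devices on wired"),
]
WIRELESS = [
    Rule("trader01", "managed_laptop", "trading_floor", "deny", "stale rule"),
    Rule(None, "byod_phone", None, "deny", "no personal devices on wireless"),
]
# Unified set: one rule per (user, device, location), so no contradictions remain.
UNIFIED = [
    Rule("trader01", "managed_laptop", "trading_floor", "allow", "desk access"),
    Rule(None, "byod_phone", None, "deny", "no personal devices"),
]
```

Running `find_conflicts(WIRED, WIRELESS)` surfaces the stale wireless rule for trader01, which is exactly the kind of contradiction that a single unified policy set makes visible and removable.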
Ultimately, we need to make smart, simple policies and reduce the decision-making process – highly important in financial institutions, where security is not only of the utmost importance but expected by end users. Of course you still have a policy set to be concerned about – but it is much easier to handle. Don’t press on with a flawed strategy and an increasingly disparate security infrastructure loosely controlled by a myriad of policies – many of which may contradict each other. Untangle the solution and simplify it. Don’t let policy accumulation and complexity creep become part of the problem. Tame your tiger!
Fortinet has a white paper resource to help security administrators easily and seamlessly implement ID-based ‘smart policies’ across their wired and wireless network infrastructures. Entitled “Making Smart Policies with FortiOS 5”, the white paper shows how organisations can unify access and security policies, apply an integrated, ID-based authentication and authorisation model, and benefit from simplified visibility of detailed real-time data.
“If you can’t explain it simply, you don’t understand it well enough.”