Kyle Wickert, Lead Solution Architect of Product & Deployment at AlgoSec, discusses why organizations need to start adopting an application-centric approach to security management.
The traditional approach to security management starts from the point of view of infrastructure and firewalls. It focuses on placing perimeter protections around the entire network. It leads with security tools, rules and policies. This approach has served enterprise organizations well over the years. However, today, IT security teams’ are stretched beyond breaking point. They are spending their valuable time ‘keeping the lights on’ – manually maintaining existing systems, sifting through countless security alerts trying to thwart the latest cyber attack, and making device configuration changes – changes which are inadvertently causing outages and security holes.
If security is truly going to protect the business while enabling it, something needs to change. This means taking an application-centric perspective to security management.
An application-centric approach shifts the security focus from the security tools and processes themselves, to the applications they are designed to enable, and thus ensures that security serves the strategic needs of the business. It asks questions like ‘what does this application do?’, ‘who needs access to this application?’ and ‘how critical is this application for generating business revenue?’ and manages security policies from this perspective. For example, security should be able to identify and map critical applications and their respective traffic flows, and then associate them to vulnerabilities. This allows risk mitigation efforts to be prioritized based on business needs and the association of particular risks with the business’ bottom line.
As a strategy, I believe an application-centric approach to security management is the future of corporate cybersecurity management, because it integrates security with business operations and strategy, rather than treating it as an add-on or wrap-around. Nevertheless, the shift to application-centricity can seem huge, mainly because organizations are struggling to address three key concerns around the process of adopting this approach: specifically organizational maturity, resources, and executive buy-in.
Are we mature enough for an application centric approach?
It’s certainly true that a minimum level of technology and network visibility is required to move to an application-centric approach. But maturity isn’t an ‘on/off’ quality – rather, it’s a scale. While ‘immature’ businesses (from a security management perspective) use entirely (or almost entirely) manual security policy change processes, have very little in the way of network visibility, and no application visibility, the most ‘mature’ businesses, by contrast, incorporate an application approach to security policy management that includes application connectivity mapping, highly automated change processes, and live network and application visibility across on premise, SDN and cloud environments. Most businesses are somewhere in between.
Preparing to move towards an application-centric approach is usually as simple as moving a little bit further up the scale, which means gradually mapping application connectivity and building a more comprehensive picture of network visibility. Most businesses are already collecting the information required, perhaps by capturing firewall changes as they are made, for example. Moving further up the maturity scale is about creating unified, centralized ways of collecting and tracking this information.
How much resource will it require?
Too often, IT teams still believe that the effort required to generate these levels of visibility is simply too great, in spite of the tremendous benefits to be gained. However, as outlined above, most companies do already have some level of documentation in place for their application connectivity. It is often located in multiple disparate places and stored in multiple formats, and it’s nearly always out-of-date – yet collating what already exists is a far easier task than creating it from scratch. Particularly because there are plenty of automation tools available to do to the collating for you. A solution that intelligently discovers and maps applications and their connectivity flows automatically provides IT teams with enhanced visibility of their applications and security policies – without prior knowledge or expertise.
How can business leaders be engaged in the project?
The final challenge is securing leadership buy-in – and here, many IT teams believe that business managers simply won’t be interested. But the key is in how to frame the issue to them.
IP addresses and networking parameters aren’t terms that many business leaders are interested in, or even understand. Instead, discussions around application-centric security should focus on how it gives business leaders a ‘real life’ view of security risks and regulations, and how they relate to actual business functions. They should focus, too, on how business leaders will consequently be able to instantly understand which applications are working, which require connectivity changes to function properly and, most importantly, which are introducing risk to the network or are at risk from cyber-attacks.
This speaks to three key board priorities. First, it gives the board a clear, easily understandable picture of IT security, free of jargon and clearly mapped onto business processes. Second, it links directly to their key concerns of cyber risk, and third, ties directly to business productivity and agility. In turn, IT security gains a more prominent (and deserved!) voice at board level.
By framing it in this way, it becomes apparent that an application-centric approach to security policy management will help drive the business rather than hinder it. The endgame of taking an application-centric approach to security management is a more secure, more agile business, with a real security policy management ROI.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.