Avoiding Security Policy Accumulation

By Stefanie Hoffman | October 31, 2013

These days, IT complexity is a way of life - and something that most have come to accept as normal.

Let's face it: it's well established that the typical enterprise user relies on a multitude of devices throughout the work day. These devices continuously exchange information from numerous locations while using application data across hybrid cloud infrastructures. As a result, organizations are perfecting a precarious balancing act: providing seamless, unified access while dodging the headaches associated with duplicated and contradictory security policies.

And that's no small challenge. Fortinet researchers maintain that the exponential rise of security rules and policies accumulated by organizations is also preventing them from responding effectively to a maelstrom of new and sophisticated threats on the security landscape.

Here's why: organizations add security rules on a regular basis but seldom remove them, creating a myriad of disparate and often contradictory security policies over time. Consequently, security administrators have more difficulty understanding the security rules they are implementing, which opens up unintended holes down the road and leaves organizations vulnerable to attack.

With that in mind, here are a few tips gleaned from Fortinet researchers in the white paper "Making Smart Policies with FortiOS 5," aimed at easing complexity and minimizing cumbersome security policy "accumulation":

Enforce Application Awareness:

The process of simplifying security policies is often thwarted by application-aware security. As such, organizations need the ability to attach individual IDs to users, IDs that remain with them throughout their tenure at the company and can be enforced across all network security functions.

Implement Single Sign-On:

Running a multitude of authentication mechanisms will also place an undue burden on a security environment. One way to alleviate that added complexity is to apply a Single Sign-On (SSO) function that will also retain valuable information about the user and the device.

Unify Wired and Wireless Visibility and Control:

Not surprisingly, the amalgam of wired and wireless network access contributes to runaway policy accumulation. Where both co-exist, organizations should create user-centric policies when integrating both platforms, which in turn will ease governance and simplify monitoring and compliance in both environments.

Streamline Network Security:

Inevitably, a plethora of disparate security systems will compound network complexity while creating untold headaches for IT administrators. Instead, organizations should focus on deploying suites of complementary systems sourced from the same vendor. The result will be more responsive management due to fewer policies, higher performance and generally more robust security. It will also help enable the integration of network access policies with all other security policies.

Focus Smart Policies By Users and Devices:

IT environments these days consist of various combinations of iOS, MacOS, Windows, Android, RIM, Unix, Linux and Ubuntu platforms - all of which require differentiation and represent an enormous drain on management time and resources. But among other things, applying an SSO approach to policy enforcement at a unified ingress point onto the wired/wireless network helps streamline the wide array of policies by defining them according to user ID, device type and location.
