Firewalls Need to Be Managed in Context of an Overall ROI Framework - Page 2

Steve Gold

Taking it Further

Once you have established a security ROI framework -- and if you have completed the process effectively -- you will, hopefully, begin to see the scale of the potential problem: If your organization's IT security defenses are not up to scratch, you could go out of business.

But let's not be too pessimistic. Good management is all about managing change and adversity and, according to Ariel Avitan, an analyst with Frost & Sullivan, the main issue with firewall technology is that most firewall vendors only manage their own products.

"This means that you need a good overlay and firewall-management system that handles multiple firewalls, as well as interfaces with third-party applications," Avitan said.

"Following this route will free you from the stranglehold, if that is the right word, that firewall vendors frequently exert on their clients. This isn't deliberate, of course, it's just a development of the technical complexities that firewalls now engender," he added.

According to Avitan, businesses also should be mindful of the compliance needs of their organization, especially with regard to the PCI-DSS rules that now affect the majority of online businesses and that are being phased in on all businesses that accept payments by card.

The problem, says Avitan, is that it is always difficult to keep a handle on the regulatory issues and compliance requirements, no matter what industry you are in.

This, he explained, is what makes firewall ROIs something of a no-brainer in large enterprises. The cost of not implementing a multiple firewall strategy, with allied overlays and controls, he says, is just too great for most major companies to ignore.

"One advantage of going down the firewall ROI process," he said, "is that you can usually also clean up your management-control processes, as firewall ROI analysis helps to focus the corporate mind on such matters."

This is where security lifecycle management technology enters the management frame, as this technology is designed to address the continuous configuration requirements for firewalls and related security infrastructure.

Security is, Avitan says, something of a moving target, because configuration changes must be made regularly to keep up with the business.

And to minimize risk and control costs, it is necessary to manage change over time.

In this context, he says, it is highly desirable to automate the process of implementing a change request to a firewall, since the process is usually a combination of many tasks that are in most cases manual, unclear and time consuming.

Swisscom IT Services is one of Switzerland's leading IT service providers. In 2007, it came to the realization that it was not in full control of its firewall operations when an external annual audit resulted in several high-risk findings. Much of the ongoing security planning, design, maintenance and supervision work at Swisscom relied on manual documentation. This was an inaccurate and inefficient process that ultimately led to a high-risk situation with the potential for security breaches that Swisscom could not tolerate. This prompted an immediate search for a solution that would address the following:

  • Reduce time required to plan and implement policy changes.
  • Allow administrators to pinpoint the exact change that caused a network incident.
  • Guarantee the correct implementation of all rule-base changes throughout Swisscom's 150 firewalls.

The Solution

After a rigorous competitive analysis, Tufin SecureTrack was deemed the best solution for Swisscom as it ensured the success of all future annual audits and fully met its need for comprehensive policy analysis and change tracking. In use, SecureTrack offered the administrators the ability to detect, monitor, audit and assess any configuration change to the firewall policy and indeed drill down on a large number of firewalls from all of the leading vendors and perform a deep inspection on the rule base.

This ability, says Avitan, is a key advantage for any IT department that wants to understand and control its firewall environment.

For Swisscom, Tufin's SecureTrack provided complete visibility into all rule bases throughout Swisscom's firewall operations. Gone were the days of manually reviewing firewall logs. With SecureTrack's complete display of each rule and object, the design team was able to easily check whether a proposed rule already existed or whether some of its requirements were already covered by other rules. This eliminated rule overlap and resulted in overall improvement of firewall performance. By implementing the product, the time required to plan and implement changes was reduced by half, and flawless configuration of new rules and rule changes was ensured. This saved countless man hours, as well as shortening the response times considerably.
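The check described above, whether a proposed rule already exists or is already covered by another rule, can be sketched as follows. This is an added example, not SecureTrack's code or anything from Swisscom; the `Rule` fields, the first-match evaluation order and the sample rule base are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # inclusive (low, high) destination port range

def _within(inner: str, outer: str) -> bool:
    """True if CIDR `inner` lies entirely inside CIDR `outer`."""
    a, b = ip_network(inner), ip_network(outer)
    return a.version == b.version and a.subnet_of(b)

def covers(existing: Rule, proposed: Rule) -> bool:
    """True if every packet `proposed` matches is also matched by `existing`."""
    return (
        existing.proto in ("any", proposed.proto)
        and _within(proposed.src, existing.src)
        and _within(proposed.dst, existing.dst)
        and existing.ports[0] <= proposed.ports[0]
        and proposed.ports[1] <= existing.ports[1]
    )

def review(rule_base, proposed):
    """Classify a rule that would be appended to a first-match rule base.

    Only full coverage by a single rule is detected; partial overlaps and
    coverage by a combination of rules are not analysed here.
    """
    for rule in rule_base:
        if covers(rule, proposed):
            # Same action: the request is already satisfied (redundant).
            # Opposite action: the new rule would never take effect (shadowed).
            verdict = "redundant" if rule.action == proposed.action else "shadowed"
            return verdict, rule.name
    return "new", None

# Constructed sample rule base (documentation and private address ranges).
RULE_BASE = [
    Rule("r1-web", "allow", "tcp", "0.0.0.0/0", "192.0.2.0/24", (443, 443)),
    Rule("r2-admin-block", "deny", "any", "198.51.100.0/24", "10.0.0.0/8", (0, 65535)),
    Rule("r3-db", "allow", "tcp", "10.1.0.0/16", "10.2.0.0/24", (5432, 5432)),
]

if __name__ == "__main__":
    req = Rule("req-ssh", "allow", "tcp", "198.51.100.7/32", "10.2.0.5/32", (22, 22))
    print(review(RULE_BASE, req))
```

A "shadowed" verdict is the one that matters most in change review: the request would be implemented and documented as done, yet the earlier rule would still decide the traffic.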

"We now have an unprecedented amount of visibility and control over firewall operations that I just can't imagine life without," says Michel Müller, senior network security engineer. "We already had tight processes in place, but the automation SecureTrack introduced provided us with an overall snapshot of the state of our firewalls that enables us to operate in a much more agile, proactive and strategic manner. We accomplish more in less time, with full confidence that we are operating in a secure, compliant fashion and can achieve a ROI."

Frost & Sullivan's Avitan adds, "By automating the organizational change-management process, a good firewall-management solution can form the centerpiece of an effective firewall ROI analysis such as it has provided for a company such as Swisscom."
