Agility is one of the core objectives of most digital transformation projects underway in enterprises. Agility speeds up time-to-market. It also makes the enterprise more responsive to the changing business environment. But security considerations often come in the way of agility. Many enterprises, cutting across size and scale, struggle to make the trade-off between security & agility.
Old-school security approaches such as checklists and reviews are out of place in the agile ecosystem. Here are the ways to reconcile agile with security considerations.
1. Adopt a unified and integrated approach to security
The best approach to reconcile agility with security is to embed security into the software or process. Using security to block much-needed business changes is self-defeating. But so is using agile to bypass essential controls.
Most businesses lack a unified security policy to tackle the vulnerabilities in a complex network. Some security installations, such as firewalls, increase the complexity.
Agility is akin to pressing the accelerator or shifting gears. In such a scenario, security resembles the breaks. Security becomes obstructive when it becomes an external layer, such as a speed hump. Integrating security protocols into the system makes it operate in sync, just like accelerators and brakes work in unison.
Integrating security into agile processes and workflows requires:
- Heralding a cultural change to make security everybody’s business. Make system analysis, developers, and testers responsible for security.
- Backing up the cultural shift by providing training and spreading awareness on security.
- Integrating security requirements in system design and the development process. Build, implement, and validate security controls in each phase of the development lifecycle.
- Determine the impact of security controls on users upfront rather than reacting to the impact.
- Ending the silo or isolation of the development team and security team. Successful businesses develop cross-functional teams with members from different departments or functional areas.
- Deploying powerful tools such as Tufin that ensure compliance and audit readiness, at all times.
According to the EY 2020 Global Information Security Study, only 36% of enterprises involve the cybersecurity team when planning a new business initiative. About 77% of cybersecurity spending is reactionary or defensive. The overriding approach to security is mitigating risk and ensuring compliance. There is no serious approach to seeking synergy between security and business needs.
2. Enable ticket-based system
In an agile system, enterprise users change processes or configurations often. A resilient network empowers users with self-service options. But often, there is no workaround to approaching enterprise IT to make changes.
The best agile networks enable a ticketing system to process such changes. Routing the process through an end-to-end ticketing tool:
- Makes it easier to apply automation protocols. Network admins no longer have to identify the right tool. The automated system uses the correct tool and fulfils the user request fast. The admin only exercises supervisory oversight.
- Improves traceability. The network admin may assign specific tasks to specific users. They may fix timelines and port deadlines to gather the information needed to perform the change.
3. Improve network visibility
Security is often the main reason business-driven changes take a long time. Most applications today have dependencies and inter-linkages. Making changes involves tweaking multiple policy enforcement points and reconfiguring firewall rules. Ignoring the spillover effect of such changes could introduce vulnerabilities or risk an outage.
Manual discovery of interdependencies is a time-consuming and error-prone task. The solution is to automate application-driven visibility. A good network visibility tool:
- Offers complete insights and control over on-premises, cloud-native and hybrid cloud environments. A dashboard view of application workflow reduces human error.
- Visualises application workflows, including connections and devices. Network admins and other enterprise users may easily understand everything the application communicates.
- Tracks sensitive data, such as where it resides or where it traverses. Such information is the basic prerequisite before applying data security controls.
- Identify the rule sets that control access to the application and how the proposed changes will affect the application.
- Track potential traffic or connectivity issues.
- Evaluate the current compliance status with policies across the enterprise firewalls and routers.
A good tool such as Tufin pinpoints the devices and associated rules that need change. Admins get visibility into the security controls across the diverse on-premises, hybrid, and multi-cloud landscape. They may manage security policies centrally, and easily orchestrate cloud migration or enforce security protocols in DevOps pipelines.
4. Automate security policies for change requests
Network engineers struggle to keep up with the pace of new technology adoption. Most IT security employees struggle to manage critical business applications. A big reason is the increasing volumes of critical business applications. In a recent AlgoSec survey, about 45% of respondents had to manage 11 or more change requests every week. Processing each change request usually involved a full day’s work.
Also, network admins often do not have access to all the information needed to make changes. Searching for the resources makes the change time-consuming and error-prone. Consider the common user request to access multiple network locations. To grant such access, the admin has to change firewalls, switches, routers, user groups, and security groups. Manual changes cause errors and inaccuracies and may compromise security big time.
Automating security policy enforcement overcomes such issues. This entails
- Integrating network topology information into change design.
- Establishing a central store of rules and policies and policy enforcement engine.
- Running policy enforcement scripts, integrated to the workflows.
- Placing target selection, risk analysis, and policy configuration on auto-pilot.
Automation enables making informed, accurate decisions. Automating security policies reduces risk, improves accuracy, and speeds up change. It also empowers the work-team and promotes job autonomy. Complete visibility coupled with automation reduces the time needed to change from days to hours. It delivers 50% to 75% time and effort savings.
Success stories abound. Applying automation helped Slovak Telecom reduce the average time to implement change from one week to a single day. RWE, the German energy giant, reduced the change implementation time from six to eight days to just six hours.
There are several tools that enable automated policy enforcements. Tufin’s integrated security policy automation technology works on a zero trust approach, and automates end-to-end security across hybrid enterprise infrastructure.
Most enterprises underestimate the value of automation. Automating critical business application management saves time and enhances security. Managing change through automation reduces the impact of security management. It makes security an enabler rather than a restrictive force.