As enterprises turn to network segmentation to limit exposure, a new crop of security and operational problems is being added to the IT risk equation.
Segmenting the network has piled on more internal network firewalls than ever; with the constant flux in application and network configuration, it’s not unheard of for enterprises to manage hundreds of thousands, or even millions, of firewall rule settings on a daily basis.
“No human can look at that and know what the firewall is doing. Nobody can get a good feel for what traffic it’s actually controlling,” said Jody Brazil, president and CTO of Firemon, a firewall management firm. “All of a sudden, you started with a technology to limit risk, but you no longer know what risk that it’s controlling.”
Consequently, the act of segmentation that some enterprises have turned to for hardened security is actually introducing misconfiguration risks — and even raising the potential for breaking revenue-generating applications critical to the business.
The issue was highlighted at the RSA Conference 2013 in San Francisco, when firewall management vendor Tufin Technologies released the results of a survey showing how shortcuts in manual firewall management processes are taking their toll on IT operations.
In an odd twist, Tufin’s survey of 200 administrators reported 62 percent said their firewall-rule change management processes put them at risk of a breach. According to firewall management experts, today’s highly segmented networks, the addition of next-generation firewalls, and the necessary coupling of firewalls with specific application-centric network zones have pushed these tools well beyond their initial perimeter defense objectives.
This deficiency has particularly wreaked havoc in the highly dynamic applications world. According to Tufin’s survey, 33 percent of organizations make 100 or more application-related firewall changes a month. Approximately 55 percent of all organizations said their application connectivity management processes might create unnecessary IT risk. And 47 percent said application-related rule changes did or may have resulted in a breach. This tracks with a statement from Gartner last fall that through 2018, more than 95 percent of firewall breaches will be the result of firewall misconfigurations.
But not only are these firewall management woes increasing the chances of data breaches and exposures, they’re also slowing down operations in the application delivery life cycle.
According to the Tufin survey, 42 percent of respondents track application connectivity changes through the comments section of the firewall rule base, and approximately one in six organizations don’t even track these changes at all. This is causing downtime and disruption in many critical applications throughout the enterprise. Seventy percent of survey respondents experience application service disruptions up to 20 times per year due to firewall configuration changes.
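As an added example (not code from the article or from either vendor named in it), the following Python audit shows the kind of automated check that replaces reading a large rule base by eye. It assumes a constructed first-match rule format and a constructed CHG-nnnn ticket convention in rule comments, and it flags rules that an earlier rule already fully covers (so the later rule never fires) and rules whose comment carries no change ticket.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed rule-base format (an assumption, not any vendor's export); first match wins.
@dataclass
class Rule:
    name: str
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst: str         # destination CIDR
    proto: str       # "tcp", "udp" or "any"
    ports: tuple     # inclusive (low, high) destination port range
    comment: str = ""

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    proto_ok = a.proto in ("any", b.proto)
    ports_ok = a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    return src_ok and dst_ok and proto_ok and ports_ok

TICKET = re.compile(r"\bCHG-\d+\b")  # constructed change-ticket convention
def audit(rules):
    """Flag rules an earlier rule already fully covers, and rules with no ticket."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                # same action: dead weight; different action: the later rule never fires
                kind = "redundant" if earlier.action == rule.action else "conflict"
                findings.append((rule.name, f"shadowed by {earlier.name} ({kind})"))
                break
        if not TICKET.search(rule.comment):
            findings.append((rule.name, "no change ticket in comment"))
    return findings

# Constructed sample rule base: r2 intends to block a lab subnet but r1 already allows it
RULES = [
    Rule("r1", "allow", "10.1.0.0/16", "10.2.0.10/32", "tcp", (443, 443), "CHG-1042 web tier"),
    Rule("r2", "deny", "10.1.5.0/24", "10.2.0.10/32", "tcp", (443, 443), "CHG-1100 block lab"),
    Rule("r3", "allow", "10.1.5.0/24", "10.2.0.10/32", "tcp", (443, 443), "added by admin"),
    Rule("r4", "allow", "0.0.0.0/0", "10.2.0.0/24", "any", (1, 65535), "CHG-0900 temp access"),
]

if __name__ == "__main__":
    for name, message in audit(RULES):
        print(f"{name}: {message}")
```

The "conflict" finding is the one that matters most for risk: the deny in r2 was written and ticketed, but because r1 matches first it never takes effect.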