In my previous post on the security policy management maturity model, we examined what an Emerging organization (level 2) looks like. Steps to automate security policy analysis and audits were implemented, but the security policy was only optimized, compliant, etc. at a point-in-time, because changes continue to introduce risk and policy bloat.
In my previous post on the security policy management maturity model, we examined level 1, or the Initial level, which means you're either not managing security policies at all or are at an extremely basic level that is fully manual. If you took some of the tips to heart regarding policy analysis automation, then you may now be at Level 2, or what we refer to as an Emerging organization.
In my first post on the Security Policy Management Maturity Model, I highlighted the challenges of network and security complexity and dynamic business requirements that must be addressed by IT in order for the business to remain competitive. In the forthcoming blogs, I’ll dig into each level of the maturity model and not only examine what each level means in terms of your organization’s environment, but also provide some tips for moving up the ladder and the benefits for doing so.
Does the following scenario sound familiar? Your network complexity is getting out of hand with too many firewalls, routers, switches, secure web gateways and more, as well as the related security policies. New network security devices with more granular and different types of controls have recently been or are being deployed in the network. At the same time the business is putting more demands on you to manage "ASAP" with requirements changing regularly. You don't have proper visibility of the security policies, compliance audits are a major burden, you can't keep up with all of the changes and you can't possibly know the impact of a security change or risk to a application that is critical to the business.
If you have been following AlgoSec and our blog, you probably have noticed an evolution in our strategy. From our work with some of the world’s most forward-thinking companies (with extremely complex networks and processes), we have recognized that security infrastructure is not just about security. Firewalls, routers and web proxies exist first and foremost to enable the business, and the critical applications that power it, to function properly. Recognizing and understanding the challenge of managing security policies in data centers and corporate networks, we have evolved our strategic vision to focus on enabling organizations to manage security at the speed of business. What does this mean?