By Alan Zeichick, NetworkWorld, May 26, 2015
"Network security doesn't have to be expensive, and it doesn't have to be complicated. Yes, there are lots of excellent products, service and consultants ready to help improve your network security, and yet that shouldn't be the first place an organization goes to prepare against hackers, insider threats, data loss and malware. Fancy new technologies won't help if you're not focusing on the roots of good cybersecurity. Let's talk about some of the most important questions that people rarely ask about cybersecurity, perhaps because they seem so simplistic.
We all know that it doesn't matter how good a home security system is if someone leaves the garage door open overnight - and a pricey car alarm doesn't help if the keys and clicker are left in the ignition, and the car window's open.
Here are four questions that reflect a foundation of security management. Your answers may help set the foundation of a solid security posture.
1. Are the network's security policies up to date?
Creating a comprehensive security policy can be a nightmare. Endless meetings with stakeholders. Wheeling and dealing between IT and line-of-business management. Striking and re-striking the fine line between approving a policy that's overly broad, and specifying so many minute details that the policy becomes too hard to implement. Not only that, but there are pressures to make policies as broad as possible to provide the least inconvenience to employees (and their managers who don't have patience for such matters).
Like someone who buys a snazzy new smartphone only to see its twice-as-cool replacement announced the next day, once security policies are finished, those policies are almost immediately out of date.
Applications become decommissioned - and yet the application's access ports remain active. New use cases are brought before the IT department. New on-premise applications go online, while some line-of-business departments write shadow contracts with cloud services providers. Are those covered by the security policy? Painful though it may be, security policies must be kept up to date, not only through regular reviews, but also by a process of actively amending the policy before security configurations are changed.
2. Are security configuration changes driven by security policy?
Continuing in that vein, there are myriad areas where security-related configuration changes are applied on a network. Firewalls and Intrusion Detection / Prevention Systems (IDPS) like those from Cisco or Wedge Networks are one area; change management systems like those from AlgoSec or Firemon are another.
There's more to network security, though, than firewalls. Organizations need to configure policies on servers like Oracle or Microsoft Exchange; identity systems including Firebase or Okta; network routers and Wi-Fi access points; Virtual Private Network (VPN) servers, cloud-based applications like HubSpot or Salesforce.com; and of course, on-premise file and application servers.
Beyond routine moves, adds and changes to accommodate new employees or projects, changes to security settings in any of those areas should be policy-driven. When an application comes online, goes offline, or moves to another security zone on the network, the first step should be to document it within the security policy, while checking for conflicts or contradiction. Then, and only then, once changes to the policy are understood and approved, should administrators be allowed to make changes to firewalls, access control lists, Virtual LAN (VLAN) configurations, and so-on."
For the full article, please visit NetworkWorld.com.