Bringing networking and security together through network automation
The past ten years have seen a proliferation of increasingly complex network devices. Coupled with the recent rise in adoption of BYOD policies, mobile working practices, virtualisation and cloud services, the challenges faced by the modern network – from provisioning and configuring, to handling the mounting numbers of day-to-day requests – are greater than ever before.
For example, years ago, a new service request required a hole to be punched in a single firewall. But, today’s multi-layer approach means that ACLs and rule changes not only affect firewalls, but also integrated routers and switches. When multiple vendors are thrown into the mix, the challenges rapidly start to skyrocket.
The complexity of today’s networks is a challenge, but it is also leading to a new dynamic in IT organisations: a blurring of the boundaries.
Blurring the boundaries
The roles of those responsible for protecting an organisation’s IT network infrastructure have, historically, been clearly defined, with security teams managing the firewalls and network teams managing the routers and switches. But as networks are becoming bigger, broader, and more complex, security teams and networking teams are collaborating, passing tasks from one team to the other.
Collaboration is a good thing. But, the downside is that security teams or networking teams individually are not likely to have the specialised knowledge or experience necessary to carry out these “blended” tasks. Involving networking teams in changing rules and ACLs, for example, can take a considerable amount of time and involve a significant risk of error. This risk is further increased when you consider that the networking team is highly unlikely to be familiar with the various subtleties and nuances in syntax used by different vendors.
Security teams, on the other hand, often set internal policies governing best practices that will impact the network team. Challenges and frustration can grow if the network team does not have the expertise or time to implement the actions required of it, and the security team might not be given the auditing information it needs to verify that these actions have been carried out correctly. In addition, due to a potential lack of knowledge, the networking team might be unable to deliver the proof points needed by the security team.
Frustration and challenges
So not only can this situation cause companies costly delays and put networks at risk, it also introduces new tensions for the teams concerned, changing their internal relationships.
We met a security practitioner at an industry tradeshow recently, who told us that he is responsible for his company’s firewalls and ACL rule changes, but that most requests these days require changes to both the firewalls AND the integrated routers. While he can make the changes to the firewalls, he can’t touch the routers, as that’s the job of the network team, and he can only give them the requirements in the hope that they are implemented correctly. And, should something break, the company has different teams with different skills trying to figure out what went wrong.
It might be time then to consider the actions that IT team leaders ought to take in order to help restore the balance between the two teams. Ideally, of course, each team would have all the necessary training and expertise it needed to enable it to work across multiple vendors – to understand their individual syntaxes, and the nuances between network and security devices.
However, this isn’t likely for most organisations.
We would suggest therefore that companies should consider automated network control as a means of reducing the risks, saving time and alleviating the inter-departmental stresses brought about by this situation.
Automating the network
At its most basic, successful network security control depends on knowing what is connected and how it is configured.
In organisations where a high volume of firewall changes is required, automation means that security staff are able to analyse these changes wherever they’re required. They are then able to automatically test and provision these changes across the network, saving considerable time compared with the previous process of applying rules individually on separate devices. And, where multiple vendors are involved, there is a significant reduction in the need for specialist knowledge of each vendor’s unique syntax, which will give both the networking and security teams a far better understanding of what is required.
Network teams will have the ability to make firewall policy changes quickly in one place, and distribute these changes to multi-vendor devices, which not only reduces the time and effort required, but also eliminates the need to make changes to individual devices.
By reducing the level of specific knowledge required by the networking teams, while still maintaining their understanding of the task in hand, automation will enable both teams to make cohesive decisions and recommendations, and take crucial and timely actions together, within an organisation’s policies.
Freeing up time, sharing expertise
As we can see, employing automation means that the number of manual tasks will immediately be reduced, freeing up time which can be better used by both teams to work more collaboratively on tackling growing security challenges.
Most importantly, automation doesn’t make changes without review or approval – it leverages computing power and analysis to handle repetitive processes such as finding overlapping/unused rules or provisioning changes faster with less risk of human error.
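One way to perform the “overlapping/unused rules” review that such tooling automates, as an added example that is not part of the article or any vendor’s product: rules from different devices are first normalised into one vendor-neutral form, then checked statically for shadowed rules (which can never fire, so are effectively unused) and for partly overlapping rules whose actions conflict. The tuple format, function names and sample ruleset are constructed assumptions; true “unused” detection would additionally need hit counts from the devices.

```python
# Added example (not the article's code): static review of a vendor-neutral,
# first-match firewall ruleset for shadowed rules and conflicting overlaps.
from ipaddress import ip_network

# Constructed sample: (name, action, protocol, src, dst, (dport_low, dport_high))
RULES = [
    ("r1", "permit", "tcp", "10.0.0.0/8",  "192.168.1.10/32", (443, 443)),
    ("r2", "deny",   "tcp", "10.1.0.0/16", "192.168.1.10/32", (443, 443)),  # shadowed by r1
    ("r3", "permit", "udp", "0.0.0.0/0",   "192.168.1.53/32", (53, 53)),
    ("r4", "permit", "udp", "10.0.0.0/8",  "192.168.1.53/32", (53, 53)),    # shadowed by r3
    ("r5", "permit", "tcp", "10.2.0.0/16", "192.168.2.0/24",  (1, 65535)),
    ("r6", "deny",   "tcp", "10.0.0.0/8",  "192.168.2.0/24",  (22, 22)),    # partly overlaps r5
]

def covers(outer, inner):
    """True if every packet matching `inner` also matches `outer` ("ip" = any protocol)."""
    _, _, p_o, s_o, d_o, (lo_o, hi_o) = outer
    _, _, p_i, s_i, d_i, (lo_i, hi_i) = inner
    return (p_o in ("ip", p_i)
            and ip_network(s_i).subnet_of(ip_network(s_o))
            and ip_network(d_i).subnet_of(ip_network(d_o))
            and lo_o <= lo_i and hi_i <= hi_o)

def overlaps(a, b):
    """True if at least one packet matches both rules."""
    _, _, p_a, s_a, d_a, (lo_a, hi_a) = a
    _, _, p_b, s_b, d_b, (lo_b, hi_b) = b
    return ((p_a == p_b or "ip" in (p_a, p_b))
            and ip_network(s_a).overlaps(ip_network(s_b))
            and ip_network(d_a).overlaps(ip_network(d_b))
            and max(lo_a, lo_b) <= min(hi_a, hi_b))

def shadowed_rules(rules):
    """(rule, earlier rule) pairs: the later rule can never fire, so it is a removal candidate."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                found.append((rule[0], earlier[0]))
                break
    return found

def conflicting_overlaps(rules):
    """Pairs with different actions that partly overlap: rule order alone decides the outcome."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a[1] != b[1] and overlaps(a, b) and not covers(a, b) and not covers(b, a):
                found.append((a[0], b[0]))
    return found
```

The r5/r6 finding is the kind of case that is easy to miss by eye: SSH from 10.2.0.0/16 is permitted by r5 even though r6 was written to deny it, purely because of rule order.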
In short, empowering both security and networking teams with automation will lead to a reduction in manual processes and will leverage embedded expertise and provisioning to ensure that a business’s systems remain compliant. Automating its IT network infrastructure will improve the change and provisioning process to help shorten the time needed to deploy new services.
As the traditional boundaries between security and networking teams begin to blur, we see the need for a cultural shift where silos are demolished and the teams’ respective expertise is brought together for smooth delivery of processes and decisive actions. Instead of conflict between the two teams, we see network automation technology as being the enabler of this shift, helping networking and security teams to work together towards one united common goal – that of securing and strengthening the enterprise’s most valuable asset – the network and access to key applications.