Change management leads to security breaches
75% of organizations believe their current change management processes could put them at risk of a security breach, according to Tufin. Having sampled 100 network security professionals directly involved in firewall management and auditing, this year’s survey reveals that manual processes – and the time constraints they create – are the biggest challenge facing today’s network security professionals.
Despite confirmation that regulatory and corporate compliance requirements such as SOX, PCI DSS and ISO 27001 are driving security operations, only 7% of the sample automates the firewall audit process. As a result, 40% of organizations spend up to a month or more a year on firewall audits.
With 85% of respondents reporting that up to 50% of firewall rule changes require modification because they were not designed correctly, it comes as no surprise that 67% believe their change management processes put them at risk of a breach.
Perhaps the greatest indicator that the problem is reaching critical mass is that 22% of the sample knew of someone that cheated on an audit, citing lack of time as the main reason. Also disturbing is how many organizations don’t audit their firewalls at all – almost a quarter of the sample (23%) has never conducted a firewall audit.
The survey also unearthed interesting trends across all three components of Security Lifecycle Management: Firewall Operations, Risk Management and Compliance, and Security Change Automation. Highlights include:
Firewall Operations/Risk Management/Compliance
- In addition to those network security managers that don’t perform firewall audits, 11% have no idea how much time it takes to conduct one.
- 84% of the sample either has no way of knowing when a firewall rule needs to be recertified or decommissioned (41%), or manages the process manually (43%.)
- Almost half the sample – 47% – locates redundant or overlapping rules manually; almost 20% have no way of locating them at all.
- While the number one reason for cheating on audits was lack of time, it was followed with two other reasons: that the parameters of the audit were irrelevant to the business (30%), and concerns that the network security the team would look bad (also 30%.)
Security Change Automation
- 28% reported that it takes them on average, several hours to several days to design a firewall rule change.
- Despite the time spent crafting rule changes, 85% reported that up to 50% of firewall rule changes require modification later on because they were not designed correctly.
- 66% of the sample felt their change management processes do or could place the organization at risk of a breach. The main reasons cited were lack of formal processes (56%), followed by manual processes with too many steps or people in the process (29%).