Security process automation: Create order from chaos
As a boy I loved Lego. I’d use the red and green and white bricks that in those days came in just a few shapes, to construct houses, ships, cars and stairways that lead nowhere. It was all about fun and imagination.
Recently I was at the Check Point Experience in London, spending my days talking to firewall administrators. As CTO of a company that helps security administrators automate change management for firewalls and other network infrastructure (among other things), I learned early on that there is no such thing as a standard process for managing changes to security policies. But it wasn’t until the first day of the conference that I made the connection between Lego and standardizing change management.
It seems like no two organizations have the same process. There actually seem to be more differences than similarities. For example, one process may require that requests are approved by the line manager while at another organization the request must first pass a technical design phase before being approved. Over the last few years I’ve seen literally hundreds of variations of workflows for changing firewall policies.
It would be so easy if we could simply say, “here’s how you should be working” and provide the ideal workflow for you, but unfortunately, things just don’t work that way. Each and every organization has developed custom processes that match their needs, organizational structures and policies. Beyond technical constraints, there are also social and political factors that have shaped these processes and they cannot be modified easily, if at all.
And then there’s the “C” word… Compliance. Compliance has added a whole new dimension to security. It’s our connection to the hearts and minds of executive management. But internal policies, regulatory requirements and other mandates are moving targets, ones that are further complicated by country, vertical industry, the size of the company, and the nature of the business.
Another factor that complicates standardization is the rate at which different companies integrate new technologies into their organizations. And the list goes on – mergers and acquisitions, changes in leadership, economic issues, and people. Don’t forget, technology is still developed and managed by people – who are predictably unpredictable. How do you even begin to create standards from all this chaos? Enter Lego.
How would you describe Lego? Modular. Extensible. Solid. Flexible. These words sound familiar, don’t they? That’s why instead of a single rigid process, our approach was to construct small building blocks that can be compiled, managed and personalized within a larger set of organizational processes.
As a side note, for the Unix enthusiasts out there, we know that Unix is based on a very similar concept (executables and pipes…). Modularity is a recipe for success, especially where the environment is varied and unpredictable. That said, creating a model that can accommodate almost any security change process was no easy task. The building process needed to be technically feasible and easy for users to adopt. It had to take security and risk management into account at each juncture. It came together in a very Lego-like manner, one piece at a time.
Here are some of the design principles we used and the considerations behind them:
Construct a customized workflow from steps: The first thing we noticed was how the workflows differ between organizations. We saw that workflows consist of ordered steps but that the nature and order of the steps differs from one organization to another. The answer to this is simple: provide a Workflow Step element that can be assembled to construct custom workflows.
Assign users and roles to each step: We also realized that there is need for flexibility about the participants in each step, and that this is very role-oriented. We allowed users to attach participants to each step and specify their roles like, for example, Security Manager, Security Administrator, Line-of-Business etc.
Design forms for data input: Anyone who has designed business processes knows that they are built around forms and data. The forms are used for inputting and reviewing information that is needed for the process. Well, here again, it turns out there are no two identical forms. One has a subject field on top followed by a business justification while another starts with a serial number and then the requested application flow. So we decided to provide a powerful but easy-to-use design tool that can be used to build virtually any form in a WYSIWYG manner.
Allow for refinement: Now design your processes – as they currently exist or as you would like them to take place. Build as many workflows as you need. Each workflow can consist of any number of steps, each step with custom participants from your user list. Understand that when you are building a process out of nothing, some fine tuning will be necessary.
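The three building blocks above (ordered steps, role-restricted participants per step, and a form per step) can be sketched as a small data model. This is an added illustration, not the product’s own code; the step names, roles and form fields are constructed from the examples in the text, and the model enforces that a request moves through the steps in order and that only a participant holding a role assigned to the current step can complete it.

```python
from dataclasses import dataclass, field

# Added illustration, not the product's own code: a minimal model of the
# building blocks described above. A workflow is an ordered list of steps,
# each step names the roles allowed to complete it and the form fields it
# collects, and a request can only advance through the steps in order.

@dataclass(frozen=True)
class Step:
    name: str
    allowed_roles: frozenset   # roles that may complete this step
    form_fields: tuple         # form fields that must be filled at this step

@dataclass
class ChangeRequest:
    workflow: list                                  # ordered Steps
    data: dict = field(default_factory=dict)        # merged form data
    position: int = 0                               # index of the current step
    history: list = field(default_factory=list)     # (step name, user) audit trail

    def current_step(self):
        if self.position < len(self.workflow):
            return self.workflow[self.position]
        return None

    def complete_step(self, user, roles, form_input):
        """Advance one step; returns True when the workflow is finished."""
        step = self.current_step()
        if step is None:
            raise ValueError("workflow already finished")
        if not step.allowed_roles & frozenset(roles):
            raise PermissionError(f"{user} holds no role permitted at step '{step.name}'")
        missing = [f for f in step.form_fields if not form_input.get(f)]
        if missing:
            raise ValueError(f"step '{step.name}' is missing fields: {missing}")
        self.data.update(form_input)
        self.history.append((step.name, user))
        self.position += 1
        return self.current_step() is None

def firewall_change_workflow():
    # Constructed example combining the two variants from the text:
    # request -> line-manager approval -> technical design -> implementation.
    return [
        Step("Request", frozenset({"Line-of-Business"}), ("subject", "business_justification")),
        Step("Manager approval", frozenset({"Line Manager"}), ("approval_note",)),
        Step("Technical design", frozenset({"Security Administrator"}), ("source", "destination", "service")),
        Step("Implementation", frozenset({"Security Administrator"}), ("change_ticket",)),
    ]
```

Swapping the order of the list, or adding a step, changes the process without touching the enforcement logic, which is the point of the building-block approach.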
Now that I’m back from the exhibition and conference, I’m back to playing with real Lego with my daughters – who enjoy their building blocks every bit as much as I did – but now I’m building princesses and castles, rather than the cars and ships of my boyhood. Just as Lego can be flexible enough to meet the disparate building needs of little boys and girls everywhere, a “building block” approach to IT security can break complex problems down into manageable chunks that, when linked together, create a set of customized processes that meet the needs of the business.