Firewall Vendors Look to Automate Policy Changes

By helping to manage employee access rights and policies, new products seek to help shoulder a staggering burden on IT in large global enterprises.

 By Richard Adhikari
Page 1 of 2
Print Article

For IT staff in global enterprises, adding a new employee is far more involved than finding a desk and a chair for the new hire.

Typically, it means huddling over spreadsheets, muttering to themselves as they figure out what changes to make to access rights and policies while taking into account a labyrinthine array of legal, departmental and compliance rules.

Multiply that scene by thousands of users, spread over different countries, and you have the massive, frequently chaotic process that takes place practically every week in major companies.

In response, firewall vendors are looking to help IT fight back using policy management automation solutions, designed to simplify the task of managing policies -- and minimizing the risk of human error.

AlgoSec this week unveiled FireFlow, which automates policy change management and integrates with existing processes -- such as the e-mail and Web-based forms typically used by department heads to request adding or removing a user's access.

News of AlgoSec's new release, which is due to ship next quarter, comes a few weeks after rival Tufin Technologies announced version 4.2 of its flagship SecureTrack product. Tufin also announced SecureChange Workflow, an offering targeted specifically at security policies.

A routine process fraught with challenges

Each solution takes aim at the mundane but necessary task of managing user accounts -- a chore growing more time-consuming and prone to problems thanks to global offices, mounting regulatory policies and increasingly outdated processes.

Typically, enterprise groups use e-mail and Web- or paper-based forms, to request changes, which are then recorded and carried out by corporate IT.

"The process was basically manual -- you send an e-mail saying 'Please add this user to whatever' and it was a slow, disjointed process," AlgoSec's vice president of marketing, Aimee Rhodes, told InternetNews.com.

Burton Group senior analyst Pete Lindstrom agreed. "It's common to put in e-mail requests or log changes in an Access database or a spreadsheet," he told InternetNews.com.

But a manual process becomes a major chore when large companies' IT staffs have to weigh thousands of policy rules governing which employees can access certain resources.

"It's not uncommon for folks to have 40,000 to 50,000 rules across hundreds of firewalls in today's large environments, and having a dedicated application to manage them is gold," Lindstrom said.

When coupled with a sprawling, international staff, this process of tracking user rights and privileges often proves even more taxing.

"We have lots of customers in the financial sector that are globally based, and they're making two to three changes to policies a week," Rhodes said.

In addition to having to manage the sheer volume of requests, the problem is often exacerbated by regulatory and other legal concerns facing large companies.

For instance, global enterprises with offices in different countries often have to implement different rules to achieve the same results.

"Some of our clients who are large financial institutions find that they have to apply different policies in different countries, because the laws are different," Shaul Efraim, vice president of marketing at Tufin, told InternetNews.com.

Page 2: Another source of pain

This article was originally published on Jun 20, 2008
Get the Latest Scoop with Networking Update Newsletter