Firewall Vendors Look to Automate Policy Changes

By Richard Adhikari | Jun 20, 2008
http://www.enterprisenetworkingplanet.com/news/article.php/3754386/Firewall-Vendors-Look-to-Automate-Policy-Changes.htm

For IT staff in global enterprises, adding a new employee is far more involved than finding a desk and a chair for the new hire.

Typically, it means huddling over spreadsheets, muttering to themselves as they figure out what changes to make to access rights and policies while taking into account a labyrinthine array of legal, departmental and compliance rules.

Multiply that scene by thousands of users, spread over different countries, and you have the massive, frequently chaotic process that takes place practically every week in major companies.

In response, firewall vendors are looking to help IT fight back using policy management automation solutions, designed to simplify the task of managing policies -- and minimize the risk of human error.

AlgoSec this week unveiled FireFlow, which automates policy change management and integrates with existing processes -- such as the e-mail and Web-based forms typically used by department heads to request adding or removing a user's access.

News of AlgoSec's new release, which is due to ship next quarter, comes a few weeks after rival Tufin Technologies announced version 4.2 of its flagship SecureTrack product. Tufin also announced SecureChange Workflow, an offering targeted specifically at security policies.

A routine process fraught with challenges

Each solution takes aim at the mundane but necessary task of managing user accounts -- a chore growing more time-consuming and prone to problems thanks to global offices, mounting regulatory policies and increasingly outdated processes.

Typically, enterprise groups use e-mail and Web- or paper-based forms to request changes, which are then recorded and carried out by corporate IT.

"The process was basically manual -- you send an e-mail saying 'Please add this user to whatever' and it was a slow, disjointed process," AlgoSec's vice president of marketing, Aimee Rhodes, told InternetNews.com.

Burton Group senior analyst Pete Lindstrom agreed. "It's common to put in e-mail requests or log changes in an Access database or a spreadsheet," he told InternetNews.com.

But a manual process becomes a major chore when large companies' IT staffs have to weigh thousands of policy rules governing which employees can access certain resources.

"It's not uncommon for folks to have 40,000 to 50,000 rules across hundreds of firewalls in today's large environments, and having a dedicated application to manage them is gold," Lindstrom said.

When coupled with a sprawling, international staff, this process of tracking user rights and privileges often proves even more taxing.

"We have lots of customers in the financial sector that are globally based, and they're making two to three changes to policies a week," Rhodes said.

In addition to having to manage the sheer volume of requests, the problem is often exacerbated by regulatory and other legal concerns facing large companies.

For instance, global enterprises with offices in different countries often have to implement different rules to achieve the same results.

"Some of our clients who are large financial institutions find that they have to apply different policies in different countries, because the laws are different," Shaul Efraim, vice president of marketing at Tufin, told InternetNews.com.

Another source of pain

Global enterprises have another source of pain -- they have multiple systems administrators throughout the enterprise, all making policy changes.

This makes it difficult to enforce a comprehensive enterprise-wide set of rules because often the left hand doesn't know what the right hand is doing.

In addition to automating policy change and management, both vendors' products help ensure licensing and regulatory compliance by logging all requests and actions taken.

For one thing, enterprises have been clamoring for an automated solution in response to the task of managing software licenses, particularly amid the growing threat of an audit.

Additionally, recent months have seen businesses scrambling to comply with new Payment Card Industry (PCI) regulations (such as PCI-DSS), which have proven a major headache for IT admins, Lindstrom said.

"In the enterprise, it makes sense to have the workflow laid out and dedicated to change management, especially with PCI, and it makes things a lot easier to have automation," he said.

The vendors' solutions also check new policies against a rules base to minimize duplication.

"What AlgoSec and Tufin are doing is useful because we now need to make sure that all the rules are aligned with each other and not conflicting, or too broad or narrow for their purposes," Lindstrom said.

Added Tufin's Efraim, "This is a big PCI requirement; if there's no business need for a rule you have to get rid of it and rule usage analysis does this."

Article courtesy of InternetNews.com