
Dark Reading is part of the Informa Tech Division of Informa PLC



10:00 AM
Larry Alston, General Manager of Cloud, Tufin
Sponsored Article

Centralized Security Policy Management Across Hybrid Cloud Environments Should be an Obvious Strategy

If cloud adoption continues to grow at the anticipated rate over the next few years, the mandate to deploy a strategy that includes centralized security policy management will grow with it. Comprehensive visibility and the ability to quickly apply policies at the most granular levels will allow enterprises to embrace the agility of a more secure cloud with confidence.

When it comes to an access security strategy, too many of today's enterprises are focusing only on enforcement points such as firewalls or access brokers. This leaves a significant gap — and an increased attack surface — for hybrid environments that do not include centralized management for their security policies.

As cloud adoption continued to grow year-over-year, it was assumed that the de facto approach to on-prem security policy management of "rinse and repeat" would just work in this new environment. Instead, the rate of migration to the cloud opened up vulnerabilities that required an increasing amount of manual intervention and configuration. Managing security policies in the cloud using the same approach as on-prem was a flawed strategy.

The complexity of cloud and hybrid management has brought new challenges to the enterprise as cloud deployments can range from small, project-based virtual deployments to cloud-native solutions to full "lift-and-shift" environments.

The need to comprehensively manage security policies across cloud and hybrid environments has become critical and comes with the following mandates. Organizations must:

a) retain the agility and speed of cloud deployment,

b) accurately project and control costs,

c) reduce the risk arising from misconfigurations and unmet compliance requirements.

Like other evolving technology challenges, enterprises have tried to address these complexities in multiple ways. Many are learning the hard way as they struggle to successfully integrate and secure disparate networks.

A Flawed Approach

Most firewall vendors offer solutions to the enterprise that provide centralized policy management. These tools, however, are built with only one vendor in mind and assume that whenever you add more workloads — on-prem or in the cloud — you will continue to purchase their firewall. On the surface it looks fine, but as many enterprises have realized, this approach runs counter to a true cloud-native approach. A true cloud-native approach fosters speed, efficiency and scale, allowing organizations to reap the key benefits of cloud agility. Obscured visibility and vendor lock-in (with inadequate tooling) only limit the potential of the enterprise.

The additional control planes and multiple firewalls that define hybrid environments can open up significant risk due to misconfiguration and human error. This becomes especially true as organizations introduce additional vendors for different areas of the network, each managing policies based on their own underlying infrastructure.

Unexpected overhead costs are another issue, as organizations struggle to accurately forecast cloud growth. Almost every enterprise has underestimated the speed and scale at which its cloud footprint grows. This growth has blindsided many IT budget holders as overhead costs increase sharply with each additional agent and control plane introduced by firewall vendors, all of them intended to centralize security policy management.

A Simpler Approach

There is a way to manage the cost and complexity. Security policy management across entire hybrid cloud environments can be simplified using a single vendor-agnostic solution. Cloud-mature enterprises often state that their path to the cloud started with the intention to save costs. Quickly, however, the inherent agility of cloud adoption surpassed the economic drivers. The most sophisticated enterprises recognized that a vendor-locked network does not aid agility and adds overhead, diminishing the goal of reduced operational costs.

A vendor-agnostic solution that centralizes security policy management enables an enterprise through:

Visibility: End-to-end visibility of the entire network allows enterprises to understand "who is talking to whom" and eliminate blind spots. It does not limit visibility to only those parts of the network under a particular control plane but provides a clear view across on-prem, public and private cloud environments from multiple vendors.

Security Guardrails: Comprehensive visibility of the network ensures newly created policies address security gaps and reduce risk while simultaneously granting more granular control.

Compliance Control: Central policy management addresses the issues caused by silos, a major problem in the cloud because the environment is micro-segmented. Compliance requirements can be met across all environments in the enterprise network, easing an ongoing challenge for security teams.

Automation: A major avenue for agility in cloud is the continuous integration and continuous delivery (CI/CD) pipeline. With automation at the core of cloud deployments, centralized security policy management assists the CI/CD pipeline by introducing security earlier in the cycle, avoiding delays down the road due to non-adherence to policy.
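As an added illustration (not the article's or Tufin's code) of what the visibility, guardrail and automation points above amount to in a pipeline gate: rules from an AWS-style security group and an on-prem style firewall rule list, both constructed samples, are normalised into one assumed common model and checked once against the same two guardrails, regardless of which control plane they came from.

```python
import ipaddress
from collections import namedtuple

ANY = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Rule = namedtuple("Rule", "source dest port origin")  # assumed common model; port None = any port

# Constructed samples: an AWS-style security group and an on-prem style rule list.
SG_WEB = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY}]}]}
FW_DC = [
    {"src": "10.0.0.0/8", "dst": "10.20.0.5/32", "service": "tcp/443", "action": "accept"},
    {"src": "any", "dst": "any", "service": "any", "action": "accept"},
    {"src": "any", "dst": "10.20.0.6/32", "service": "tcp/3389", "action": "drop"}]

def from_aws(sg_id, sg, attached_cidr):
    """AWS security groups only permit; each IpRange of each permission becomes one Rule."""
    return [Rule(r["CidrIp"], attached_cidr,
                 None if p["IpProtocol"] == "-1" else p["FromPort"], f"aws:{sg_id}")
            for p in sg["IpPermissions"] for r in p.get("IpRanges", [])]

def from_fw(name, rules):
    """On-prem style rules carry an action; only accepts reach the guardrails."""
    cidr = lambda v: ANY if v == "any" else v
    return [Rule(cidr(r["src"]), cidr(r["dst"]),
                 None if r["service"] == "any" else int(r["service"].split("/")[1]), f"fw:{name}")
            for r in rules if r["action"] == "accept"]

def is_internal(cidr):
    """True only when the whole range sits inside RFC 1918 space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(p) for p in RFC1918)

def violations(rules):
    """Two centralized guardrails applied to every vendor's rules alike."""
    found = []
    for r in rules:
        if r.source == ANY and r.dest == ANY and r.port is None:
            found.append(f"{r.origin}: any-to-any permit")
        if not is_internal(r.source) and r.port in ADMIN_PORTS:
            found.append(f"{r.origin}: admin port {r.port} open to {r.source}")
    return found

def audit():
    """What a pipeline gate would run: normalise everything, then check once."""
    return violations(from_aws("sg-web", SG_WEB, "10.30.0.0/24") + from_fw("dc-edge", FW_DC))
```

Calling audit() returns one finding per control plane here: the security group exposing port 22 to the internet and the on-prem any-to-any accept; a pipeline would fail the change on a non-empty list.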

The goal of a centralized security policy management strategy should be to ensure agility is unimpeded, economic efficiency is maintained, and complexity due to misconfiguration is eliminated.

The second part of the "Security Policy Management in the Cloud" series is available here.

About the Author:

Larry Alston, General Manager of Cloud, Tufin: Prior to joining Tufin in 2019, Larry Alston held senior and executive management roles at Teradata, Altisource, FuseSource, IONA, and Excelon. As Tufin champions the adoption of security policy management in the cloud, Alston is responsible for all aspects of Tufin's cloud-native business.
