Overlapping shields of security
Posted by randallgamby on May 7, 2009
A few days ago a friend of mine contacted me because they were excited about a new product they had found. While I’m not normally into product evaluations without a specific set of requirements to judge them by, I took a look and, while I can’t say whether the product is good or bad, the idea certainly deserves mention.
The products are by Tufin Technologies, headquartered in Ramat Gan, Israel (as it seems a lot of security and identity management products are). Basically, the premise of their products is centralized policy and configuration management for policy-driven networks, creating consistent security across the organization’s boundaries.
These products seem to address an issue that’s always come up when looking at the configuration of security devices and systems in a large organization: consistency. It’s a fact that each vendor has its own management utilities, with their own “language” to write the configurations in. As the security infrastructure grows, this leads organizations to what I call “a failure in overlapping the shields of security”.
Let me give an example of what I mean… If we go back to ancient Greece, one of the most successful “defensive” armies was the Spartans. Their number one defense was a series of front-line soldiers wielding shields, with each Spartan’s shield overlapping the next. Between these shields, the next line of soldiers would stick out their long pikes, thus creating an almost impenetrable defense against the armies of the day. This was such a successful configuration that 300 Spartans held off over 200,000 Persians at the Battle of Thermopylae in 480 BC (by the way, a great movie). But there’s a catch: in order to make this work, the Spartans lived together and trained together from childhood to adulthood. Each man trusted the next more than his own family, and if there was ever a group that fought “as one” it was the Spartans. Each soldier knew deep within him that if he didn’t maintain his position, then the rest were doomed.
Jump forward to today. In most large organizations I’ve found that the defense of the organization is divided among many administrators, each holding a “shield of security”. One in Germany maintains the firewall and network there, another in the U.S. does compliance, another does role-based access, others do system-level security, etc. But unlike the Spartans, today’s defensive “soldiers” work independently or, at best, loosely communicate. So the CISO creates a new policy around enforcement. Each administrator takes this security directive, “translates” it into their vendor’s security language, and configures their system or network. So what’s the problem? Well, since the administrators don’t necessarily get together in a large group and decide how this policy should be deployed (fight “as one”), each “interprets” the meaning of the policy and configures their device or system “just a little bit different”. So when you look at the line-up of defenses in support of the policy, the “shields” don’t always line up, causing “gaps in the defense”. One administrator puts in too much defense, bogging down the business functions; one administrator puts in too little defense, increasing the possibility of a security event; and another administrator puts in just the right amount of defense, but it doesn’t align with the other administrators’ actions. So instead of having an “overlapping shield of security”, the organization ends up with a series of defensive positions with gaps and/or too much overlap, but not a consistent level of security.
So back to Tufin… What this company has done is create what I might call a “configuration and policy gateway and monitoring utility”. Through a single interface (with multiple deployment choices: appliance, software or virtual), various devices, systems, applications, etc. can be monitored using the end system vendor’s own management utility interface to ensure consistent policy enforcement is being done across the organization. The policy and enforcement information is also monitored and correlated to produce reports and to flag security policy discrepancies and changes. In concept I think this is a great idea; in implementation, I don’t know enough about the product to say (like: how do you ensure it’s interpreting policy correctly for comparison to other devices? What does it take to hook into the existing infrastructure? Who owns this thing? What if a vital policy is missing, and how do you know? etc.). But again, I’m for consistency, understanding the changes being made, and monitoring of the security functions of the organization. So if you are having problems in any of these areas, Tufin’s definitely worth a look, and then YOU can decide if they’re a good fit.
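To make the “shields don’t line up” problem concrete, here is an added example (not Tufin’s code, nor anything from the original post) of the kind of check such a utility performs: two devices whose administrators wrote the same CISO policy in two constructed, hypothetical vendor syntaxes are normalized into one model and compared against the central policy, and each mismatch is labelled as “too little defense” (a gap) or “too much defense” (over-blocking). The vendor syntaxes, device names and policy entries are all constructed for illustration.

```python
"""Flag policy gaps and over-blocking across differently configured devices."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # normalized to "allow" or "deny"
    proto: str
    port: int


def parse_vendor_a(text):
    # Constructed "vendor A" syntax: "permit tcp 443" / "deny tcp 23"
    rules = []
    for line in text.strip().splitlines():
        action, proto, port = line.split()
        rules.append(Rule("allow" if action == "permit" else "deny", proto, int(port)))
    return rules


def parse_vendor_b(text):
    # Constructed "vendor B" syntax: "ACCEPT proto=tcp dport=443" / "DROP proto=tcp dport=22"
    rules = []
    for line in text.strip().splitlines():
        action, *kv = line.split()
        fields = dict(pair.split("=") for pair in kv)
        norm = "allow" if action == "ACCEPT" else "deny"
        rules.append(Rule(norm, fields["proto"], int(fields["dport"])))
    return rules


def effective_action(rules, proto, port, default="deny"):
    # First-match semantics with an implicit default, as most firewalls use
    for r in rules:
        if r.proto == proto and r.port == port:
            return r.action
    return default


def check_consistency(policy, device_rules):
    """policy: {(proto, port): expected action}; device_rules: {device: [Rule]}.
    Returns (device, proto, port, expected, actual, verdict) for every mismatch."""
    findings = []
    for device, rules in device_rules.items():
        for (proto, port), expected in policy.items():
            actual = effective_action(rules, proto, port)
            if actual != expected:
                verdict = "too little defense" if actual == "allow" else "too much defense"
                findings.append((device, proto, port, expected, actual, verdict))
    return findings


def run_example():
    # Central policy (constructed): block telnet, allow HTTPS and SSH.
    policy = {("tcp", 23): "deny", ("tcp", 443): "allow", ("tcp", 22): "allow"}
    devices = {
        "de-fw": parse_vendor_a("permit tcp 443\npermit tcp 23\npermit tcp 22\n"),
        "us-fw": parse_vendor_b("ACCEPT proto=tcp dport=443\nDROP proto=tcp dport=22\n"),
    }
    return check_consistency(policy, devices)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run as a script it reports the German device leaving telnet open (a gap) and the U.S. device blocking SSH the policy says to allow (over-blocking); neither administrator sees the other’s error from their own vendor console.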