For IT staff in global enterprises, adding a new employee is far more
involved than finding a desk and a chair for the new hire.
Typically, it means huddling over spreadsheets, muttering to themselves
as they figure out what changes to make to access rights and policies while
taking into account a labyrinthine array of legal, departmental and
compliance rules.
Multiply that scene by thousands of users, spread over different
countries, and you have the massive, frequently chaotic process that takes
place practically every week in major companies.
In response, firewall vendors are looking to help IT fight back with
policy management automation solutions, designed to simplify the task of
managing policies and to minimize the risk of human error.
AlgoSec this week unveiled FireFlow, which automates policy change
management and integrates with existing processes — such as the e-mail and
Web-based forms typically used by department heads to request adding or
removing a user’s access.
News of AlgoSec’s new release, which is due to ship next quarter, comes a
few weeks after rival Tufin Technologies announced version 4.2 of its
flagship SecureTrack product. Tufin also announced SecureChange Workflow, an
offering targeted specifically at security policies.
A routine process fraught with challenges
Each solution takes aim at the mundane but necessary task of managing
user accounts — a chore growing more time-consuming and prone to problems
thanks to global offices, mounting regulatory policies and increasingly
outdated processes.
Typically, enterprise groups use e-mail and Web- or paper-based forms to
request changes, which are then recorded and carried out by corporate IT.
“The process was basically manual — you send an e-mail saying ‘Please
add this user to whatever’ and it was a slow, disjointed process,” AlgoSec’s
vice president of marketing, Aimee Rhodes, told InternetNews.com.
Burton Group senior analyst Pete Lindstrom agreed. “It’s common to put in
e-mail requests or log changes in an Access database or a spreadsheet,” he
told InternetNews.com.
But a manual process becomes a major chore when large companies’ IT
staffs have to weigh thousands of policy rules governing which employees can
access certain resources.
“It’s not uncommon for folks to have 40,000 to 50,000 rules across
hundreds of firewalls in today’s large environments, and having a dedicated
application to manage them is gold,” Lindstrom said.
When coupled with a sprawling, international staff, this process of
tracking user rights and privileges often proves even more taxing.
“We have lots of customers in the financial sector that are globally
based, and they’re making two to three changes to policies a week,” Rhodes
said.
In addition to having to manage the sheer volume of requests, the problem
is often exacerbated by regulatory and other legal concerns facing large
companies.
For instance, global enterprises with offices in different countries
often have to implement different rules to achieve the same results.
“Some of our clients who are large financial institutions find that they
have to apply different policies in different countries, because the laws
are different,” Shaul Efraim, vice president of marketing at Tufin, told
InternetNews.com.
Another source of pain
Global enterprises have another source of pain — they have multiple systems administrators throughout
the enterprise, all making policy changes.
This makes it difficult to enforce a comprehensive enterprise-wide set of
rules because often the left hand doesn’t know what the right hand is doing.
In addition to automating policy change and management, both vendors’
products help ensure licensing and regulatory compliance by logging all
requests and actions taken.
For one thing, enterprises have been clamoring for an automated solution
to help manage software licenses, particularly amid the growing threat of
an audit.
Additionally, recent months have seen businesses scrambling to comply
with new Payment Card Industry (PCI) regulations (such as PCI-DSS).
“In the enterprise, it makes sense to have the workflow laid out and
dedicated to change management, especially with PCI, and it makes things a
lot easier to have automation,” he said.
The vendors’ solutions also check new policies against a rules base to
minimize duplication.
“What AlgoSec and Tufin are doing is useful because we now need to make
sure that all the rules are aligned with each other and not conflicting, or too
broad or narrow for their purposes,” Lindstrom said.
Added Tufin’s Efraim, “This is a big PCI requirement; if there’s no
business need for a rule you have to get rid of it and rule usage analysis
does this.”
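As an added illustration of the checks described above (not code from the article, AlgoSec or Tufin), the following simplified Python reviews a proposed rule against a first-match firewall rule base, flagging it as redundant, shadowed or conflicting, and lists rules with no recorded hits for usage analysis. The rule format, field names and sample rule base are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # (low, high), inclusive destination port range
    action: str       # "allow" or "deny"
    hits: int = 0     # observed matches, used for usage analysis (assumed field)

def _covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and inner.ports[1] <= outer.ports[1])

def _overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.proto == b.proto or "any" in (a.proto, b.proto))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def review_rule(new: Rule, rulebase: list) -> list:
    """Findings for appending `new` to the end of a first-match rule base."""
    findings = []
    for existing in rulebase:
        if _covers(existing, new):
            # An earlier rule matches all of the new rule's traffic, so the
            # new rule is never reached: a duplicate or a shadowed rule.
            kind = "redundant" if existing.action == new.action else "shadowed"
            findings.append(f"{kind} by {existing.name}")
            break
        if _overlaps(existing, new) and existing.action != new.action:
            # Partial overlap with a different action: outcome depends on order.
            findings.append(f"conflicts with {existing.name}")
    return findings

def unused_rules(rulebase: list) -> list:
    """Rule usage analysis: names of rules that have never matched traffic."""
    return [r.name for r in rulebase if r.hits == 0]

# Constructed sample rule base (illustrative values only)
RULEBASE = [
    Rule("r1", "10.0.0.0/8", "192.168.1.10/32", "tcp", (443, 443), "allow", hits=1200),
    Rule("r2", "10.1.0.0/16", "192.168.1.0/24", "tcp", (22, 22), "deny", hits=0),
]
```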