This document discusses increasing security maturity through an application-centric approach. It presents a security policy management maturity model with four levels related to network visibility, application mapping, security posture, change management, auditing, decommissioning, and team alignment. Higher levels involve more automated, continuous processes. Understanding application architecture and autodiscovering applications is key to advancing through the levels. Risk identification and application migrations can then be managed more securely.
2. AGENDA
• The Security Policy Management Maturity Model
• Understanding Application Architecture
• Autodiscovery for Applications and their Connectivity
• Identifying Risk Within Applications
• Migrating Applications to a New Data Center
3. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Understanding the components of the Security Policy Management Maturity Model (Level 1 to Level 4: increasing maturity)
• Network visibility and mapping
• Application to security mapping
• Security policy posture
• Security change management
• Network infrastructure auditing
• Secure decommissioning of application connectivity
• Alignment between security, network and service delivery teams
3 | Confidential
4. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Network visibility and mapping
• Live and dynamically updated map
• Network and Security view
5. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Application to security mapping
• Application Documentation
• Integrated Risk and Change Mgt View
• Business Impact
Be prepared for Software Defined Networks (SDN) such as Cisco ACI (Application Centric Infrastructure)
6. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Security policy posture
• Continuous compliance procedures
• Compliance score
• Security policy risks
• Application risk
7. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Security change management
• Automated process
• Segregation of duties
• Embedded risk checks
Workflow (figure, six numbered stages): Request → Plan → Approve → Implement → Validate → Close
Figure callouts:
• Notify requester
• Each firewall policy is automatically analyzed to see if the request is already allowed
• Add a new rule? Modify an existing rule? Create new objects? Automatically document the rule change
• Automatic “push” to reduce misconfigurations
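The “is the request already allowed?” check from the plan stage, as an added example (not from the deck or any product): a constructed first-match rulebase for a three-tier application, and a triage helper that decides whether the ticket can be closed, needs a new rule, or collides with an existing deny. The rule model, addresses and tier subnets are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rule model for the example (not a vendor rulebase format).
@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp" or "udp"
    ports: range    # destination port range
    action: str     # "allow" or "deny"

@dataclass(frozen=True)
class Request:
    src_ip: str
    dst_ip: str
    proto: str
    port: int

def matches(rule, req):
    """True when the request falls inside the rule's source, destination, protocol and port."""
    return (ipaddress.ip_address(req.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(req.dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto == req.proto and req.port in rule.ports)

def already_allowed(rulebase, req):
    """First-match evaluation: the first matching rule decides; no match is an implicit deny."""
    for rule in rulebase:
        if matches(rule, req):
            return rule.action == "allow", rule.name
    return False, "implicit-deny"

def triage(rulebase, req):
    """Plan-stage outcome: close the ticket, add a rule, or escalate a change to an existing deny."""
    allowed, rule = already_allowed(rulebase, req)
    if allowed:
        return f"already allowed by {rule}"
    if rule == "implicit-deny":
        return "needs new rule"
    return f"blocked by {rule}; modifying it needs approval"

# Constructed three-tier policy: clients 10.1/16, web 10.2.0/24, app 10.3.0/24, db 10.4.0/24.
RULEBASE = [
    Rule("deny-clients-to-db", "10.1.0.0/16", "10.4.0.0/24", "tcp", range(1521, 1522), "deny"),
    Rule("clients-to-web", "10.1.0.0/16", "10.2.0.0/24", "tcp", range(443, 444), "allow"),
    Rule("web-to-app", "10.2.0.0/24", "10.3.0.0/24", "tcp", range(8080, 8081), "allow"),
    Rule("app-to-db", "10.3.0.0/24", "10.4.0.0/24", "tcp", range(1521, 1522), "allow"),
]
```

Rule order matters: the broad deny placed first is what keeps a client-to-database request from being reported as “already allowed”, which is the kind of shadowing a manual review tends to miss.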
8. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Network infrastructure auditing
• Understand what changed, and who did it
• Don’t forget about changes in risk
• Look at the big picture
• Have granular audit details
9. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Secure decommissioning of application connectivity
• Reduce complexity
• Map applications and automate the process
• Security policy bloat over time
• Have a process to decommission
Start the decommission process when you first make the request with “rule re-certification”!
Figure: “Please decommission this application!”
Legacy WebAccess Application
#6757 Firewall Change Request to remove WebAccess application
10. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Alignment between security, network and service delivery teams
• Common goals for the business
• Application alignment between groups
• More agile
• Reduce risk
The back and forth exchange to clarify information can add days to a single security policy change request!
Collaboration can occur when each party sees the information in their native language.
Figure: different views of the same application (service delivery, networking, security)
11. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
Maturity levels per component (Level 1 / Level 2 / Level 3 / Level 4):
• Network visibility and mapping: static map (e.g. Visio) / map updated periodically / live map / live map across on-premise, SDN and cloud
• Application to security mapping: none / application architecture documented / application risk identified within all app components / app connectivity changes seamlessly integrated with security processes
• Security policy posture: poor / fair / good / excellent
• Security change management: manual, error-prone / mostly manual, some errors / mostly automated, few errors / automated policy push, virtually error-free
• Network infrastructure auditing: manual, costly / some automation, costly / automated and continuous / automated and continuous
• Secure decommissioning of application connectivity: never / rare / occasional / always
• Alignment between security, network and service delivery teams: poor / fair / good / DevSecOps
12. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
If we understand the application architecture and how it traverses the network, we can dramatically increase our maturity in these areas and be prepared for Software Defined Networks (SDN) such as Cisco ACI (Application Centric Infrastructure).
13. THE SECURITY POLICY MANAGEMENT MATURITY MODEL
…as well as increase our business agility!
14. BUSINESS APPLICATION ARCHITECTURE
• One of the biggest challenges in IT is to understand application architectures
• Just like security, networking, and other IT components, they can be complex
• There are many different components, and here’s a simplified view:
  • Browsers (IE, Chrome, Firefox, etc.)
  • Fat or thick clients (SAP, etc.)
  • Web servers (Apache, Microsoft IIS, etc.)
  • Middleware (Oracle WebLogic, Fusion, IBM WebSphere, etc.)
  • Database servers (Oracle, SQL Server, DB2, MongoDB, Hadoop, etc.)
• If we understand the application architecture then we understand how to secure the environment and create business agility when a change is needed
Figure: Client Tier → Web Tier → Business Logic Tier → Database Tier
15. IDENTIFYING BUSINESS APPLICATIONS
• How do you get a picture of the application and its components?
• Ask the application developer…they will know a few pieces
• Ask the sysadmin…he knows what software was loaded, but…
• Ask the DBA…he just left…
• Ask the middleware engineer…They deal with a lot of applications, which one?
• Look in the CMDB…this has stale information from 5 years ago…
• It’s really hard!!
Figure: Client Tier → Web Tier → Business Logic → Database Tier
16. DEFINING THE APPLICATION ARCHITECTURE
Obtaining application architecture information:
• Import DB tables through CSV files
• Sensors, probes or packet brokers which get data from:
  • port mirroring
  • promiscuous mode on an ESX server
  • host-based (local) sensor on an application server
  • data captures in PCAP, TCPDUMP and NetFlow format
• Capturing syslog traffic
• Existing security policy
Let’s look at this one first…
18. FIREWALL POLICY
You’ve documented your application!!
Information can be pulled from section headers, comment fields, object names, services, etc.
19. AUTO DISCOVERY OF BUSINESS APPLICATIONS
• Another method to consider is “Autodiscovery”
• Why?
  • Because it happens dynamically
  • You don’t need to rely on tribal knowledge that left the company
  • The application is comprised of many different components that are difficult for one individual to describe for you
  • Because your applications run your business and if it breaks, you need to figure out where to fix it
  • It can help you automatically identify changes to the application behavior over time
20. DISCOVERING EXISTING APPLICATIONS
• Autodiscovery can happen in a variety of forms
• The goal is to capture the relevant information in order to build an application diagram
Easily discover existing application connectivity flows
Figure: Packet Broker / ESX Server / Host-based sensor on Application Server
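Autodiscovery from captured flows, as an added example that is not from the deck: constructed NetFlow-style records (the kind a packet broker, ESX port mirror or host-based sensor would supply) are collapsed into connectivity edges, hosts are assigned tiers by the server port they answer on (an assumed mapping), and a later capture is diffed against the baseline to surface the change in application behaviour over time that slide 19 mentions.

```python
from collections import Counter

# Constructed NetFlow-style records: (src_ip, dst_ip, proto, dst_port, bytes).
# They stand in for data from a packet broker, ESX port mirror or host-based sensor.
BASELINE = [
    ("10.1.5.5", "10.2.0.10", "tcp", 443, 12000),
    ("10.1.7.9", "10.2.0.10", "tcp", 443, 8000),
    ("10.2.0.10", "10.3.0.5", "tcp", 8080, 5000),
    ("10.3.0.5", "10.4.0.9", "tcp", 1521, 20000),
    ("10.3.0.5", "10.0.0.53", "udp", 53, 200),
]
# A later capture in which one new flow has appeared (constructed).
LATER = BASELINE + [("10.3.0.5", "10.4.0.9", "tcp", 22, 900)]

# Assumed mapping from well-known server port to application tier.
PORT_TIERS = {80: "web", 443: "web", 8080: "business-logic",
              1521: "database", 3306: "database", 53: "dns"}

def discover(flows):
    """Collapse raw flow records into connectivity edges with total bytes per edge."""
    edges = Counter()
    for src, dst, proto, port, nbytes in flows:
        edges[(src, dst, proto, port)] += nbytes
    return edges

def tiers(flows):
    """Label each host by the tier implied by the ports it serves; hosts that only initiate are clients."""
    roles = {}
    for src, dst, proto, port, _ in flows:
        roles.setdefault(src, set())
        roles.setdefault(dst, set()).add(PORT_TIERS.get(port, f"unknown:{proto}/{port}"))
    return {host: sorted(r) if r else ["client"] for host, r in roles.items()}

def diagram(flows):
    """Tier-level edges for an application diagram, e.g. ('client', 'web', 'tcp/443')."""
    t = tiers(flows)
    return sorted({(t[s][0], t[d][0], f"{p}/{port}") for (s, d, p, port) in discover(flows)})

def new_edges(baseline, later):
    """Behaviour change over time: edges present in the later capture but not in the baseline."""
    return sorted(set(discover(later)) - set(discover(baseline)))
```

A port that is not in the tier table is kept as an explicit `unknown:` role rather than silently dropped, so an unexpected service on a known server shows up in the diagram instead of disappearing from it.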
Now that we have the application described, how can we identify the risks involved with the application?
21. RISK AND THE APPLICATION
• How risky is the application?
  • Overall application
  • Components of the application
  • Access to the application
• Identifying the application components helps you gain visibility into the risk of the entire application
• Measure the risk, just like any other corporate process
22. IDENTIFY RISK WITHIN CRITICAL BUSINESS APPLICATIONS
• Applications can have labels and priorities
• Application vulnerability scores can be summarized
23. WHAT OTHER RISKS DO WE HAVE?
• Application component risk
• Applications have many components
  • Web server
  • Database server
  • Middleware
  • NTP server
  • DNS
  • etc.
• Unscanned servers
  • You don’t know what kind of risk you have here, or if there is malware on these systems already
24. “RISK” CAN BE ADDED WHEN PERFORMING A FIREWALL CHANGE REQUEST
• Measuring risk helps application developers understand security’s viewpoint, to help prevent a data breach
• Integrate the vulnerability assessment scanning data into the application architecture
  • Qualys, Rapid7 and Nessus scanners + more
• Helps requestors know what parts of their application are vulnerable to breaches
Figure legend:
• Red highlights critical risk
• Yellow highlights medium risk
• Gray identifies servers that were not scanned
25. CONSTANTLY TRY TO IMPROVE YOUR SCORE
• By measuring your application risk you can maintain a process to reduce it over time
• Certain components of the application will be more critical than others
• Prioritize your remediation strategies to accomplish your goals for risk reduction
• How risky is it to migrate your application?
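Integrating scan data into the component inventory, as an added example rather than any scanner's or product's logic: constructed hosts and CVSS base scores, the red/yellow/gray rating from slide 24 (with unscanned hosts kept visible rather than treated as clean), and the summary, remediation ordering and trend score described on slides 22 and 25. The tier weights and score thresholds are assumptions.

```python
from collections import Counter

# Constructed Help Desk application inventory: host -> tier.
COMPONENTS = {"10.2.0.10": "web", "10.3.0.5": "business-logic",
              "10.4.0.9": "database", "10.0.0.53": "dns"}
# Constructed vulnerability-scanner export: host -> CVSS base scores of open findings.
# Hosts missing from the export were never scanned (the gray case on the slide).
SCAN = {"10.2.0.10": [9.8, 5.3], "10.3.0.5": [4.3], "10.4.0.9": []}

# Assumed weights: how much a tier's exposure matters to the application as a whole.
TIER_WEIGHT = {"database": 3, "business-logic": 2, "web": 2, "dns": 1}
SEVERITY_ORDER = ["critical", "medium", "unscanned", "clean"]  # worst first

def rate_host(scores):
    """Red/yellow/gray rating of one component from its scan findings."""
    if scores is None:
        return "unscanned"            # gray: unknown risk, possibly already compromised
    if any(s >= 9.0 for s in scores):
        return "critical"             # red
    if any(s >= 4.0 for s in scores):
        return "medium"               # yellow
    return "clean"

def rate_application(components, scan):
    """Per-component ratings, a summary count, and the worst rating as the application's level."""
    ratings = {host: rate_host(scan.get(host)) for host in components}
    worst = min(ratings.values(), key=SEVERITY_ORDER.index)
    return {"components": ratings, "summary": dict(Counter(ratings.values())), "overall": worst}

def remediation_order(components, scan):
    """Hosts ordered by severity, then by tier weight, so the riskiest critical component comes first."""
    ratings = {host: rate_host(scan.get(host)) for host in components}
    return sorted(components, key=lambda h: (SEVERITY_ORDER.index(ratings[h]),
                                             -TIER_WEIGHT.get(components[h], 1)))

def risk_score(components, scan):
    """Single number to track over time: sum of tier weight x severity rank (0 = clean)."""
    ratings = {host: rate_host(scan.get(host)) for host in components}
    return sum(TIER_WEIGHT.get(components[h], 1) * (len(SEVERITY_ORDER) - 1 - SEVERITY_ORDER.index(r))
               for h, r in ratings.items())
```

Note that an unscanned component ranks above a clean one on purpose: an absent scan result is missing evidence, not evidence of absence.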
26. MIGRATE APPLICATIONS TO NEW DATA CENTER
• Identify applications
• Extract relevant components
• Map new IP information
• Automatically prepare firewall changes for new connectivity
• Implement changes
• Decommission old rules
27. HELP DESK APPLICATION
1. This is the application to migrate
2. Identify the flows
3. Identify the relevant servers
4. Prepare change requests
Figure: Help Desk Application (callouts 1, 2)
28. MIGRATING THE HELP DESK APPLICATION
Extract required servers and prepare them for the planning stage
Figure: Help Desk Application (callout 3)
30. SMS SERVER DC1 HAS A NEW DEFINITION
• Understanding the architecture helps you identify what components need to talk to each other
• If this server moves to a new location, these flows will be affected
31. WE
We have the server definitions in place, but now we need to update the application
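The migration steps of slide 26 applied to the Help Desk example, as added code that is not from the deck: constructed application flows and an assumed old-to-new address plan, the flows affected when one server moves (slide 30's question), the rules to add for the new connectivity, and the old rules to retire, gated by the post-cutover re-certification that slide 9 recommends rather than deleted at the same time as the new rules are pushed.

```python
# Constructed Help Desk application flows discovered in the old data center:
# (src, dst, proto, dst_port). A source may be a client subnet.
HELPDESK_FLOWS = [
    ("10.1.0.0/16", "10.2.0.10", "tcp", 443),   # clients -> web
    ("10.2.0.10", "10.3.0.5", "tcp", 8080),     # web -> business logic
    ("10.3.0.5", "10.4.0.9", "tcp", 1521),      # business logic -> database
    ("10.3.0.5", "10.5.0.20", "tcp", 25),       # business logic -> SMS/mail server (stays put)
    ("10.5.0.20", "10.0.0.53", "udp", 53),      # SMS server -> DNS (neither moves)
]
# Constructed move plan: old address -> new address in the new data center.
MOVE_PLAN = {"10.2.0.10": "172.16.2.10", "10.3.0.5": "172.16.3.5", "10.4.0.9": "172.16.4.9"}

def affected_flows(flows, server):
    """Flows that break if this one server changes location."""
    return [f for f in flows if server in (f[0], f[1])]

def remap(flow, plan):
    """Rewrite both ends of a flow with the new addresses; hosts not in the plan keep theirs."""
    src, dst, proto, port = flow
    return (plan.get(src, src), plan.get(dst, dst), proto, port)

def plan_migration(flows, plan):
    """Split flows into rules to add for the new connectivity, old rules to retire later, and untouched ones."""
    add, retire, keep = [], [], []
    for flow in flows:
        new = remap(flow, plan)
        if new == flow:
            keep.append(flow)
        else:
            add.append(new)
            retire.append(flow)
    return add, retire, keep

def ready_to_retire(retire, observed_after_cutover):
    """Re-certification: old rules with no traffic after cutover can go; the rest still carry live flows."""
    hits = set(observed_after_cutover)
    return [f for f in retire if f not in hits], [f for f in retire if f in hits]
```

The second list returned by `ready_to_retire` is the interesting one for an operator: an old rule that still sees traffic after cutover means some component was never moved or some client still points at the old address.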
40. SUMMARY
• Increase your security policy management maturity by mapping your application architecture
• This will give you better security visibility and also business agility
• Try to progress your maturity in a consistent manner
• Include risk analysis for your application visibility
• Mapping applications can accelerate your data center and cloud migration goals!!