The policing minister spoke about the need for police forces to address challenges from legacy IT systems and a lack of integrated data exchanges between the 43 separate police forces in the UK. Each police force manages large amounts of personal data and needs to share information to be effective, but currently does so manually between separate systems. The document discusses the need for police forces to adopt cloud-based systems and automation to improve information sharing and security across complex IT infrastructures in order to more effectively meet modern policing challenges.

1. The Policing Minister, Nick Hurd, spoke at the Fourth Digital Policing Summit on November 2018 during which he described now as the
pivotal time to address technical obstacles of existing police technology.
Policing is currently meeting modern policing challenges using legacy IT systems, but for how much longer? The policing landscape
remains a complex one with 43 police forces, each operating in silos, that lack integrated data exchanges. This lack of information flow
prevents reaping the benefits of efficiency enabled by automation. Additionally, Police Scotland, The Police Service of Northern Ireland,
and other national law enforcement agencies including the National Crime Agency, Border Force, British Transport Police and others are
in the same position – manually exerting themselves to achieve agility, yet increasingly obstructed by legacy IT and data silos.
Each police force and law enforcement agency is responsible for managing an extreme volume of personal data. Tasked with keeping
people and communities safe, each police force and law enforcement agency needs to share information across organisational boundaries
in order to be both efficient and effective.
In meeting those modern policing challenges, police forces continually seek greater mobility and agility. They must also grapple with
challenges caused by the explosion of digital evidence and requirements to collect, store, search against, and share structured and
unstructured data.
It is of note that after some deliberation, police forces are now adopting Cloud First Policy. This puts the police service on a data migration
journey from the physical network to the cloud, often using multiple vendors.
The increased complexity of the police’s IT infrastructure from Cloud First Policy cannot be ignored. Police forces already had a
multi-vendor, heterogenous environment with a mix of physical data centres with the more mature police forces adopting those cloud
environments. And new networking platforms further complicate the ability to deliver assured network connectivity when data is further
disparately distributed.
Some of the challenges in managing high volumes of personal data were brought to life recently by the announcement that the Information
Commissioners Officer are serving an Enforcement Notice on a large police force. The ICO made a stinging rebuke in November 2018 for
the multiple and serious data breaches relating to a ‘Gangs Matrix Database’. There are many other examples, where police forces lose
public confidence during similar security incidents that leak sensitive data – the very peoples’ data that they are meant to be protecting.
CIOs recognise correctly investing in network security is far less expensive than the cost of having a data breach from an organizational
perspective. For Chief Constables and Police and Crime Commissioners, improved network security is far better than losing public
confidence and experiencing reputational damage.
All police forces have a Senior Information Risk Officer (SIRO), typically performed by the Deputy Chief Constable due to the significance.
SIROs are highly aware of risks posed by cyberattacks and carry overall responsibility for information security.
Not only does network security need to be comprehensive, but it must also keep pace with developments in digital policing by effectively
connecting the complex police landscape.
Policing requires greater agility in many respects; from how members of the public contact the police to sharing data within and between
law enforcement organisations. Criminals are not hindered by policing boundaries and neither should the police. It is for this reason that
police forces are adjusting their Target Operating Models to address the disruptive digital challenges of modern policing.
A digitally transformed police service requires a network that is agile. Waiting for network connectivity, such as firewall changes, prevents
police forces from ever delivering swift protective responses.
White Paper
Network Security Policy Automation and Orchestration
for Policing
www.tufin.com

2. www.tufin.com
The complexity of networks is increasing, and the manual configuration of policy changes to multiple firewalls, locally, regionally, and
nationally is harrowing and time consuming. Data breaches prominently displayed on newspaper headlines are likely to increasingly
derail police forces and prevent efficient and effective policing.
The National Enabling Programme and police force IT departments therefore need to achieve the balance between agility and security.
Network security policy management is the logical answer for enabling policing with the needed agility, and compliments their legacy and
new technology through automation. Critical security changes are orchestrated in minutes rather than days, which saves valuable time for
IT departments. Gartner research has noted the benefits of effective network orchestration and automation which improves management
capabilities and operational efficiency. Other benefits of automation include increased application availability, robustness and stability
(Simon Richard, Gartner research, Effective Network Orchestration Starts by Automating Provisioning, 31 August 2015)
So this beckons the question, how do police forces and other law enforcement agencies turn network security into an enablement solution
to ensure policing effectiveness?
This paper lists the five critical steps of adopting network security automation and reviews how to address the challenges of increasing
agility and enabling the business. evolve your network security processes into agility enablement.
Step 1: Gain Visibility into the Business Requirements
Applications are required to support core policing. Depending on the size and nature of the police force, there can be tens or hundreds
of applications connected across physical network and cloud. To manage the security and ensure connectivity of these applications, the
IT teams require visibility into what the applications are, their dependencies, the criticality of each application, the services required for
access, and the application owner. Without this information, it’s impossible to deliver connectivity and ensure ongoing connectivity despite
changes to the network that may delay application launches and ongoing connectivity.
Step 2: Model the Network Topology
The next step is to have a very clear model of the network topology—what network security devices exist, where they are (i.e., specific IP
addresses), security groups (in the SDN and public cloud), how traffic routes throughout this network, the connectivity between various
points, and where connectivity drops. This model must be dynamic because the network is subject to constant change. This connectivity
information is critical because without it, how would anyone know how or where to make changes?
Step 3: Define the Organisational Security Policy
Each police force or law enforcement agency must define a comprehensive organisational security policy aligned with the external
regulatory mandates and industry standards (e.g., PNN, PCI DSS, SOX, NERC CIP, and of course GDPR); internal enterprise-wide
governance requirements; and general best practices that the enterprise observes. This security policy should define what is and isn’t
allowed for connectivity between different zones, or segments, of the network. For example, PCI DSS specifies that the cardholder
data environment must be isolated from all other network segments, unless you want the entire network to be subjected to PCI DSS
compliance. Segmenting your network and determining the permissible service types between them dictates what future connections are
permitted into the cardholder data environment.
Step 4: Create a Well-Defined, Documented Change Process
All police forces already have processes in place available through workflows in their ticketing system, and in many cases based on
the ITIL best practice framework. There are many products that manage changes , but none of them provide analysis, provisioning and
documentation of network security policy changes. In order to automate network security access requests, the change process needs to
be defined and integrated with the ITSM solution to ensure comprehensive oversight and governance of IT service management.
Step 5: Automate the Process
Automation eliminates tedious tasks and helps humans make better decisions. ‘What-if’ analysis is often used to simulate planned security
changes and assess if the expected results don’t disrupt the broader network connectivity or violate compliance before provisioning the
needed changes. Automating risk and connectivity analysis ensures that the security team only approves changes that violate the policy
and empowers the networking team to process change requests rapidly. Policy-based automation helps implement changes in minutes
instead of days accurately and securely, and ensures full documentation of every access request.

3. www.tufin.com
Ready. Set. Automate!
Once the police force has the below five achievements completed, they can then leverage automation to maximize agility and security in
a complex, hybrid network:
1. Understands its business needs
2. Has an accurate live model of network topology
3. Creates a documented security policy
4. Agrees to a formal process for processing change requests
5. Automate the process with baked-in ‘what-if’ analysis
The Tufin Orchestration Suite Delivers Network Security Policy Management
The Tufin Orchestration Suite™ fills this gap by automating the network security change process, providing police force SIROs with the
assurance that personal data is secure across physical network and hybrid cloud platforms. The suite abstracts the network infrastructure
and the business applications to analyse the risk of changes and then provisions them once approved. The APIs enable consistent
communication with other important applications of the computing environment, such as an IT service management system as seen in
the image below.
Tufin takes a policy-based approach to automate security change requests. Automation boosts security for police forces and other law
enforcement agencies, facilitates and increases agility, and ensures efficiency and effectiveness. From the application to the firewall, Tufin
enables the effective enforcement of security policy management through orchestration across physical networks and cloud platforms,
reducing the attack surface and ensuring the public confidence in policing.