With needs around data privacy and application management changing rapidly, many businesses have yet to master the implementation of new security standards. The challenge becomes more complex when managing objects within a multivendor security network. Each vendor has its own management platform, which often forces network security admins to define objects multiple times, resulting in a counter-effect.
First, this can be an inefficient use of valuable resources and cause workload bottlenecks. Second, it creates naming inconsistency and introduces myriad unexpected errors, leading to security flaws and connectivity problems. This raises the question: Are businesses doing enough to ensure their network objects are synchronized in legacy and greenfield environments?
What Is Network Object Management, and Why Should We Talk About It?
If you want your IT and security administrators to get buried in trivial workloads and productivity bottlenecks, having poor network object management is a great way to achieve it. Inconsistent or incorrect naming of network objects can introduce a seemingly limitless number of problems for your organization, from connectivity woes to gaps in network security that you can’t see. In this regard, poor network object management could actually be one of the biggest “insider threats” to an organization’s overall cybersecurity efforts; if object names are incorrectly paired with a particular security policy due to inconsistent naming, everything will look fine on paper until a breach occurs, and even then it might be difficult to find the vulnerability.
This is why intelligent and proactive network object management is so crucial to a multicloud strategy. On a basic level, organizations might only need to name things such as servers, IP addresses, and groups of similar objects to which fairly simple security rules might be applied. But as an organization grows, it tends to end up with more network objects than it can count, sometimes running into the tens of thousands. Even a team of dedicated IT and security professionals wouldn’t be able to monitor and update such a large number of objects, and mistakes due to avoidable human error would go through the roof. It’s easy to see how things could go wrong with a manual or legacy approach to naming network objects — and they do.
Why Network Object Management Is More Important With a Multicloud Approach
For network security policies to work effectively, so-called “objects” on the network, such as servers or groups of IP addresses, need to be named so they can be included in the policies applicable to them. One of the biggest challenges that emerges with multicloud solutions is that businesses typically end up using network traffic-filtering solutions from multiple cloud vendors. Each solution will usually have its own vendor-specific platform, forcing network and security administrators to define the objects on their network multiple times. Not only does this waste a lot of time that could be spent elsewhere in the business, but it can lead to costly errors and security gaps.
Furthermore, this opens the door to another problem — that is, name duplication. On a small scale, this is quite easily rectified by a team that knows what to look for. But for bigger organizations, name duplication can spiral into a much larger problem. It’s not uncommon for two copies of the same name to end up with two distinctly separate definitions.
For instance, let’s say we have a group of database servers containing three IP addresses that we name “DB1” and the relevant security policy is applied. Then somebody takes the “DB1” name and uses it to define data servers in another network environment, this time containing only two IP addresses. In this example, the security policy rule using the name “DB1” would look fine to even a well-trained eye because the names and definitions it contained would seem identical. But we’re now in a situation where one of these groups would apply to two IP addresses rather than three, and that will cause more problems the more the definition is used.
Best Practices
It’s always good to have a set of maintenance guidelines that can help you achieve a higher standard of cyber hygiene. To help you get there, below are some general best practices that can serve as your cleanup checklist for network object management.
- Remove duplicate objects.
- Delete expired and unused rules and objects.
- Break up long rule sections into readable chunks.
- Enforce object naming conventions.
- Delete old and unused policies.
- Document rules, objects and policy revisions.
The Takeaway
Network object management might not be big or exciting, but it’s fundamental to the safe and secure running of multicloud network environments. If a business achieves 100% accuracy in its approach to network object management, perhaps by leveraging automation and monitoring tools, there’s very little reason it can’t go on to achieve 100% network performance and efficiency.
Source: www.darkreading.com