The Second Step Towards Automation: Audit and Cleanup

Today’s fast-changing economic climate is pushing CISOs to do more with less while still reducing risk to their environment. Automation can play a role in increasing efficiency and improving security posture. In this blog series, Broadcom Software partner Braxton-Grant will look at the key factors to consider when implementing automation in your network.

The Importance of Auditing and Cleanup

Before you automate new or existing security policies, it’s important first to do a policy audit and cleanup. Your policy audit should cover not just what you have in your environment, but do you know what it does? Is it still applicable? If this policy has not been used in the last six months, do you still need it, is it relevant?

I look at policy rules as speed bumps in the user experience. Let’s say a customer has 1000 rules. I don’t want to go through a parking lot that has a thousand speed bumps. A policy audit and cleanup ensure that your workflows are not only secure, but streamlined. You don’t want to add more complexity or automate a mess of irrelevant policy.

The Short Shelf Life of Security Policy

Security policy should not be static for several reasons. Staff members can change and there isn't always knowledge transfer between exiting and onboarding employees. Or, the policy is too complex, which makes it difficult to support, or can quickly become out of date. It can also lack comments or documentation; without it, you don’t know the intent of the policy. Was it temporary? Was it for a week or day? 

And, of course, technologies can change. When you’re migrating from one vendor to another, it’s a good time to audit your security policy. You don’t want to carry over certain policies because you've reduced some of your network security tools.

After a successful policy audit, however, team members may still be reluctant to remove or automate certain security policies. They don’t want to accidentally take down the network or cause an outage. As a result, policy can often remain in a bit of a frozen state. To create – and automate – new policy, you need a new mindset.

Embracing a New Mindset

Automation requires everyone embrace a new mindset – not only the technical team that will be doing the work, but also your user base, who needs to be educated on the changes i.e., "Hey, your ticket flow might change. The responses you get in a ticket might change."

Automation takes stakeholder and customer participation and buy-in. For example, one of our customers had 2000 rules that had not been used in the last six months. So, our question to them was: “Do you still need them? If you don't, be sure to document what and why it was removed.” I find that the best time to conduct a policy audit is at the end-of-the-year (November, December, and January), when many organizations put a network policy freeze in place.

Get Clean

Keep in mind that policy automation is your end goal. To get there, you first need to complete your policy audit and cleanup. You're trying to centralize and streamline to reduce complexity in your environment and remove obstacles for users. You're helping the user – you're not taking away functionalities that the user needs; instead, you're just organizing it.

Over time, as staff come and go, you may find that your organization has accrued security policies that are no longer applicable. It's like throwing stuff in the closet – you don't realize how much has been acquired in there when you weren't looking. Security policy is the same way– we're trying to clean up and move the customer forward with a security posture mindset.

The cleaner – the less complex – your environment, the easier it is for your users to get what they need. You certainly don't want them to say, "Oh, I don't have this obstacle on my home network so I'm going to try and do all my work on my personal system" which is not a corporate device supported with the proper security rules and tools. The more diminished the user experience, the more likely the user will try to find creative ways to be productive that will risk your security posture. If you don't allow them to be productive within their environment, the workarounds they may resort to can open you up to risk.

Don’t Forget Stakeholder Communication and Buy-in

Again, security policies are like speed bumps – you want to be sure you remove any unnecessary or outdated rules that might reduce user productivity while still maintaining your security posture. Yet users should not be your only consideration. Once you have completed your policy audit, be sure to share your security policy change and automation recommendations and improvements with all stakeholders to get their buy-in before the final cleanup begins.