Example Analysis of Network Security Policy Management Technology NSPM

2025-01-14 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article presents an example analysis of network security policy management (NSPM) technology, from the concept and components through use cases, risks and procurement considerations.

Aqniu (安全牛) editorial review

Enterprise network security capability is, to a large extent, a management capability. Facing the new challenges brought by the pandemic and digital/cloud transformation (attack surface growth, IT complexity, fragmentation and shadow IT), the biggest challenge for enterprise network security departments is centralized, effective control of dynamic risk. Network security policy management technology acts like an enterprise's integrated air and ground traffic control system: it coordinates and manages on-premises and cloud security policies and provides a unified security management platform for the security team, the network/IT team and the cloud operations team, with high visibility into applications, networks, workloads and devices, so that IT and security can cooperate seamlessly. Starting from the current state and requirements of network security and risk management, the following is an in-depth introduction to the concept, components, patterns, advantages and disadvantages, risks and procurement considerations of NSPM.

Network security policy management tools help security managers address a variety of use cases by providing centralized visibility and control of security policies, risk analysis, real-time compliance and application mapping across hybrid networks.

An overview of the main findings

Although firewall vendors provide a number of centralized firewall management solutions, many problems remain.

Enterprises are not yet able to demonstrate the same level of security policy consistency in hybrid cloud environments as on their internal networks.

Developers who use self-service IaaS often use the built-in capabilities of cloud providers, and network security teams do not have visibility and control.

Network and security teams often find it difficult to understand the connectivity of key applications in digital services and in microsegmentation efforts.

Mitigating real-time risk is a goal of enterprise security teams, but it is difficult for teams in a multi-vendor environment to achieve this goal.

Recommendations

Security and risk management leaders responsible for network and endpoint security, vulnerability management, and DevSecOps that drives business value should:

Identify major and adjacent use cases and discuss with all relevant business executives how to effectively use tools and subscriptions.

Evaluate the ability of network security policy management (NSPM) vendors to integrate with target systems such as IT service management tools, security appliances, and cloud platforms through a vendor proof of concept.

Use the vendor's professional services for implementation and training so that the team can manage and run the tool effectively.

Work with the application development and I&O (infrastructure and operations) teams to identify existing and near-term roadmaps for private and hybrid cloud adoption, as well as any security requirements arising from DevOps initiatives and compliance obligations.

Strategic planning assumptions

Through 2023, at least 99% of cloud security failures will be the customer's own fault.

Through 2023, 99% of firewall breaches will be caused by firewall misconfiguration, not by flaws in the firewall itself.

By 2021, more than 75% of midsize and large enterprises will have adopted a multicloud and/or hybrid IT strategy.

By 2023, more than 25% of enterprises using multiple IaaS providers will deploy third-party security and microsegmentation controls rather than relying solely on built-in IaaS controls, up from less than 5% today.

Analysis

Although several network security vendors have centralized management platforms, network security teams still struggle to manage multi-category, multi-vendor security policies while maintaining full visibility in heterogeneous environments, and maintaining continuous compliance is becoming an even bigger challenge. As enterprises grow, their networks and requirements grow with them, extending into both private and public clouds. At the same time, the shift to rapid application development through DevOps requires enterprises to deliver faster while still ensuring security. Enterprises are therefore looking for ways to automate network security management further and integrate it into DevOps to meet growing business needs. By addressing these use cases with network security management tools, security and risk management leaders can use NSPM solutions to manage the increased complexity of today's environments.

Definition

Network security policy management tools go beyond the policy management interfaces provided by firewall vendors. NSPM provides analysis and auditing for rule optimization, change management workflows, rule testing, compliance assessment and visualization, typically covering multiple network paths using a visual network map of device and firewall access rules. NSPM tools are usually sold as suites and include adjacent functions such as application connectivity management, policy optimization and risk-oriented threat path analysis.

Description

NSPM tools provide security operations (SecOps) functions primarily through integration with multiple network security products, and so have the potential to address a variety of network security and application management use cases. They extend visibility and security policy management to both public and private cloud platforms. To date, however, security policy management for public and private clouds is still an evolving capability that supports only a limited number of cloud platforms; the most commonly supported are VMware NSX, Amazon Web Services (AWS), Microsoft Azure and, sometimes, OpenStack. In addition to network security policy management, these tools provide application discovery and connectivity capabilities. Because they can talk to major network devices such as routers, switches and load balancers, they can also analyze network security risk and perform vulnerability assessment.

The key components of these products are (see figure 1):

1. Security policy management for multi-vendor firewalls and network security equipment

2. Change management system

3. Risk and vulnerability analysis

4. Application connectivity management

Figure 1. Components of network security policy management tools

Source: Gartner (February 2019)

NSPM tools provide integration and automation with multi-vendor security products and solutions. Vendors are extending integration to some of the following solutions:

Network security devices (firewalls, routers, switches, etc.)

IT service management solution

Public IaaS platform

Software defined Network (SDN) platform

Container network

Vulnerability scanner

DevOps Automation tool

Security Information and event Management (SIEM)

Security orchestration, automation and response (SOAR)

With these functions, the tools can help enterprises address a variety of use cases.

They automate network security operations through risk analysis while maintaining continuous compliance. As networks evolve, they provide visibility into and control over public and private cloud platforms, that is, centralized visibility and control in hybrid networks, which has long been a gray area for network security operations teams. Through application visibility, they also give application and information security teams a common platform to collaborate and deliver faster.

Benefits and uses

The main functions of NSPM tools are:

Firewall rule management: this provides centralized planning of firewall rules in multi-vendor, multi-firewall environments, making it easier to create and push rules centrally. The firewall policy manager helps identify redundant, shadowed, overlapping and conflicting rules. Users can search centrally across all firewalls by rule component (object, port, IP address). Vendors in this area also provide advanced search that supports metadata, along with granular features such as configuration comparison between two devices, audit trails, reporting and automated change management.
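As an added example (not code from the page or from any NSPM vendor), the following Python script implements the rule-analysis step described above for a first-match firewall policy: it reports rules that are shadowed by an earlier rule with a different action (they never fire and the two rules conflict) and rules that are redundant with an earlier rule of the same action. The rule model and the sample policy are constructed assumptions; only coverage by a single earlier rule is checked, not coverage by the union of several earlier rules.

```python
"""Shadowed/redundant rule detection for a first-match firewall ruleset.

Added example, not code from the page or from any NSPM vendor. A later rule
is SHADOWED when an earlier rule already matches every flow it could match
and takes a different action (the later rule never fires and the two
conflict); it is REDUNDANT when the earlier rule takes the same action.
Only coverage by a single earlier rule is checked; coverage by the union of
several earlier rules is a harder case and is not detected here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range; (0, 65535) = any

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return (
            other.src.subnet_of(self.src)
            and other.dst.subnet_of(self.dst)
            and self.proto in ("any", other.proto)
            and self.ports[0] <= other.ports[0]
            and self.ports[1] >= other.ports[1]
        )


def rule(name: str, action: str, src: str, dst: str,
         proto: str = "any", ports: Tuple[int, int] = (0, 65535)) -> Rule:
    """Convenience constructor that parses CIDR strings."""
    return Rule(name, action, ip_network(src), ip_network(dst), proto, ports)


def analyze(rules: List[Rule]):
    """Return (shadowed, redundant): lists of (later_rule, covering_earlier_rule) names.

    The first earlier rule that fully covers a later one is reported, because
    under first-match semantics that is the rule that actually absorbs the traffic.
    """
    shadowed, redundant = [], []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if earlier.covers(later):
                bucket = shadowed if earlier.action != later.action else redundant
                bucket.append((later.name, earlier.name))
                break
    return shadowed, redundant


# Constructed sample policy (not a real ruleset), evaluated top to bottom.
SAMPLE_RULES = [
    rule("R1", "allow", "10.0.0.0/8",     "10.20.0.0/24",  "tcp", (443, 443)),
    rule("R2", "deny",  "0.0.0.0/0",      "10.20.0.0/24"),
    rule("R3", "allow", "10.1.0.0/16",    "10.20.0.10/32", "tcp", (22, 22)),    # never fires: R2 denies it first
    rule("R4", "allow", "10.1.2.0/24",    "10.20.0.0/24",  "tcp", (443, 443)),  # already allowed by R1
    rule("R5", "allow", "192.168.0.0/16", "10.30.0.0/24",  "udp", (53, 53)),
]

if __name__ == "__main__":
    found_shadowed, found_redundant = analyze(SAMPLE_RULES)
    for later, earlier in found_shadowed:
        print(f"SHADOWED  {later} never matches: {earlier} covers it with a different action")
    for later, earlier in found_redundant:
        print(f"REDUNDANT {later} can be removed: {earlier} already takes the same action")
```

Run it as a script to see the two findings for the constructed policy. The same `covers` test is what a real policy analyzer applies pairwise; the piece deliberately left out, detecting a rule covered only by the union of several earlier rules, requires splitting address and port ranges and is where commercial tools earn their keep.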

Centralized policy management and visibility: this feature gives enterprises centralized visibility and control of network security policies across the whole network. Visibility extends to third-party network devices such as routers, switches and load balancers, and to the native controls of private and public cloud vendors. It is especially useful for hybrid networks because it also covers native policies in on-premises SDN and public IaaS platforms, so the network security team can manage and control microsegmentation policies across the network.

Automated change management: NSPM tools have a built-in change request system and can also integrate with third-party ITSM vendors such as ServiceNow. Change control is used to request new rules or changes to existing rules. Unauthorized or non-compliant paths can be highlighted before the NSPM tool approves or rejects a change. These tools also provide complete end-to-end automation for routine rules. Vendors also provide RESTful APIs for integration with other solutions such as SOAR automation; for example, a SOAR playbook can call the NSPM API to block a specific IP address at the firewall after an infection is detected, and the NSPM tool processes the request and records the change.

Topology mapping and path analysis: this feature builds a virtual map of the network and provides connectivity visibility and scenario modeling. Besides drawing the traffic map, it helps keep the connectivity and network security posture map up to date, which is otherwise hard to achieve. The feature has been extended to hybrid environments, providing mapping and visibility across private and public cloud environments, which makes it an important selection criterion for these tools.

Security policy review and compliance management/reporting: these tools ship with multiple built-in compliance profiles that alert when guidelines are violated. Users can create custom security guidelines according to their own standards. This helps keep all policies compliant and regularly reviewed, and makes external audits easier. The tools identify compliance gaps in real time and support workflows to correct rules that are in violation. An alert is generated on any compliance violation, in particular during new change requests, and users can pull compliance reports on demand for audit purposes.

Application discovery and connectivity management: NSPM tools provide application-level visibility into network security policies, so that change requests can be expressed in terms of applications rather than only IP addresses. Visibility into application usage helps identify active applications and decommission inactive ones. End-to-end application connectivity helps identify and change all network components involved in running an application (application servers, firewalls, load balancers) without breaking any connection. Some vendors also provide application migration workflows for migrating applications securely.

Vulnerability and risk assessment: the risk assessment feature lists risks and vulnerabilities in existing network security policies and configurations by priority. It also helps identify risks associated with new change requests before any change is approved. NSPM tools integrate with third-party vulnerability scanners to import results, make them part of the workflow and identify risks based on vulnerabilities. Some vendors provide more advanced capabilities here, performing ongoing risk and impact analysis by integrating with asset and patch management solutions and threat intelligence platforms. These vendors provide automated workflows to run scans and make changes based on risk, and risk-based ratings to facilitate impact analysis by security and risk management leaders.

Because NSPM tools provide a variety of functions, they can satisfy multiple business use cases. The key use cases are as follows.

Key use cases

1. Centralized management of multi-category / multi-vendor firewall rules

Ideally, the network security and operations team would deploy a single firewall brand to minimize management complexity and the chance of misconfiguration. In reality, every organization now has heterogeneous needs, and multiple firewall brands are already a fact in companies that:

Grow through mergers and acquisitions

Use cloud-native firewalls in public cloud or SDN environments

Roll out a new firewall brand in phases around the world

Have decentralized IT, in which firewall selection is made per business unit or geographic location

In these situations, the network security and operations team and the auditors face a complex set of rules, multiple administrative consoles and piecemeal firewall reports.

The NSPM concept was originally developed to meet this challenge. As firewall vendors gained market share, NSPM tools built the ability to understand and manage their policies uniformly. Using NSPM as the single source of management truth helps the network security team reduce complexity and clearly see potential configuration problems (see figure 2).

Figure 2. Centralized management interface for multi-category and multi-vendor firewalls

Source: Tufin

2. Visibility and management of network security policies across hybrid and multi-cloud environments

As networks grow into hybrid or multicloud environments, achieving visibility across these platforms becomes an increasingly serious challenge, making it almost impossible for network security operations teams to manage and maintain correct network security policies there. The network security team needs more visibility into, and control over, both native and third-party network security controls.

NSPM solutions provide visibility and centralized management of security devices such as firewalls and of cloud-native security configurations across multiple vendors. This simplifies management of security policy rules across the enterprise and reduces the security risk caused by misconfigured security devices. Vendors are extending this support to hybrid and public clouds to enable centralized management of policies and rule sets across all enterprise infrastructure environments (see figure 3).

Figure 3. Topology mapping across hybrid environments

Source: Skybox

3. Microsegmentation

Because they lack visibility into, and understanding of, network flows and connections across different applications and environments, network security operations teams often see microsegmentation as a challenge. At the same time, microsegmentation has become a key measure for mitigating the risks associated with east-west traffic. To implement and maintain microsegmentation successfully, the security team needs to understand all native and third-party controls on the network as well as the application connectivity map, and must also maintain compliance at multiple levels.

NSPM tools provide centralized visibility and control over different networks, third-party firewalls and application connectivity so that network security teams can apply microsegmentation while maintaining compliance. With support from the hybrid network team, the security team can centrally view and control the native policies of SDN and public cloud platforms without logging in to several different consoles. All changes are tracked and any violation is highlighted so it can be fixed without breaking the application. Although many different devices, networks and applications are involved, these functions work together to help enterprises maintain effective microsegmentation controls.

4. Continuous audit and compliance of security policy

Sensitive data and the associated security controls are increasingly dispersed across multiple environments and vendors. Regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) require companies to demonstrate compliance regularly. Without an automated way to verify compliance for auditors, the network security team must spend time manually checking and validating controls in multiple locations.

NSPM solutions provide a variety of off-the-shelf compliance profiles that alert when a policy violation occurs, or a dashboard that displays real-time compliance status. Creating custom security guidelines specific to enterprise policy is a feature that extends beyond the fixed generic compliance templates. For example, if a company is worried that sensitive data held in an on-premises storage segment could be reached from outside, it can create a custom compliance rule that detects any exposure of that segment to the public Internet (see figure 4).

Figure 4. Sample custom assessment report

Source: FireMon

5. Change management and automation of network security operations

Network security teams that use manual change procedures to update security policies often find responding to security events and following the change management process cumbersome and error-prone. Making changes quickly and safely is key to protecting the company's uptime while keeping the environment protected, so the change management system is one of the most important components of an NSPM tool.

NSPM vendors provide a built-in change control system that supports the entire change management lifecycle, allowing controlled changes and preventing unplanned downtime. Change control is used to request new rules or changes to existing rules. Once a request is made, the tool performs a traffic analysis and lists all hops (gateways, servers) affected by the change. The change management system examines the request, issues an alert if any standard is violated, and highlights any risk associated with the change. Once all alerts and risks have been resolved, the request is approved and implemented, which lets administrators push approved changes automatically within a narrow change window.

A change impact analysis can also be performed before a new change is implemented. This feature gives users a simulated environment in which to analyze the impact of a change before seeking further approval. It also lets users bypass the full approval process for routine daily rules that need no approval or risk analysis, so end-to-end automation can be implemented for selected rules (see figure 5).

Figure 5. Change Management Workflow

Source: Gartner (February 2019)
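To make the path analysis, the custom compliance rule and the pre-approval risk check concrete, here is an added example in Python; it is not code from the page or from any NSPM vendor. A change request asks for one flow to be allowed. The script walks a constructed topology to find which enforcement points the flow crosses and which of them currently deny it (the hops the change would have to touch), builds the proposed ruleset for those hops in simulation, and runs custom guardrails over it so that a request that would expose the sensitive zone to the Internet is rejected before anyone approves it. The zones, paths, rulesets, ticket names and addresses (including 203.0.113.5 as the Internet source) are all constructed assumptions.

```python
"""Pre-approval check for a firewall change request: hop-by-hop path analysis
plus custom compliance guardrails run over the simulated result.

Added example, not code from the page or from any NSPM vendor. Zones, paths,
rulesets and addresses below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # None = any port

    def matches(self, f: Flow) -> bool:
        return (f.src in self.src and f.dst in self.dst
                and self.proto in ("any", f.proto)
                and self.dport in (None, f.dport))


def flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), proto, dport)


def r(name: str, action: str, src: str, dst: str, proto: str = "any",
      dport: Optional[int] = None) -> Rule:
    return Rule(name, action, ip_network(src), ip_network(dst), proto, dport)


# Constructed environment: zones, the hops a flow crosses, and per-hop rules.
ZONES: Dict[str, IPv4Network] = {
    "corp": ip_network("10.1.0.0/16"),
    "dmz":  ip_network("10.10.0.0/24"),
    "pci":  ip_network("10.20.0.0/24"),   # the zone holding sensitive data
}
SENSITIVE_ZONES = {"pci"}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PATHS: Dict[Tuple[str, str], List[str]] = {   # (source zone, destination zone) -> hops
    ("internet", "dmz"): ["edge-fw"],
    ("internet", "pci"): ["edge-fw", "core-fw"],
    ("corp", "dmz"):     ["core-fw", "edge-fw"],
    ("corp", "pci"):     ["core-fw"],
}
HOPS: Dict[str, List[Rule]] = {   # first match wins; implicit deny at the end
    "edge-fw": [r("E1", "allow", "0.0.0.0/0", "10.10.0.0/24", "tcp", 443)],
    "core-fw": [r("C1", "allow", "10.1.0.0/16", "10.20.0.0/24", "tcp", 443),
                r("C2", "deny",  "0.0.0.0/0",   "10.20.0.0/24")],
}


def zone_of(ip: IPv4Address) -> str:
    return next((z for z, net in ZONES.items() if ip in net), "internet")


def is_internal(net: IPv4Network) -> bool:
    return any(net.subnet_of(p) for p in RFC1918)


def verdict(rules: List[Rule], f: Flow) -> str:
    return next((rule.action for rule in rules if rule.matches(f)), "deny")


def path_analysis(f: Flow) -> List[Tuple[str, str]]:
    """Hop-by-hop verdict along the flow's path; empty if no path is modelled."""
    path = PATHS.get((zone_of(f.src), zone_of(f.dst)), [])
    return [(h, verdict(HOPS[h], f)) for h in path]


def guardrails(hop: str, rules: List[Rule]) -> List[str]:
    """Custom compliance checks, the analogue of a user-defined NSPM compliance profile."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.src.prefixlen == 0 and rule.dst.prefixlen == 0 and rule.proto == "any":
            findings.append(f"{hop}/{rule.name}: any-to-any allow")
        if not is_internal(rule.src):
            for z in SENSITIVE_ZONES:
                if rule.dst.overlaps(ZONES[z]):
                    findings.append(f"{hop}/{rule.name}: non-RFC1918 source reaches sensitive zone '{z}'")
    return findings


def evaluate_change(ticket: str, f: Flow) -> dict:
    """Simulate the request (nothing is pushed) and decide approve / reject / no-op."""
    hops = path_analysis(f)
    touch = [h for h, v in hops if v == "deny"]          # hops that must change
    violations: List[str] = []
    for h in touch:
        proposed = r(f"{ticket}@{h}", "allow", f"{f.src}/32", f"{f.dst}/32", f.proto, f.dport)
        violations += guardrails(h, [proposed] + HOPS[h])   # evaluate the resulting policy
    decision = "reject" if violations else ("approve" if touch else "no-op")
    return {"path": hops, "touch": touch, "violations": violations, "decision": decision}


if __name__ == "__main__":
    for ticket, f in [("CHG-1", flow("10.1.5.20", "10.20.0.10", "tcp", 22)),
                      ("CHG-2", flow("203.0.113.5", "10.20.0.10", "tcp", 443))]:
        print(ticket, evaluate_change(ticket, f))
```

CHG-1 (a corporate host to the PCI zone on port 22) is blocked only at core-fw and passes the guardrails, so it would be approved with exactly one hop to change; CHG-2 (an Internet address to the PCI zone) would be rejected at both hops because the simulated allow rule exposes the sensitive zone. A request that the current policy already permits comes back as a no-op, which is the case a manual process most often misses. The RFC 1918 test is written out explicitly rather than relying on a library "is private" helper, because documentation ranges such as 203.0.113.0/24 are classified as non-global by some libraries and would otherwise be mistaken for internal sources.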

6. Migration

In 2019, data centers and networks are in a state of constant change. To improve efficiency and flexibility, organizations are adopting software-defined networking principles and moving workloads to public clouds, often to several of them. Migrating applications to the cloud or to another data center without disrupting application connectivity or opening security holes is a challenge. Continuous infrastructure evolution produces a chaotic network security policy environment in which network security and operations leaders scramble to keep firewall policies current and relevant.

NSPM solutions provide a way to attach policies to a specific application regardless of where that application resides. NSPM describes the application's flows before, during and after migration, ensuring that communication remains uninterrupted throughout. These solutions help plan, execute and track all phases of a migration project from a security and connectivity perspective, and after migration they help remove extraneous and legacy firewall rules.

7. Continuous network security risk analysis and vulnerability assessment

After a succession of security breaches and incidents, business executives and network security operations teams are constantly looking for risk-based ways to view their infrastructure and applications. With many technologies and multiple vulnerability scanners in play, risk analysis and correlation become more challenging.

NSPM tools provide risk-based analysis, including integration with third-party vulnerability scanners. Features such as real-time network vulnerability management and a centralized, risk-based dashboard help businesses keep abreast of the risks in their networks. A powerful feature of these products is impact analysis based on asset vulnerabilities before any change is approved or rejected.

8. Application connectivity management

Applications and their availability are critical to application-centric businesses, and application availability is critical to their business continuity. NSPM tools address this use case with application discovery and connectivity capabilities.

These tools provide automatic application discovery to detect the applications in use in the enterprise, and present real-time application connectivity details while keeping the connectivity diagram current. Business owners can raise application-based change requests, and network security operations teams can implement the changes while assessing the impact on application connectivity and compliance requirements. Application connectivity mapping also helps network security operations teams migrate applications across data centers and cloud platforms by analyzing the impact on application connectivity, thereby avoiding unexpected downtime (see figure 6). It also helps identify unused applications so they can be safely decommissioned from the network.

Figure 6. Application connectivity mapping

Source: AlgoSec

DevOps

Slow review and approval of application-driven security device policy changes is a major obstacle to DevOps teams reaching full speed. These processes can add weeks to a release cycle, while some advanced DevOps teams target a cycle time of less than an hour.

Some NSPM vendors support DevOps use cases by automating security assessment and enforcement, allowing development and security teams to collaborate and handle security checks automatically as part of the build pipeline. Vendors may offer native integration with build tools such as Jenkins or with automation tools such as Chef or Ansible. Support for third-party DevOps toolchains varies from one NSPM solution to another, but the APIs provided by NSPM vendors are usually available to DevOps teams. Security and DevOps teams need to evaluate carefully whether to automate traditional security controls in application development or instead adopt cloud-native security tooling such as cloud workload protection platforms (CWPP) and cloud security posture management (CSPM) solutions.

Adoption

Third-party network security policy management is a rapidly developing market. Multi-vendor firewall rule management is the most mature capability of these tools. With the growth of cloud applications, the tools are now adding visibility and management support for cloud platforms, which will further drive growth. Beyond network security policy management, maintaining compliance-based security policies and audit reporting is another primary use case. Gartner also sees network vulnerability assessment and risk analysis as emerging use cases driving adoption. Adoption drivers vary from one organization to another.

Risks

Adding NSPM tools to the solution portfolio is expensive for smaller security organizations.

Because these tools interact with multi-vendor devices and environments, including firewalls, routers, switches and private and public clouds, enterprises often face implementation and initial management issues if the tools are not deployed correctly.

Enterprises often fail to evaluate these products properly before purchase and end up facing integration problems with their existing network security devices and change management tools.

These tools are extending their support for visibility and control to hybrid environments, but support for private and public clouds is only extended to a limited number of providers with limited capabilities.

Without a clear security policy management implementation goal, network security operations leaders may overpurchase platform modules that do not immediately benefit their organization, so that some modules lie dormant while the organization pays for support.

Conversely, network security operations leaders who buy these solutions often underestimate the scope of their expected use cases, so the capacity purchased is too small. Some Gartner clients have multiple NSPM tools in-house, most used in limited ways and likely to become shelfware.

Vendors in this area are usually very good at supporting either operational use cases (for example, firewall policy management) or risk and vulnerability management use cases, but rarely both. This is disappointing for buyers who want the full range of features. Skipping a proof of concept (POC) before purchase can lead to unmet expectations and incomplete integration with many network security products.

Vendors provide limited support for Linux containers in both public and private clouds, whether on-premises or managed, including Amazon Elastic Container Service (ECS), Amazon Elastic Container Service for Kubernetes (EKS), AWS Fargate, Azure Kubernetes Service (AKS), Google Kubernetes Engine and Red Hat OpenShift.

Many features of these tools overlap with other network operations (NetOps) tools such as network configuration and change management (NCCM) tools and firewall management tools. NetOps teams in the same organization may already use tools with basic security capabilities that the SecOps team is unaware of, leading to duplicate purchases of tools with similar functionality.

Alternatives to network security policy management

Most established security vendors are expanding their support for hybrid environments, including vendors of firewalls, intrusion detection and prevention systems (IDPS), vulnerability scanning, SIEM, endpoint security and more. Customers with basic requirements for compliance, rule management and threat visibility are advised to talk to their existing solution providers first. For example, most firewall vendors provide centralized managers for managing multiple firewalls. Although these centralized managers do not provide all the functionality described in the definition and key use cases sections, they do provide centralized firewall rule management.

The following are examples of alternative vendors that provide some of the functionality and address some of the use cases described in the key use cases section:

Firewall vendor:

Check Point Software Technologies CloudGuard Dome9

Cisco Stealthwatch Cloud and Cisco Tetration

Fortinet Security Fabric

Juniper Networks Junos Space Security Director

Palo Alto Networks RedLock

Cloud security posture management (CSPM) vendors for native cloud controls:

CloudCheckr

Cloudvisory

Network Automation provider:

AppViewX

Nuage Networks from Nokia

Red Hat Ansible

Multicloud risk and vulnerability management vendors:

AlienVault

RedSeal

Tenable

Host-based microsegmentation vendors:

Alcide

Guardicore

Illumio

Recommendations

Security and risk management leaders responsible for network security operations should:

Identify the primary and initial use cases as the main requirements before shortlisting vendors. Read the benefits and uses section to determine which use cases best define your requirements.

If the primary goal is firewall policy management across private and hybrid networks, evaluate the capabilities of existing centralized firewall manager vendors, as they are also developing support for public clouds such as AWS and Azure.

Identify adjacent use cases and talk to the appropriate business leaders who can collaborate and evaluate these tools.

Avoid finalizing the purchase of any NSPM tool without a proper evaluation of the primary and adjacent use cases. Evaluation criteria must include support for the current firmware versions of your network security products.

Prepare a list of devices and tools in use in your environment based on your use case to check the integration capabilities provided by the NSPM vendor. This list should go beyond firewalls and routers, including vulnerability scanners, SOAR, ITSM, and DevOps tools.

If a hybrid network of private and public clouds is part of your current or future use cases, evaluate support for it carefully, because this is an evolving feature and the capabilities supported by NSPM vendors are limited.

Use the professional services offered by these vendors to achieve a stable implementation, and ensure that administrators and business stakeholders are fully trained on the tool so that all its features are used.

Before evaluating an NSPM solution for DevOps, verify that network security controls really are a bottleneck in the automated continuous integration / continuous delivery (CI/CD) pipeline. If they are not, do not weight these capabilities heavily. If security is the primary bottleneck, the security team needs to work closely with the DevOps team to understand the application's security requirements and determine whether NSPM tools can remove that limitation.

If you are a cost-conscious or small security team, you may find NSPM tools expensive; consider consolidating existing vendors rather than adding another vendor to an already complex security portfolio.
