And while IT organizations want to know what their risks are from the business perspective, most network vulnerability management systems do not offer that view.
“Critical business applications fuel today’s data centers, but security teams lack visibility on how security activities impact the business,” said Nimmy Reichenberg, vice president of marketing and business development at AlgoSec, which released the findings as part of its “Examining the Impact of Security Management on the Business” report.
Reichenberg added, “As a result, provisioning connectivity for data center applications is time-consuming, severely hampering business agility and increasing the risk of business disruptions and security breaches caused by errors in firewall configuration… and as our study shows, these challenges are magnified when migrating applications or entire data centers to the cloud.”
Also, whether it’s connectivity changes, outdated software, device misconfigurations or other factors, the vulnerabilities associated with business applications abound. Given the choice, nearly half of respondents in the survey (48%) want to view risk by business application; 30% want to see their exposure by network segment and 22% by server or device. With this type of visibility, security teams can more effectively communicate with business owners and enable them to “own the risk,” the report found.
But right now, most don’t have that capability. And as a result, the study found that cloud migration does not necessarily save labor time. For instance, firewall audits require increased man-hours – 74% of respondents said they spend more than one man-week on firewall audits per year and more than 46% spend more than two man-weeks per year on it, taking resources and time away from more strategic and valuable efforts of the business.
Also, half of the respondents said that they require more than five weeks to deploy a new data center application, while 25% require more than 11 weeks. That becomes significant when one considers the volume of cloud usage. More than 32% of respondents reported having more than 100 critical business applications in their data center, and 19% said they had more than 200 critical applications.
There are also “fast and furious application connectivity updates,” AlgoSec found, but they’re processed slowly. Nearly half of organizations (45%) have to manage more than 11 business application connectivity change requests every week, and 21% must manage more than 20 changes per week. That’s potentially a productivity-killing situation: 59% say it takes more than eight hours to process each application connectivity change request, with 31% saying it takes more than one business day per change.
Despite the significant amount of time spent managing changes, the majority of IT professionals (53%) reported that they have limited visibility into the impact that network security changes have on critical business applications. One in six noted that they have poor or very poor visibility, and another 37% characterized their visibility as only fair.
Further, it turns out that decommissioning data center applications is painful and even risky. When decommissioning applications in their data centers, 59% of respondents said they have to manually identify which firewall rules to change, while 15% leave the unnecessary access rules in place, creating security risks.
The lesson learned here is that businesses need to start prioritizing network vulnerabilities by business application, AlgoSec concluded, in order to introduce more streamlined risk management processes. “The current approach to managing security policies and devices is not in alignment with what the business requires,” reads the report. “In order to improve both security and agility, security professionals must have the visibility to understand the impact of policies on business applications and then be able to communicate with business owners. The rapid growth of critical applications in data centers creates significant challenges as the length of time required to deploy new applications and/or update existing ones impacts the organizational agility and productivity those applications are presumably designed to enhance.”