Enterprise applications management drives significant firewall risks

Tufin found that 55% of respondents have more than 50 mission-critical enterprise applications deployed across their organization; about one third have more than 100

Enterprise application connectivity needs are creating a significant new risk vector for businesses, according to new research from security policy vendor Tufin Technologies.

One business end user describes the issue: “While we had to ensure that our security policy was implemented without compromise, applications were, and still are, the lifeblood of our organization,” said Christoph Littwin, head of telecommunications at SIX Group (a Tufin customer). “Our firewall team was continuously being challenged by the ever-increasing risk of attacks and they needed advanced tools to detect and mitigate the risks.”

However, Tufin found that few businesses actually have effective processes and tools in place to account for this shift, and almost one fifth don’t have any processes in place for managing enterprise application connectivity-related firewall data at all.

The issue starts with the sheer volume of applications found in a typical business. In its survey of 140 network security professionals, Tufin found that 55% of respondents have more than 50 mission-critical enterprise applications deployed across their organization; about one third have more than 100. The volume is steadily increasing as well: 41% deploy at least one new application each week and 31% do so each month; 71% onboard at least one new user to an existing application each week.

Unsurprisingly, almost 90% say that more than 50% of their organizations' firewall changes are application-related. The survey also demonstrates that businesses are largely not prepared for the management – and therefore security – ramifications of that reality.

Too much management overhead drives security risks if an IT department can't keep up. Yet, 60% of respondents said that they manage connectivity requirements across three or more network security consoles – a swivel-chair process that contributes to the likelihood of human error. About 37% keep track of application connectivity requirements by inserting comments into the firewall rule base, subjecting the organization to procedural inefficiencies. But worst of all, 16% don’t keep track of application connectivity requirements at all. A full 64% said that they experience application service disruptions due to network configuration changes, as often as 10 times per year.

The result of all of this? Application owners, after defining the applications’ connectivity requirements, are left with limited visibility, the survey found. The firewall policy is now defined by the application connectivity policy, creating a bottom-up rather than top-down approach.

To boot, 54% may have opened ports not required for applications, exposing the organization to potential compliance violations and security breaches. A full one-third actually said that they believe their organization may have had a security breach due to an application-related rule change, and 54% lack confidence that their security team’s processes fully address the related compliance and security exposure.

“This survey supports our belief that application connectivity management is the next frontier of firewall management,” said Ruvi Kitov, CEO and co-founder at Tufin.
