Caught in the Middle? Minimising Network Migration Risks


Firms are increasingly falling foul of security holes and downtime as they struggle to shift applications onto the cloud and other modern platforms. Reuven Harrison, CTO of Tufin, believes careful network planning and security policy orchestration can ease their pains

Businesses seeking to migrate systems to more flexible, modern platforms, or consolidate data centers following mergers and acquisitions, often face an uphill struggle.

A key reason is that today’s heterogeneous networks are extraordinarily complex. It is very difficult to understand how all the elements across the various layers of an IT infrastructure interact with one another. When moving a workload between, say, physical and cloud-based parts of the data center, you not only have to enable the right connectivity through the security controls in the path, but you must do so without introducing new exposure or breaching compliance requirements.

Data center migration projects typically raise three main challenges: keeping business-critical applications running smoothly; minimizing disruption to the business; and ensuring systems remain secure and compliant.

Making a change to the network during a migration can have numerous effects across sprawling networks and IT estates – requiring many configuration changes to firewalls, cloud security groups and other security controls. This can be a tough ride for security, network and cloud teams.

While virtualization and software-defined environments promise to ease many of these challenges, they also add to the complexity of the network and require the different teams to adopt the right set of tools and procedures to cope with these activities. To ensure changes don’t open up security holes or cause applications to stop working unexpectedly, it’s crucial IT teams have a thorough understanding of their application connectivity map. Failure to do this increases the risk of unplanned downtime and security breaches.

To further complicate matters, businesses also need to record every change to meet the stipulations of compliance regimes such as PCI DSS, which require enterprises to keep details of configuration changes to firewalls and other security controls. Yet many still rely on spreadsheets for this, so IT teams end up manually reconstructing what they changed during a migration in time for the next audit. The result is an incomplete audit trail, not to mention very stressed network and security teams in the run-up to an audit.


Adopting the right tools is essential. Among today’s security buzzwords, orchestration looms large. Many vendors (including the likes of Check Point, VMware and Cisco) extol its virtues: enabling different security tools to talk to one another without manual intervention. However, their focus is on orchestrating the systems that detect and prevent malware and intrusions, prevent data loss, identify potential threats and so on. What has been missing is the higher-level orchestration that lets a business monitor, control and automate the implementation of an organization-wide security policy across the entirety of its systems and networks.

The answer here is network security policy orchestration tools. These provide a holistic view of the entire heterogeneous environment through a single ‘pane of glass’, greatly easing security change design, implementation and tracking for audit purposes. Trying to identify and manage all the necessary configuration changes manually simply isn’t feasible, and often results in people making mistakes or cutting corners in order to get things up and running quickly to keep the business happy. But with security policy orchestration, network security teams not only have a way to monitor and control changes centrally, but can also automate all the necessary configuration changes in line with a company’s individual security and compliance policies.
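As an added illustration of what the connectivity map, the policy check on proposed changes and the audit trail described above amount to in practice, the script below models a workload moving from an on-premises DMZ to a cloud subnet. It is example code written for this page, not Tufin's product or the author's own material: the zone model, the segmentation policy (no direct internet path into the cardholder zone; rules into that zone must name one host and one port) and the rules and flows are all constructed assumptions.

```python
"""Connectivity-map check for a workload migration (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, asdict
from ipaddress import ip_network
import json


@dataclass(frozen=True)
class Flow:
    """One edge of the application connectivity map (src/dst are CIDRs)."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """A firewall / security-group rule. port None means any port."""
    src: str
    dst: str
    port: int | None
    proto: str
    action: str  # "allow" or "deny"


# Hypothetical zone model: the most specific prefix containing an address wins.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.10.0.0/16"),
    "cardholder": ip_network("10.20.0.0/16"),
    "cloud-app": ip_network("10.100.0.0/16"),
}
# Assumed segmentation policy: no direct internet path into the cardholder zone.
FORBIDDEN_PAIRS = {("internet", "cardholder")}


def zone_of(cidr: str) -> str:
    net = ip_network(cidr)
    return max((z for z, n in ZONES.items() if net.subnet_of(n)),
               key=lambda z: ZONES[z].prefixlen)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (ip_network(flow.src).subnet_of(ip_network(rule.src))
            and ip_network(flow.dst).subnet_of(ip_network(rule.dst))
            and rule.proto in (flow.proto, "any")
            and rule.port in (flow.port, None))


def is_permitted(rules: list[Rule], flow: Flow) -> bool:
    """First matching rule decides; no match means deny (firewall default)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action == "allow"
    return False


def check_policy(rule: Rule) -> list[str]:
    """Reasons a change request for this rule would be rejected."""
    if rule.action != "allow":
        return []
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    problems = []
    if (src_zone, dst_zone) in FORBIDDEN_PAIRS:
        problems.append(f"{src_zone} -> {dst_zone} is forbidden by segmentation policy")
    if dst_zone == "cardholder" and (ip_network(rule.dst).prefixlen < 32 or rule.port is None):
        problems.append("rules into cardholder must be host- and port-specific")
    return problems


def plan_migration(rules: list[Rule], app_flows: list[Flow]) -> dict:
    """Rules to add for flows the map requires, allow rules no flow still uses,
    policy violations among the additions, and an audit trail of both."""
    add, audit, violations = [], [], {}
    for flow in app_flows:
        if not is_permitted(rules, flow):
            new = Rule(flow.src, flow.dst, flow.port, flow.proto, "allow")
            add.append(new)
            audit.append({"action": "add", "rule": asdict(new),
                          "reason": f"required flow {asdict(flow)}"})
            if problems := check_policy(new):
                violations[f"{new.src}->{new.dst}:{new.port}"] = problems
    # Allow rules matched by no flow in the map (e.g. the decommissioned source).
    # Only trustworthy if the map is complete, which is exactly why it matters.
    remove = [r for r in rules if r.action == "allow"
              and not any(rule_matches(r, f) for f in app_flows)]
    for old in remove:
        audit.append({"action": "remove", "rule": asdict(old),
                      "reason": "no application flow uses it after migration"})
    return {"add": add, "remove": remove, "violations": violations, "audit": audit}


def audit_log(plan: dict) -> str:
    """The change record as JSON lines, one entry per rule added or removed."""
    return "\n".join(json.dumps(entry) for entry in plan["audit"])


# Constructed scenario: the payments web tier (10.10.1.5) moves to the cloud
# (10.100.1.5); the database (10.20.1.10) stays in the cardholder zone.
RULES_BEFORE = [
    Rule("10.10.1.5/32", "10.20.1.10/32", 5432, "tcp", "allow"),  # old web -> db
    Rule("0.0.0.0/0", "10.10.1.5/32", 443, "tcp", "allow"),       # internet -> old web
]
FLOWS_AFTER = [
    Flow("10.100.1.5/32", "10.20.1.10/32", 5432),  # new web -> db
    Flow("0.0.0.0/0", "10.100.1.5/32", 443),       # internet -> new web
]
# The corner a rushed team might cut to "just make it work".
SHORTCUT = Rule("0.0.0.0/0", "10.20.0.0/16", None, "any", "allow")

if __name__ == "__main__":
    plan = plan_migration(RULES_BEFORE, FLOWS_AFTER)
    print(audit_log(plan))
    print("violations:", plan["violations"])
    print("shortcut rejected for:", check_policy(SHORTCUT))
```

Run as-is, the plan adds two host-specific allow rules for the relocated web tier, marks both rules that served the old address as stale (the second of these, the internet-facing one, is what gets forgotten when records live in a spreadsheet), finds no policy violation in the additions, and rejects the broad shortcut rule on both counts. The stale-rule step is only as good as the connectivity map feeding it, which is the practical reason the map has to be complete before the change window opens.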

Tools alone are not a universal remedy, of course, but when combined with the effective planning outlined above, businesses can be far more confident of avoiding being stuck in the middle of migration headaches.

About the Author

Reuven Harrison is CTO and Co-Founder of Tufin. He led all development efforts during the company’s initial fast-paced growth period, and is focused on Tufin’s product leadership. Reuven is responsible for the company’s future vision, product innovation and market strategy.
