Applying Automation to Rule Recertification

This guest blog was contributed by Ruvi Kitov, CEO and co-founder, Tufin


Reviewing firewall rules and ensuring they’re still accurate, still needed, still effective and not in conflict with any other rules is critically important to secure your organization. Rule recertification - and related security policy reviews - should take place - at a bare minimum - each and every year, on a schedule, but the reality of the situation is that’s not often the reality many companies are dealing with.



As more and more aspects of your organization’s security become automated, there are some benefits to automating this annual review as well - but it needs to be set up and managed correctly in order to work properly both for the present - and the future.



Another Tedious Task


Historically, firewall rule review and re-certification has been a manual, time-consuming, often thankless task. To manually review rules correctly, you’d need to coordinate knowledge, capabilities, access and permissions across multiple teams, including those responsible for provisioning and managing rules, those that manage security and those who understand if the rules are needed and have the ability to provide approval.

With this in mind, there are a few challenges that must be addressed as a part of the rule review process:

  • Visibility: It is critical to understand which rules and policies need to be updated and retained, and which ones can be disabled or removed. You have to be sure of what effect removing a rule will have on the rest of your environment. Will removing or decertifying a rule then break a valid connection needed for an application or a service? What’s the business justification for a particular rule? Have some rules become fully shadowed, redundant or simply unused? You need to see the whole picture to be sure there are no unintended consequences to the changes being made.

  • Responsibility: Far too much time is spent trying to determine who is responsible for a particular rule. Oftentimes, the creator/owner is unknown, or has moved on to another division, or left the company altogether. Network admins can also waste time trying to determine who to assign a rule review to, as the rule could be associated with several owners, and no one wants to claim (or relinquish) ultimate authority. This can be particularly difficult when it comes to the cloud as management of security policies may be owned by a different group or department completely.

  • Lifecycle: What should the proper lifecycle of a firewall rule? Does it need an expiration date? Rules should be reviewed on a scheduled basis, and either retained due to business or compliance requirements, or removed as access is no longer needed. When a rule’s lifecycle is orchestrated from creation to removal, you can rest easy that access policies are only in place for as long as needed. To do this properly, you need to work with the rule owner to determine the duration needed for access.


It’s easy to see why rule recertification has often been moved to the bottom of the to-do list, and sometimes passed over for the sake of time and other priorities. But putting off rule recertification goes against the least privilege principle of security, which says you should only allow access that is needed by the business, and compliant with your policy.


Easing the Burden with Automation


Rule review and recertification not only requires a massive amount of coordination, but without an official process in place - there is the possibility of blind spots rearing their ugly heads. A manual process with ambiguity in rule ownership almost guarantees it.


That’s why automating the rule review and recertification process makes sense.


With automation, network administrators can easily map business owners to rules and orchestrate the rule review process across the organization, effectively eliminating many of the manual steps usually required for such a complex process. That said, there are several key functions you will want to be sure are a part of your security automation system in order to be successful:


  • A configurable model for rule review - With a configurable model, parameters can be set as needed for certification, including pre-scheduled notifications about expired rules, how many days in advance you would like to send notification to rule owners, how long the renewal process should take, if the decertification process should be implemented automatically or not, and more.

  • Ability to identify inactive owners for reassignment - Automation can help solve one of the biggest headaches of the entire process - determining which rules no longer have active owners, and need to be reassigned. It can also help suggest who the new owners should be based on preset logic.

  • Orchestrates certification across rule owners - Automation can guide the orchestrated review of rules by automatically assigning an owner or multiple owners to rules, initiating and implementing an automated process for certification and decertification, monitoring progress, setting alerts, and complying with multiple regulation and security mandates.

  • Automates recertification, rule changes, and documentation - Certification requests can be automatically routed to the rule’s owner for recertification or decertification action, eliminating the need to manually track down owners and push them for approval.

  • Maintains a consistent audit trail of certifications - Reporting and documentation are critically important to prove ownership and compliance, and to enable continuous improvement of your process. A recertification dashboard can be automatically created to help a network owner track and measure progress.


In addition, by automating the entire rule review process, you can schedule needed reviews at regular intervals, in accordance with best practices and to meet any compliance mandates. For example, PCI-DSS and ECB/PSDII require rule recertification every six months.


A Stronger, Safer Process


There are several issues that can arise if rule review and recertification is left to manual processes or skipped altogether. When there are gaps in rule ownership, or rules left active years after they should have been decertified, you open your organization up to security breaches or operational issues. Either of these could have a critically damaging effect on your business.


Embracing automation can help your organization reduce the likelihood of breaches, while ensuring regulated environments allow only certified access while maintaining compliance and avoiding fines. Gaps in rule ownership can be easily solved instead of forcing a lengthy, manual process of determining who is responsible for approving a change or decertification.


Automating the entire rule review process can eliminate yet another repetitive, mundane task from your team’s to-do list, giving them time to work on more important tasks and ensuring that a thankless, often skipped responsibility does not end up causing irreparable damage.


###