This article was originally published in Professional Security Magazine Online.
The technology behind network security is evolving all the time, with years of enhancements and continuous intelligence added to security technologies such as firewalls. All this is designed to improve processes and minimize the risk of human error impacting businesses. However, there is one element that limits the effectiveness of the security in any business – the IT manager.
A recent firewall survey indicated that 80 percent of companies do not know what all of their firewall rules do. I suggest this is because IT or security managers just cannot easily work with the added complexity of today’s technology. Where there is a human involved, there is room for human error. This is not a reflection of the intelligence or expertise of IT managers – they are limited by the capabilities of the human brain.
The complexity of firewalls lies in the number of rules and correlation between rulesets. There is a limit to the amount of information that the human brain can digest at once. This means that when an IT manager looks at the management console on his/her computer screen, he or she can only process around 25 rows of rules, when some companies have around 500 rows of rules that are in use at any given time. We can all relate to this, as everyone has experienced an information overload at one time or another, but something needs to be done to stop this affecting business.
Security rules and profile rulesets are common in organisations to keep their staff and IT systems safe, both now and in the future. As you can imagine, the higher number of firewall rules a company has, the higher the chance of mis-configuration due to human error. This is because it is extremely difficult for the IT manager running the firewall to keep a clear overview of the organisation’s security or easily notice conflicting rulesets. It is unsurprising that over 55 percent of companies have had a security gap because of a mis-configured firewall rule, with half of those cases resulting in system downtime.
500 rules and growing
Even if the current rules are working and providing high security levels, there is no guarantee that it will continue to stay this way in the future. However, restricting the number of rulesets is not the way forward. Market dynamics and business requirements change continuously, so there is no way to hold back on adding and changing security rules and settings. Therefore, it is very likely that the number of rules that an IT manager has to contend with will continue to grow.
The industry needs to step up and come up with an answer to this mismatch between human brain capabilities and the amount of information that technology is providing. For example, when someone studies for a test, they are unable to absorb all the information in a textbook. The solution, for most people, is to take notes, condensing the most important information down into a few key points so the brain can easily absorb it. This is what security technology needs to do for its users.
Developing new security technology has always been a high priority for the industry, but the protection that this technology can offer is limited if it is vulnerable to human error. Ease of use needs to be as high a priority as innovation, in order for organisations to ensure that their technology is working as effectively as it can. The key is a management console that provides a clear overview of the security rules that have been put in place, and flags the conflicting configurations. This will create and maintain an environment that protects and secures businesses in the best possible way.
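The kind of automated check a management console can run is illustrated below: an added example (not from the article or any vendor's product) that walks a first-match ruleset and flags rules that an earlier rule already fully covers, reporting a conflict when the actions differ and a redundancy when they agree. The ruleset is constructed for the example; the rule fields are an assumed simplification of a real firewall policy.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp" or "any"
    src: str       # source CIDR
    dst: str       # destination CIDR
    ports: tuple   # (low, high) inclusive destination port range


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by rule b is also matched by rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    src_ok = ip_network(b.src).subnet_of(ip_network(a.src))
    dst_ok = ip_network(b.dst).subnet_of(ip_network(a.dst))
    ports_ok = a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok


def find_shadowed(rules):
    """First-match semantics: a rule is shadowed when an earlier rule covers
    all of its traffic, so it can never fire. Returns (shadowed, earlier,
    kind): 'conflict' if the actions differ (a misconfiguration worth
    flagging), 'redundant' if they agree (dead rule adding review load)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "conflict" if earlier.action != later.action else "redundant"
                findings.append((later.name, earlier.name, kind))
                break
    return findings


# Constructed sample ruleset (not taken from any real firewall)
SAMPLE_RULES = [
    Rule("R1", "allow", "tcp", "10.0.0.0/8",  "192.168.1.0/24",  (443, 443)),
    Rule("R2", "deny",  "any", "0.0.0.0/0",   "192.168.1.0/24",  (1, 65535)),
    Rule("R3", "allow", "tcp", "10.1.0.0/16", "192.168.1.10/32", (22, 22)),   # never fires: R2 denies first
    Rule("R4", "allow", "tcp", "10.2.0.0/16", "192.168.1.0/24",  (443, 443)), # already allowed by R1
    Rule("R5", "allow", "udp", "10.0.0.0/8",  "192.168.2.0/24",  (53, 53)),   # reachable, no finding
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{shadowed} is {kind}: fully covered by earlier rule {by}")
```

On the sample, R3 is reported as a conflict with R2 and R4 as redundant given R1; the remaining rules are left alone, which is exactly the condensed list a reviewer wants instead of the full table.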
Connect with Klaus on LinkedIn at http://at.linkedin.com/in/kgheri.