(Introducing the 5 Laws of Unintended Change Requests) WHEN FIREWALLS GO WRONG

When Firewalls Go Wrong (r) - ACSN Ltd -


SMALL CHANGES, BIG EFFECTS

Chaos theory describes how a relatively small event (like a butterfly flapping its wings) can begin a chain reaction that has a huge final impact (like a hurricane hitting the Caribbean). Now chances are, you don’t have to deal with too many hurricanes. But what if it’s not a flap of a butterfly’s wings but a small change to your firewall – a change which could have an equally huge impact, compromising your business’s entire security?

How can a small change to your firewall lead to major disaster? After all, a firewall is a relatively simple thing – it lets some data through while locking other data out. It protects you from certain threats – content related, application related and possibly even viruses and other threats.

CHANGE IS NOT ALWAYS A GOOD THING

Your business is not a static system. As your needs change so will your IT security requirements. You might want to integrate new systems, counter specific threats or make configuration changes to your wider network. However, it’s precisely when you make these changes that things can begin to go wrong.

Sometimes these issues can be minor – your firewall could suddenly block a site that people need to access in order to do their jobs. Sometimes it’s far more serious, like losing all Internet connectivity. Or even worse, exposing you to a major security breach.

PUT THE FIRE OUT BEFORE IT STARTS

Fortunately, a change to your firewall configuration doesn’t have to be an open door to trouble. In this guide we’re going to look at five of the most common reasons why small changes can lead to big problems and give you our key lessons on how to avoid them.

The 5 Laws of Unintended Change Requests (and what they mean for your business) 2

LAW #1: ROBOTS ARE BAD FOR YOUR BUSINESS

The first law is all about process. Say your business needs to make a change to its firewall. Unfortunately, when the request is made, it’s implemented in an automatic, robotic way. No thought is given to the wider picture of your network. And the result? Well, in our experience these changes fail far, far too often.

DOING VERSUS THINKING

At a core level there is a big difference between a prescriptive request to connect port X with port Y and a business request that needs to translate into technology.

Prescriptive requests tend to go wrong through simple human error. This can either relate to an incorrect request (port X and port Y were never meant to be connected in the first place) or in the execution (port X was connected to port Z). The result? Suddenly your firewall isn’t doing what it’s supposed to.

Business-level requests, however, tend to go wrong when the right questions aren’t asked, when no one sufficiently understands the wider business implications a change to your firewall may have.

THINKING BEYOND THE FIREWALL

To get things right, the people involved need to take a more holistic view of your firewall’s place in your wider network and security infrastructure. And they must be able to analyse requests and see how they map onto your technology.

An ill-considered change is a recipe for potentially far-reaching problems – from unscheduled downtime to increased vulnerability. And even when the analysis is correct, it still requires the change being signed off by the right people and executed correctly. Ultimately, it pays for everyone involved to take a more considered approach.

KEY LESSON #1: UNCONSIDERED CHANGES = UNFORESEEN PROBLEMS

LAW #2: DON’T CONFUSE CONNECTIVITY WITH INFORMATION SECURITY

If the first law is about process, the second is about philosophy. It addresses the problem of ‘telecoms thinking’. Telecoms companies tend to treat all security challenges as infrastructure issues. It either works or it doesn’t – i.e. the ports are either connected or they’re not.

If only life was so simple. Their answer to your problems? They’ll keep plugging away, hoping to get it right – after all, you’re just one of their many clients.

But it’s a huge deal to you. Your business could be damaged and so could your reputation.

THE IMPORTANCE OF THE BIG DATA PICTURE

What telecoms thinking doesn’t do is understand the wider impact of how data moves around your security infrastructure (and what happens when it doesn’t).

It means telecoms providers rarely think beyond individual infrastructure components.

Their blinkers are on and you need more than that. You need a holistic view of the problem. So if your managed security provider can’t think beyond connectivity, you should start thinking beyond your managed security partner.

KEY LESSON #2: GET THE RIGHT THINKING, RIGHT FROM THE START

LAW #3: SERVICE IS ABOUT PEOPLE, NOT JOB TICKETS

So, disaster’s struck. There is something wrong with your firewall and it’s having major implications for your business. The pressure is on and you’re on the phone (on hold) as you wait for an engineer to get on the case.

Time is of the essence. A job ticket gets raised. Hours pass. Most providers promise to respond to (not fix) a problem in 4 hours. After which you may get a call (or not) or things may suddenly start working (or not).

Even when they do get fixed, you’re often left out of the picture about what actually went wrong. And just as suddenly things may stop working again.

“IT’S NOT OUR PROBLEM”

Even more frustrating is the response: “We can’t see the problem”, leaving you hanging as they suggest you try one of the other vendors in your security jigsaw. Pretty soon no one knows what’s going on, no one is getting back to you and you’re left staring into your coffee contemplating a career change. Sound familiar?

THERE HAS TO BE A BETTER WAY

What you need is someone who looks at the whole picture. Someone who knows firewalls are often the canary in the coalmine – the first thing to highlight something’s wrong, like a switch being offline. Someone who understands the implications of this and how it could lead to a possible hurricane of bad things like lost revenue and a damaged reputation.

THE RIGHT PARTNER MEANS THE RIGHT RESPONSE

A core part of any managed security service should involve an early warning system, whether the problem is with the kit your provider manages or the kit that’s attached to it. Of course, to do this, the provider needs to understand the context of your firewall within your overall business. For example, we regularly alert our customers when we see some of their equipment beginning to drop packets – because with early warning and early intervention a small problem needn’t develop into a major crisis. Works for us. Works for them.

Your support engineers should also be fully briefed on your network in advance of any issue (not flicking through your manual as you speak frantically to them in a crisis). They need to be absolutely focused on sorting your problems out with a direct line to the people at the vendors who matter. Simply, they need to care (that’s not too much to ask, is it?).

KEY LESSON #3: DO YOU KNOW YOUR SUPPORT ENGINEERS BY NAME? YOU SHOULD

LAW #4: YOU NEED SPEED

A fast response should be obvious when things go wrong and need to be fixed quickly. You need to be able to get through to the right person, the one who can make a difference, immediately.

In this scenario a 5-day change request window is of no use to anyone. And while your fix may take just minutes, waiting 4 hours just for a response from your security vendor is simply unacceptable.

At the very least, you need to be able to roll back to a stable, secure state and do it fast.

THE SLIPPERY SLOPE OF SUPPORT

For many telecoms companies, support is an expense. They’d rather you not call them (the irony) so their websites are designed to fob you off, sliding you from FAQs to web portals to anywhere but the phone and direct human contact.

The cost to you of this delay in terms of security vulnerabilities and lost productivity across your organisation can be huge. And if you’re not a top 10 customer, chances are you won’t get the attention you need, even though for you all infrastructure is critical infrastructure.

GET REAL SUPPORT NOT REAL EXCUSES

Today, a rapid professional response to any firewall issue is fundamental to your business success. You can’t afford to wait. This is why we’ll typically have someone logged on to a customer’s system, beginning to deal with any issue in around 10 minutes.

KEY LESSON #4: WHEN THINGS GO WRONG, EVERY SECOND COUNTS

LAW #5: ON BALANCE, CHECKS AND BALANCES MATTER

Anyone with the right credentials can make a firewall change. It’s another thing to ensure it’s done right and another thing entirely to clearly show an auditor it was done in the right way. If you’ve only got one person managing your firewalls, how do you know they are making the right changes in the right way?

TWO HEADS ARE BETTER THAN ONE

It’s always better to have dual control. The person requesting the change should not be the person implementing it. That way no wires get crossed (literally or metaphorically). In fact, if you’re in a particularly risk-focused industry you may want multiple people involved in any single change.

Every change should always have formal, documented approval and you should be able to quickly and easily see who asked for what, why they asked for it and what happened as a result.

YOU NEED TO LOOK BACK TO GO FORWARD

Before a change is made to your security infrastructure, a backup copy should be made of the existing configuration and stored securely so you can roll back if required. Auditors are likely to demand you are able to de-journal, working back through change requests, auditing the entire process. And you and your security partner should also understand the relevant regulations and standards that apply to your business (e.g. ISO 27001, PCI DSS, Sarbanes-Oxley etc). Even regulations that are not specifically IT-focused can have significant repercussions for how you manage your firewalls and other security infrastructure.

WHAT YOU SEE IS WHAT YOU GET (AND SO IT SHOULD BE)

A good managed service needs to be highly auditable: you should be able to see who is responsible for every aspect of your firewall security. This should be hard-wired into your agreement with your managed security partner. Watch out for ‘get out of jail free’ clauses in your contracts – a formal audit is no time for unwelcome surprises in the fine print.

KEY LESSON #5: THE ANSWERS LIE IN RECORDING THE DETAILS

SEEING THE BIGGER PICTURE ON FIREWALL CHANGE REQUESTS

Firewalls are like the brakes on your car. They are there, but you don’t often think about them too much. But that doesn’t mean they are not vital to both your business’s security and your people’s ability to get their work done.

Like your car’s brakes, you’ll tend to assume your firewall is working until it isn’t. And then it becomes an all-consuming issue.

GOING BEYOND THE FIREWALL

To prevent change requests causing chaos in your business, you need to think beyond the firewall.

This means understanding that small changes have the potential to cause significant knock-on effects. It means your managed firewall partner needs to be more than a large (uninvolved) telecoms business.

Your partner must have an in-depth understanding of your security infrastructure before they OK a single change or patch a single cable – even if it’s something you’ve asked them to do. They also need to be able to act super-fast when there is a problem.

Finger pointing, endless hold music and wasted time are simply not options.

Because with the right managed security partner you can relax knowing your firewall is in good hands and get on with more important things – like driving your business forward.


ABOUT ACSN: THINKING BEYOND THE FIREWALL

Few things in life are certain, especially in IT. One, of course, is change – nothing stands still. Ever. Another? Security matters. A lot. Threats are everywhere, they’re evolving all the time and have the power to totally ruin your day.

The real problem comes when you combine change and security – say, in a change request on one of your firewalls. A change request that’s simply implemented by your managed security provider. One that doesn’t take into account your wider network infrastructure. Pretty soon you can be at the sticky end of a series of unforeseen events that can have an impact across multiple teams and departments. And that’s bad.

Of course, if you partnered with ACSN, this wouldn’t be a problem. Unlike many providers, security is all we do. So with ACSN, you’ll be dealing with a different breed of security expert. You’ll speak to someone who understands your network infrastructure inside out and upside down.

So before they make a change to any individual firewall, they’ll first make sure it won’t have an unforeseen effect on your other systems.

And when you do need help, you’ll get straight through to someone who can start doing something about it right away (not someone in a far-flung call centre who seems dedicated to letting you enjoy the full range of their hold music). In fact, on average, we can have someone logged in and fixing your problem in under 10 minutes.

If it’s time you rethought your managed security, we should talk. Call us on +44 (0) 845 519 2946 or email us at [email protected]
