Operational Cost, Security-Related Risk: Quantifying the Value of Network Security Policy Management


Manual management of network security policies, rules, and configurations is time-consuming and error-prone, which adds operational cost and increases security-related risks—especially as your IT infrastructure grows more complex. Aberdeen’s analysis quantifies the value of a policy management solution, in both dimensions.

How Your Network Security Policies Are Managed Affects Both Operational Cost and Security-Related Risk

Your organization’s network firewall infrastructure is probably not viewed as the shiniest new tool in its cybersecurity toolbox. Important, yes, but perhaps somewhat taken for granted—after all, it has been roughly 30 years since the first commercial network firewalls were introduced. For this reason, it may not be well understood that how your network security policies are managed significantly affects both your operational cost and your security-related risk.

To illustrate this point: in an analysis of more than 13,000 network firewall installations, Aberdeen discovered a surprising degree of complexity. Nearly half (46%) of all enterprises in this market snapshot are characterized by multiple sites and/or multiple firewall vendors. In turn, each of these has numerous security policies, rules, and configurations that must be established, implemented, and maintained over time. This complexity can have serious consequences, including:

    • Network security policies and rules may be conflicting, out of date, redundant, or the result of ad hoc decisions that bypassed the normal approval process. 
    • Policy configurations may be incorrect or out of date, whether from unapplied patches and updates or from routine human error.

Adding to the above is the complexity of evolving deployment models for an organization’s business-critical application workloads. Over the past few years, these workloads are increasingly executed on whichever computing infrastructure best addresses the organization’s current requirements for performance, reliability, cost, geographic location, trust level, security, and compliance. On the plus side, these trends have led to tremendous agility for the business—but also to a complex, hybrid mix of enterprise-managed infrastructure (i.e., on-premises) and cloud service providers.

If network security policies are managed manually (or with multiple, inconsistent tools), the complexity of multiple sites, vendors, devices, policies, rules, configurations, and application deployment models has a ripple effect on both operational cost and security-related risk:

  • Operational cost: Increased complexity corresponds to a non-linear increase in the operational cost of managing network security policies, rules, and configurations throughout the enterprise, based on the longer time it takes to review, check, approve, implement, test, and validate these adds or changes. Simply put, complexity requires more time and more technical staff.
  • Security-related risks: In turn, greater complexity contributes to an increased likelihood of inconsistencies, errors, and omissions in these management tasks—which increases the number of threats and vulnerabilities that are relevant to the organization’s network infrastructure and network-dependent resources. Simply put, complexity increases the likelihood that these vulnerabilities may be successfully exploited, along with the corresponding business impact.

In this context, automation of the workflows for network security configuration changes and policy updates is increasingly essential, and is designed to provide a high level of assurance that these important tasks are accurately and consistently carried out. In addition, leading security policy management solutions provide continuous, real-time visibility into the actual policies, rules, and configurations that are currently in place throughout your network security infrastructure, and ensure the necessary integration with a wide range of network firewall products and application deployment models.

Quantifying the Cost and Security-Related Risk of Managing Your Network Security Policies Manually

To quantify the operational cost and security-related risk of managing network security policies manually (or with multiple, inconsistent tools), Aberdeen has developed a straightforward Monte Carlo model using the standard functionality of Microsoft Excel. The model can also be personalized to the organization’s context by selecting:

    • The number of sites with firewall installations (across the entire enterprise)
    • The number of firewall vendors (across all sites)
    • The total number of firewalls
    • The amount of annual revenue supported by the network
    • The number of users supported by the network

The model makes use of Aberdeen’s estimates for the range (i.e., lower bound, upper bound) and shape for each of the following high-level factors of operational cost and security-related risk:

  • The operational cost of managing network security policies is based on estimates for the number of changes to policies, rules, and configurations throughout the enterprise; the time it takes to review, check, approve, implement, test, and validate these adds or changes; and the fully-loaded cost of operational staff.
  • The security-related risk of managing network security policies is based on estimates for the time the network is negatively affected by security-related issues (e.g., slowdown or downtime); the amount of annual revenue supported by the network, and the fraction of network-supported revenue lost during the period of slowdown or downtime; the number of users supported by the network, the fraction of user productivity lost during the period of slowdown or downtime, and the fully-loaded cost per user. This analysis also establishes a baseline for quantifying the value of an incremental investment in a security policy management solution (this case is provided in the next section).
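The following is an added illustration, not Aberdeen’s spreadsheet or any figure from the report, of how the two factors above can be expressed as a Monte Carlo model in Python rather than Excel: each input is a lower bound, upper bound and optional most-likely value (the “shape”), the contextual factors listed earlier select the enterprise profile, and the two cost formulas are the ones the bullets describe. The ranges, the complexity multiplier that stands in for the non-linear effect of more sites and vendors, and the use of 8,760 revenue hours per year are all constructed assumptions.

```python
"""Added illustrative Monte Carlo model of the two cost dimensions the article
describes. Not Aberdeen's spreadsheet; every numeric input is a constructed
placeholder, not a figure from the report."""
import random
import statistics
from dataclasses import dataclass
from typing import Optional

HOURS_PER_YEAR = 8760  # assumption: network-supported revenue accrues around the clock


@dataclass
class Estimate:
    """Lower bound, upper bound and optional most-likely value (the 'shape')."""
    low: float
    high: float
    mode: Optional[float] = None

    def sample(self, rng: random.Random) -> float:
        if self.mode is None:
            return rng.uniform(self.low, self.high)            # flat shape
        return rng.triangular(self.low, self.high, self.mode)  # peaked shape


@dataclass
class Profile:
    """The contextual factors the article lists for personalising the model."""
    sites: int
    vendors: int
    firewalls: int
    annual_revenue: float
    users: int


def complexity_factor(sites: int, vendors: int) -> float:
    """Constructed assumption: each extra site or vendor adds review/approval
    effort, and the two compound, so effort grows non-linearly with both."""
    return (1.0 + 0.10 * (sites - 1)) * (1.0 + 0.25 * (vendors - 1))


def operational_cost(changes: float, hours_per_change: float, hourly_cost: float) -> float:
    """Annual cost of reviewing, approving, implementing, testing and validating changes."""
    return changes * hours_per_change * hourly_cost


def security_risk_cost(hours_impacted: float, annual_revenue: float, frac_revenue_lost: float,
                       users: int, frac_productivity_lost: float, cost_per_user_hour: float) -> float:
    """Annual expected loss from slowdown/downtime: lost revenue plus lost user productivity."""
    revenue_per_hour = annual_revenue / HOURS_PER_YEAR
    loss_per_hour = (revenue_per_hour * frac_revenue_lost
                     + users * frac_productivity_lost * cost_per_user_hour)
    return hours_impacted * loss_per_hour


def percentiles(samples: list) -> dict:
    """P10 / P50 / P90 of the simulated annual figures."""
    q = statistics.quantiles(samples, n=100)  # 99 cut points
    return {"p10": q[9], "p50": q[49], "p90": q[89]}


def simulate(profile: Profile, trials: int = 10_000, seed: int = 1) -> dict:
    rng = random.Random(seed)
    # Constructed ranges standing in for Aberdeen's estimates.
    changes_per_firewall = Estimate(20, 80, 40)    # policy/rule/config changes per firewall per year
    hours_per_change = Estimate(1.0, 6.0, 2.5)      # staff hours per change, end to end
    hourly_cost = Estimate(60, 120)                 # fully-loaded cost per staff hour
    hours_impacted = Estimate(2, 40, 8)             # hours per year of slowdown or downtime
    frac_revenue_lost = Estimate(0.1, 0.6)          # share of network-supported revenue lost
    frac_productivity_lost = Estimate(0.2, 0.8)     # share of user productivity lost
    cost_per_user_hour = Estimate(30, 70, 45)       # fully-loaded cost per user hour

    factor = complexity_factor(profile.sites, profile.vendors)
    ops, risk = [], []
    for _ in range(trials):
        changes = changes_per_firewall.sample(rng) * profile.firewalls
        ops.append(operational_cost(changes, hours_per_change.sample(rng) * factor,
                                    hourly_cost.sample(rng)))
        # Assumption: complexity also scales the time the network is impacted.
        risk.append(security_risk_cost(hours_impacted.sample(rng) * factor,
                                       profile.annual_revenue, frac_revenue_lost.sample(rng),
                                       profile.users, frac_productivity_lost.sample(rng),
                                       cost_per_user_hour.sample(rng)))
    return {"operational_cost": percentiles(ops), "security_risk": percentiles(risk)}


if __name__ == "__main__":
    # Constructed enterprise profile: 3 sites, 2 vendors, 25 firewalls.
    baseline = Profile(sites=3, vendors=2, firewalls=25, annual_revenue=50_000_000, users=2000)
    for name, stats in simulate(baseline).items():
        print(f"{name}: P10 ${stats['p10']:,.0f}  P50 ${stats['p50']:,.0f}  P90 ${stats['p90']:,.0f}")
```

Running the same profile with `Profile.sites` or `Profile.vendors` reduced shows the baseline against which an investment in a policy management solution would be valued: the difference between the two distributions, not a single point estimate, is what a Monte Carlo treatment adds over a back-of-the-envelope calculation.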

Aberdeen Strategy & Research, a division of Spiceworks Ziff Davis, with over three decades of experience in independent, credible market research, helps illuminate market realities and inform business strategies. Our fact-based, unbiased, and outcome-centric research approach provides insights on technology, customer management, and business operations, to inspire critical thinking and ignite data-driven business actions.