Globalisation is the new normal for most organisations today, but it can present some significant challenges – not least when it comes to managing the firewall estate across these large-scale, distributed networks.
A typical, multinational corporation, headquartered in the US may have offices and data centres in dozens of countries around the globe.
Let’s assume the organisation takes a proactive, structured and logical approach to cybersecurity, and therefore protects each data centre with firewalls.
Yet all of these firewalls also have to work together cohesively, allowing network traffic to move securely between the international networks and data centres. How do you manage this? There are three vital issues to consider.
Issue one: a matter of time
A core element of firewall management – in any context – is configuration and in particular the change control process – that is, updating firewall rules when application network connectivity is updated or changed.
However, in global networks, with applications in different countries that need to communicate and share information, this gets a little more complicated.
Imagine one common scenario: an organisation has deployed a new application across its global network, so needs to implement firewall policy changes in multiple countries.
While the policy change in itself is easy enough to make, the question becomes – when exactly should it be made?
For many large organisations, policy changes are limited to specific change control windows in order to mitigate the risk of operational downtime for core applications or configuration mistakes.
Firewall policy changes therefore usually take place overnight, or at the weekend – out of high risk hours.
But in a global organisation, operating across multiple time zones, those high risk hours vary from country to country.
What’s more, high traffic periods in the calendar vary too – the run-up to the Christmas holidays will be critical to a retailer in Western Europe and the US, while Chinese New Year will affect retailers in Asia.
So businesses have a choice. They can set a single universal change control window according to when it is convenient for the most important location in their network, and hope that the other locations will manage. This is quicker but riskier.
Alternatively, they can set different change control windows in different countries, and somehow coordinate a staggered firewall change process.
This is unlikely to cause security problems part-way through the process, as legitimate traffic will most likely continue to be blocked somewhere along its path until the change has been fully implemented – but clearly this could be a significant operational issue, blocking different sites from communicating with each other.
This change management process requires careful coordination between an organisation’s network operations and application delivery teams.
Ultimately, there is no simple answer to this challenge. A business needs to weigh up the risks and benefits of the two approaches, and choose the most appropriate path for the organisation.
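The trade-off above, as an added illustration that is not part of the original article: given each site's UTC offset and local low-risk hours (a constructed sample estate, not the author's data), it checks whether any single UTC hour is quiet for every site, builds a staggered per-site schedule otherwise, and shows how long a flow crossing several firewalls stays blocked while the change is only partly rolled out.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample estate (not from the article): each site's UTC offset in hours
# and its local low-risk change window as (start_hour, end_hour), end exclusive,
# allowed to wrap past midnight.
SITES = {
    "new-york":  {"utc_offset": -4, "window": (22, 4)},
    "frankfurt": {"utc_offset": 2,  "window": (22, 4)},
    "singapore": {"utc_offset": 8,  "window": (22, 4)},
}

def in_window(local_hour, window):
    """True if a local hour falls inside a (start, end) window that may wrap midnight."""
    start, end = window
    if start < end:
        return start <= local_hour < end
    return local_hour >= start or local_hour < end

def site_is_quiet(site, utc_dt):
    """Whether the site is inside its low-risk window at the given UTC time."""
    local_hour = (utc_dt.hour + site["utc_offset"]) % 24
    return in_window(local_hour, site["window"])

def universal_window(sites):
    """UTC hours at which *every* site is in its low-risk window (often none)."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)  # only the hour matters here
    return [h for h in range(24)
            if all(site_is_quiet(s, base.replace(hour=h)) for s in sites.values())]

def staggered_plan(sites, start_utc):
    """Earliest UTC time at or after start_utc when each site can take the change."""
    plan = {}
    for name, site in sites.items():
        t = start_utc
        for _ in range(24):  # a usable window must open within any 24h period
            if site_is_quiet(site, t):
                break
            t += timedelta(hours=1)
        else:
            raise ValueError(f"{name} has no low-risk window")
        plan[name] = t
    return plan

def partial_rollout_gap(plan, path):
    """Interval during which a flow crossing the firewalls in `path` is only partly
    enabled: the rule exists on some hops but not yet all, so the flow stays blocked."""
    times = [plan[site] for site in path]
    return min(times), max(times)
```

With the sample offsets no UTC hour is quiet everywhere, so a universal window necessarily lands in someone's business hours; the staggered plan avoids that at the cost of a 14-hour interval in which a New York to Singapore flow is blocked part-way along its path.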
Issue two: staying within the law
Another aspect of running multiple data centres in multiple countries is the question of multiple jurisdictions.
Different nations have different laws governing the location and movement of information; Switzerland, for example, requires Swiss banking information to remain inside Switzerland, while the Australian government does not allow government or federal information to leave the country.
These laws have significant technical implications for how international enterprises organise their data centres, whether on premise or in the cloud.
Information must be segmented, siloed and protected with firewalls according to local jurisdictions, and the IT team will normally be required to manage this.
Technically all the necessary segmentation can be achieved remotely or even outsourced to a service provider, but it still carries a significant organisational burden – especially for organisations migrating to cloud infrastructures, as they may be nervous about the legislative compliance implications.
We may see this in action if the Bangladesh Bank decides to press charges following the recent $81m heist via the SWIFT wire transfer network.
Which police force will they go to? Can INTERPOL help? Even if they manage to identify the criminals, who is going to arrest them, or request extradition?
There are, as yet, no easy answers to these issues.
Ultimately, organisations need to take responsibility for understanding all of the data protection laws and regulations that apply in every country where they store and transmit data – and they need to translate compliance with those regulations into proper technical, legal and compliance related actions for their IT security strategy and business.
Issue three: who else is connected?
The picture gets more complex still when businesses grant external organisations access to their networks.
At this point, it is important to note that they become part of the organisation’s information security and regulatory compliance posture.
Minimising the risk of such external connectivity depends on implementing careful network segmentation as well as using additional controls such as web application firewalls, data leak prevention and intrusion detection.
Furthermore, at some point businesses will have to make changes to their external connections, either due to planned maintenance work by their own IT team or the peer’s IT team, or as a result of unplanned outages.
Dealing with changes that affect external connections is more complicated than internal maintenance, as it will probably require coordinating with people outside the organisation and tweaking existing workflows, while adhering to any contractual or SLA obligations.
As part of this process, organisations need to ensure that their information systems allow their IT team to recognise external connections and provide access to the relevant technical information in the contract, while supporting the amended workflows.
Finally, organisations should also ensure that they have a contract in place with third party organisations to cover all technical, business and legal aspects of the external connection.
When managing global network infrastructures, it is more important than ever to have full, real-time visibility and control of exactly how firewalls are controlling network traffic across the globe, both to maximise security and compliance, and minimise downtime.
Sourced by Professor Avishai Wool, CTO at AlgoSec