Hello and welcome to Firewall Management 201. I'm Professor Wool, and today we'll be examining the challenges of decommissioning business applications without causing outages.

So what do I mean? Well, imagine an organization that has tens or hundreds of different business applications, and let's focus on two of these applications: a bill pay application and an online banking application. The communication patterns of these applications, as seen by the application owners, are that the bill pay system requires communication between the users and the bill pay server, and also between the bill pay server and the database, so these two blue lines in the Excel spreadsheet maintained by the application owners. The online banking system requires access from the users to the online banking server, and maybe it has some additional back end that needs to be communicating behind the scenes. So this is the viewpoint of the application owners.

If we look at what happens at the network security team, they need to write policy in the firewall that allows all of these communication patterns to cross the firewall securely. Now, what they notice is that the bill pay server and the online banking server are both on the same network segment and they have IP addresses that are related, and so it is very natural to define something called an application zone and use that definition of an application zone to make the security policy more compact. So the network security team might write a rule 517 allowing traffic from the bill pay server to the database, basically supporting this blue connectivity requirement; this would be rule 517. And they would write another rule, rule 518, allowing traffic from the user area to the whole application zone, and then through a single rule they would be supporting the connectivity needs of multiple applications, in this case both the blue and the orange applications sharing the same rule. This is very common practice for network security teams because it makes the final policy more compact, easier to manage, and more efficient.

So this is all well and good, but now imagine a situation where the application owners decide to replace the old bill pay system with a new one. They would provision a new server, install the new software on it, test it, evaluate it, and at some point, when they realize that the new system is better than the old one and is functioning properly, they can declare it production and turn off the old bill pay system. When they do that, they typically notify the network security team, telling them that the old bill pay application and the old bill pay traffic patterns are no longer necessary, and letting the network security team retire the unnecessary rules.

When that happens, the network security team faces a damned-if-you-do, damned-if-you-don't situation. They could either decide to retire the unnecessary firewall rules or leave them in place; both choices are not very appetizing. If they decide to retire the rules, they need to do so very carefully, because if they just blindly decide to remove both of these rules, that can have very unpleasant side effects. Remember, rule 518 is actually shared across multiple applications, and if you remove rule 518, allowing traffic to the whole application zone, as a side effect you are also breaking the traffic patterns that are required by the online banking application, which is still functioning, and you create a network outage, which is very, very serious. So if you choose not to eliminate those rules, you end up in a situation where you have unnecessary rules in the policy. That is also not desirable, because you have policy clutter, you have too many rules, you have security openings in the policy which expose the organization to risk and potentially audit failure, and you're also increasing the number of policy rules in the firewall and hurting the performance of the firewall. So neither choice is very appealing.

What can the network security team do to mitigate? Well, if they choose to take the second approach, which is leaving the rules in the policy and not retiring them immediately when the application is decommissioned, what they can do is instrument usage tracking on these rules and basically log their usage patterns. If they do that and let the logging infrastructure run for long enough, they would realize that rule 517 is really unused: it will see no traffic hits. However, rule 518 will be active; they will see that it's allowing traffic. When that happens, after the system runs with the logging instrumentation enabled, they will be able to realize that it's not a good idea to disable rule 518 completely, because it's still necessary for the orange online banking application, but it's still safe to remove rule 517, and that one can be retired. They could also go one step further and look further into the details of this usage (there are systems that let you do that) and look into what usage pattern rule 518 is actually demonstrating. Looking carefully into the traffic patterns, they would be able to realize in retrospect that rule 518 is now too wide, and then it can be tightened to something more secure that will only allow traffic to the servers that are still in production, like the online banking system, but there's no longer a need to allow traffic towards the bill pay system, which has been decommissioned.

However, it would have been much better if there was a mechanism that could reconcile the information available to the application owners and to the network security team, so that they could decommission the application rules, just those application rules that are safe to retire, early on. As the field of firewall policy management evolves, I envision that such systems will become available, such that when the application owners decommission an application and inform the network security team through this new system, the network security team will realize immediately that rule 517 is safe to be eliminated immediately, but rule 518 needs to remain in the policy, and potentially be reduced to its tighter form, without breaking the communication patterns of the orange application that is still active. Just something to bear in mind when you're dealing with application decommissioning in your organization. Thank you for your attention.
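As an added illustration (not part of the lecture or any product it describes), here is the rule usage tracking the lecture recommends, run over a constructed firewall usage log: it identifies rule 517 as unused and safe to retire, confirms rule 518 is still active, and derives the tighter destination set for 518 from the hosts actually reached. All addresses and the log line format are assumed values.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed policy for the lecture's two rules (all addresses are assumed values).
APP_ZONE = ip_network("10.20.5.0/24")       # application zone holding both servers
BILLPAY_SRV = ip_address("10.20.5.10")      # old bill pay server, now decommissioned
BANKING_SRV = ip_address("10.20.5.20")      # online banking server, still in production
RULES = {
    517: {"src": ip_network("10.20.5.10/32"), "dst": ip_network("10.30.1.5/32")},  # bill pay -> DB
    518: {"src": ip_network("192.168.0.0/16"), "dst": APP_ZONE},                   # users -> zone
}

# Constructed usage log, as a logging-enabled firewall might emit it after the
# bill pay system was switched off: one line per permitted connection.
LOG_LINES = """
rule=518 src=192.168.4.17 dst=10.20.5.20
rule=518 src=192.168.9.3 dst=10.20.5.20
rule=518 src=192.168.4.17 dst=10.20.5.20
rule=518 src=192.168.12.8 dst=10.20.5.20
""".strip().splitlines()


def parse_hits(lines):
    """Yield (rule_id, src, dst) per log line; skip lines that do not parse."""
    for line in lines:
        try:
            fields = dict(tok.split("=", 1) for tok in line.split())
            yield int(fields["rule"]), ip_address(fields["src"]), ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue


def usage_by_rule(rules, lines):
    """Count destinations hit per rule, keeping empty counters for unused rules."""
    usage = {rid: Counter() for rid in rules}
    for rid, src, dst in parse_hits(lines):
        rule = rules.get(rid)
        if rule and src in rule["src"] and dst in rule["dst"]:
            usage[rid][dst] += 1
    return usage


def safe_to_retire(usage):
    """Rules with no hits during the observation window (rule 517 here)."""
    return sorted(rid for rid, hits in usage.items() if not hits)


def tightened_destinations(usage, rid):
    """Hosts actually reached through a zone rule: the scope of its tighter replacement."""
    return {str(dst) for dst in usage[rid]}
```

The observation window must be long enough to cover infrequent but legitimate flows (month-end jobs, for instance) before a zero-hit rule is treated as retirable.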