Three years ago I bought a house in the south of Italy and since then I have been trying to immerse myself in the local culture. It recently occurred to me that there was a great deal of similarity between the nuances and national characteristics of Italy and the challenges faced by security professionals today.

A Love of Spaghetti
A rule base that has evolved over several years with several vendors' products and many different security administrators will certainly resemble the characteristics of spaghetti. When you start pulling on one end you never know what the consequences are.

Even in the south of Italy companies nowadays need to improve the efficiency of their firewall operation and make what they have go faster and further as budgets for hardware or software upgrades are under close scrutiny. The ability to understand which rules are most frequently used enable the security professional to improve performance by ensuring a close match between rule ranking and rule usage. This is even more apparent when unused rules and shadowed rules can be clearly identified. These classes of rules only add complexity, degrade performance, and increase business continuity risk.

All Road Signs Are Only Suggestions
For all of you who have driven in the south of Italy you will know that all traffic laws, which by the way are still contained in the Italian criminal not the civil code, are merely suggestions to be adhered to or ignored depending on the situation.

Such is often the case when people are writing new or changing existing security rules. We all know that we should include a comment or a clean-up rule but sometimes expediency makes us ignore these good practice guidelines.

The need to meet with a growing number of compliancy requirements - either internal audit reviews, external audit demands such as SOX or Basel II, or from industry-specific requirements such as PCI-DSS - is far more costly if a history of indiscipline has existed.

It is of little use spending money to optimize your firewall infrastructure and enable automatic compliance if you don't stop subsequent non-compliance. The ability to flag non-compliance to the relevant IT/security/compliance/business manager protects your investment, maintains your firewall estate's performance, and ensures ongoing compliance.

Sleeping in the Afternoon
One local habit that I have taken the most easily to is sleeping in the afternoon. The opportunity to wind down and take a nap after a nice lunch is a great way to recharge your batteries. I think that this should be added as a criterion for any new security investment: "Does this investment allow me to take a nap in the afternoon?"

Summary
It is clear to me that companies are looking for ways to remove costs from firewall administration while adding performance. The ever-increasing demands of compliance from all quarters means that the delivery of compliance needs to be automated and assured. To ensure ongoing OPEX reduction and operational efficiency, rule changes going forward need to be assessed against an internal or external best practice standard automatically and violations flagged to the responsible manager.