The Security-Focused Policy Model
When creating network cybersecurity policies, organizations lean in one of two directions. Some, like typical government agencies, are inclined to protect their network, employees and data by blocking all external entities from their network and controlling employee access to outbound interactions. They try to follow the Zero Trust model, where they trust no one and verify everyone. For the purposes of this post, we will call this the security-focused policy model.
The Availability-Focused Policy Model
On the flip side of this coin, other organizations seeking to protect their assets focus mainly on their business units and institute an availability-focused policy model. Their business objectives drive the need to keep employees working with minimal IT policy interference. Frequently, employee morale is a factor in this decision: access to social media and entertainment sites, while not (usually) a business driver, allows employees to blow off steam and take a short break, which can increase productivity if they do so during breaks. In this model, security policies are more apt to block only known malicious sites. Administrative overhead can also be a factor in this mindset. When instituting new security products that require reconsideration of policy, instead of reviewing, re-designing, or rethinking policy to be more secure, security organizations often revert to tried-and-true methods that have worked for them in the past as a way to avoid additional administrative overhead.
The Whys and Wherefores of Implementing Security Products
Most often, organizations place security products into production to conform to audit or compliance standards and requirements. Other times they implement security products to fill holes in an environment that has already been exposed to a security threat, monitor current threats, and/or minimize the risk of future incidents. Another common occasion for a policy update is when one security product displaces another. In this case, administrators might assume they can mirror their old product’s policies on the new product. In any of these scenarios, administrators don't always implement all of the features of a security product, and as a result, they could be limiting the security protection that the product is capable of providing.
Network Security Policies Matter: Which Model is Better?
Many security clients ask which model is better. As a cybersecurity consultant, I share the pros and cons of implementing each model in my client's individual environment.
I once worked with a payment processing company to build their network security product's policy from the ground up. The company was implementing the product to satisfy security architecture requirements. They already had some maturely-situated edge firewalls, so the company did not intend for the new product to replace the firewalls. However, when I asked what security focuses needed to be considered so that I could advise them on how to build the policy, they told me they wanted to mirror the firewall access policies to avoid discrepancies between access requirements.
While this is a good thought, the products were different in the way they handle network traffic. I explained the policy options the new product could implement and shared my recommendations based on the product’s capabilities to meet the project’s business requirements. In the end, the company opted to mirror the firewall product's policies. This was the better choice for this customer as it met their needs at the time.
My overall recommendation for all organizations is to review their security policies and audit their network security products to ensure that their configured policies match company policies. Beyond that, each model has its pros and cons. Here’s a summary of those pros and cons:
Security-Focused Policy Model
- Fewer access holes in the network
- Sites justified by the organization can be opened and monitored (if needed)
- Only known approved requests are allowed outbound
- External web access starts out blocked unless a business reason justifies open access
- Administrative overhead is increased when starting out as many sites need to be opened as employees and business units request access
Availability-Focused Policy Model
- Employee access is more open, since external web access starts open and unimpeded
- Employee morale is better, since their access is not constantly blocked
- Administrative overhead is less due to fewer access requests
- Blocks only the known bad/malicious sites, largely ignoring the unknown malicious sites
- In effect, it gives employees unfettered access to all available sites
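The difference between the two lists above comes down to the default verdict for a site that is on no list. The following added example (not from the original post) evaluates the same outbound requests under both models; every hostname, list entry and the Policy class are constructed for illustration and assume a simple domain-suffix match.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    default_action: str              # verdict when no list entry matches
    allow: frozenset = frozenset()
    block: frozenset = frozenset()

    def decide(self, host: str) -> str:
        labels = host.lower().rstrip(".").split(".")
        # The host itself plus every parent domain, so a listed domain covers its subdomains.
        candidates = {".".join(labels[i:]) for i in range(len(labels))}
        if candidates & self.block:  # block entries win over allow entries
            return "block"
        if candidates & self.allow:
            return "allow"
        return self.default_action

# Constructed lists: one known-bad domain, one business-approved site.
KNOWN_BAD = frozenset({"known-bad.example"})
SECURITY_FOCUSED = Policy("security-focused", "block",
                          allow=frozenset({"payroll.example"}), block=KNOWN_BAD)
AVAILABILITY_FOCUSED = Policy("availability-focused", "allow", block=KNOWN_BAD)

# Constructed outbound requests: (host, is_malicious)
REQUESTS = [
    ("payroll.example", False),          # approved business site
    ("social.example", False),           # benign, not business-justified
    ("new-supplier.example", False),     # benign, not yet requested
    ("files.known-bad.example", True),   # subdomain of a listed bad domain
    ("cdn.unlisted-bad.example", True),  # malicious but on no list yet
]

def summarize(policy, requests=REQUESTS):
    """Return malicious hosts allowed and benign hosts blocked under a policy."""
    verdicts = {host: policy.decide(host) for host, _ in requests}
    return {
        "malicious_allowed": [h for h, bad in requests if bad and verdicts[h] == "allow"],
        "benign_blocked": [h for h, bad in requests if not bad and verdicts[h] == "block"],
    }

if __name__ == "__main__":
    for p in (SECURITY_FOCUSED, AVAILABILITY_FOCUSED):
        print(p.name, summarize(p))
```

The benign_blocked list approximates the access requests administrators would have to handle under the security-focused model, while malicious_allowed shows the unknown malicious site that the availability-focused model lets through.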
The Bottom Line
Virtually all organizations understand that network security policies are essential if they want to protect their lifeline—the network. For that reason, it’s important that everyone reads and accepts those policies and acts accordingly when using company assets. While a newly formed security group might not have much in the way of "teeth" to enforce good or proper security policies, its enforcement power will grow with executive backing and mature policy adaptation. With the advice of a cybersecurity consultant, any organization can carefully analyze its options and determine the best way forward.
About Enterprise Studio
Enterprise Studio by HCLTech helps organizations make the connections between IT and business that optimize time and multiply value for realizing the full potential of their digital business plans. Our seasoned technologists, coaches, and educators can help you unlock value from existing IT investments to become a stronger, more adaptive organization – in part by leveraging a BizOps approach so that IT outputs are strongly linked to business outcomes.
Whether you’re an established Global 500 company or a new disruptive force in your industry, we can help you navigate the complexities that come with competing in an inter-connected digital era. We are a global solution provider and Tier 1 global value-added reseller of Broadcom CA Technologies and Symantec enterprise software.
Many of our experts at Enterprise Studio are from the former professional services units of CA Technologies and Symantec. For decades, our teams have supported and led organizations to innovation with powerful enterprise software solutions and cutting-edge methodologies – from business and agile management to security, DevOps, AIOps, and automation.