The five elements of great security policy

By Tom Hickman, VP of Engineering — Oct 24, 2017

I’ve spent most of my career building and deploying software. In that role I’ve frequently been on the receiving end of security policy, stuck between the conflicting goals of security (from the security policy makers) and speed (from the business owners)! I’m excited to join Edgewise, because I think we’re going to change the world by enabling rapid innovation and thoughtful, actionable security policy.

Defining and maintaining policy is the bane of every security team’s existence. I’ve seen all kinds of policy: overly restrictive, overly permissive, non-efficacious, paralytic, counter-intuitive, and completely impractical. Sometimes, I’ve even seen good security policy! But creating good policy is tough. Security policies need to:

  • Reflect the reality on the ground. Policies shouldn’t be written in ivory towers. They need to reflect what’s actually happening within the organization. Too often, though, it’s nearly impossible to get the right people together to even understand the situation on the ground, much less to define a policy that addresses and mitigates actual risk.
  • Be simple to understand. Policies need to be stated in a way that the audience can understand; and they need to reflect and convey the reason the policy exists. However, policies are too often written in vague or arcane language—like an RFC or tax law—and the original intent of the policy gets lost. This is especially true around software and systems deployments, where security teams and application developers may as well be speaking different languages.
  • Be enforceable but flexible. Good policy needs to be specific enough that it can be enforced, but it also needs to be flexible and adaptive. Rigid and restrictive policy may seem like it will reduce risk, but if it forces creative people to work around the policy in order to get their job done, that policy is a failure.
  • Be measurable. Any decision to implement security policy carries an anticipated return on investment. But without actionable metrics, organizations never know if their anticipated ROI is realized. And in my experience, few security programs measure efficacy in the metric that matters—risk mitigation or reduction.
  • Minimize unintended consequences. Coming full circle to the first bullet above, good policy must be assessed not just for risk mitigation, but also against the negative impact of the control. If the control is too onerous (difficult to implement, intrusive, time-consuming, etc.), people will work around the policy.

The reality is that few policies satisfy all of these criteria. They’re either too constraining, overly permissive, outdated, or completely irrelevant. This is especially true in fast-moving companies adopting modern DevOps and DevSecOps technologies and methodologies. Without deep collaboration between Security and DevOps teams, policies and processes can lag technology adoption, hinder agility, and leave critical applications at risk.

The cool thing about Edgewise is that we help security professionals with all the criteria above. Once deployed, we discover the situation on the ground and use patented magic to ensure that the application of security controls ticks all the boxes above. Edgewise provides:

  • Automated policy definition. Edgewise uses machine learning to derive and recommend the optimal policy set by grokking your topology and analyzing all inter-application communication paths and dependencies. This vastly reduces the effort needed to create and maintain policies compared to firewalls or other policy-driven controls.
  • Application-level policy language. Edgewise uses application-level language to define and enforce policies based on application components rather than IP addresses, protocols, and other underlying infrastructure elements. This allows policies to be defined and validated by application developers, the people who know their own applications best.
  • Policy compression. Edgewise uses automated policy definition and application-level language to produce an optimal policy set that is orders of magnitude smaller than a comparable set of firewall rules. This makes policies more understandable and resilient to evolving application needs.
  • Measurable risk metrics. Edgewise analyzes and visualizes application activities, defines recommended defensive controls, and measures the potential impact of applying a control. Risk exposure and confidence level are quantified for each of these policy-driven controls. This provides measurable metrics—both to security teams and to executives—to understand the business benefit of security controls.
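To make the "application-level policy" and "policy compression" points concrete, here is a small added illustration in Python. It is not Edgewise's code or algorithm; it shows the general idea of keying an allow-list on application components instead of addresses. The inventory (four components with a handful of instance IPs), the flow records, the `AppRule` type and the function names are all constructed for this example.

```python
"""Illustrative application-level policy derivation and enforcement.

Added example, not Edgewise code: it shows the general idea behind
application-keyed allow-lists versus IP-keyed firewall rules, using
a constructed inventory and constructed flow records.
"""
from dataclasses import dataclass

# Constructed inventory: application component -> its running instances (IPs).
INVENTORY = {
    "web":   ["10.0.1.10", "10.0.1.11", "10.0.1.12"],
    "api":   ["10.0.2.10", "10.0.2.11"],
    "db":    ["10.0.3.10", "10.0.3.11"],
    "cache": ["10.0.4.10"],
}

# Constructed flow records from a learning window: (src_ip, dst_ip, dst_port).
OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.10", 8080),
    ("10.0.1.11", "10.0.2.11", 8080),
    ("10.0.1.12", "10.0.2.10", 8080),
    ("10.0.2.10", "10.0.3.10", 5432),
    ("10.0.2.11", "10.0.3.11", 5432),
    ("10.0.2.10", "10.0.4.10", 6379),
    ("10.0.2.10", "10.0.3.10", 5432),   # repeat: must not add a second rule
    ("203.0.113.7", "10.0.1.10", 443),  # unknown source: must not become a rule
]


@dataclass(frozen=True)
class AppRule:
    """One allowed edge between application components (hypothetical type)."""
    src_app: str
    dst_app: str
    dst_port: int


def ip_to_app(ip, inventory=INVENTORY):
    """Resolve an instance address to its application component, or None."""
    for app, addrs in inventory.items():
        if ip in addrs:
            return app
    return None


def derive_app_policy(flows, inventory=INVENTORY):
    """Collapse observed instance-level flows into application-level rules.

    Flows involving an address outside the inventory are skipped rather than
    turned into rules: a learned allow-list must only name known components.
    """
    policy = set()
    for src_ip, dst_ip, port in flows:
        src, dst = ip_to_app(src_ip, inventory), ip_to_app(dst_ip, inventory)
        if src is None or dst is None:
            continue
        policy.add(AppRule(src, dst, port))
    return frozenset(policy)


def expand_to_firewall_rules(policy, inventory=INVENTORY):
    """Expand application rules into the equivalent per-address firewall rules."""
    rules = set()
    for r in policy:
        for s in inventory[r.src_app]:
            for d in inventory[r.dst_app]:
                rules.add((s, d, r.dst_port))
    return frozenset(rules)


def is_allowed(policy, src_ip, dst_ip, dst_port, inventory=INVENTORY):
    """Enforce at the application level: default deny, unknown addresses denied."""
    src, dst = ip_to_app(src_ip, inventory), ip_to_app(dst_ip, inventory)
    if src is None or dst is None:
        return False
    return AppRule(src, dst, dst_port) in policy


def scale_out(inventory, app, new_ips):
    """Return a copy of the inventory with extra instances of one component."""
    grown = {k: list(v) for k, v in inventory.items()}
    grown[app].extend(new_ips)
    return grown


if __name__ == "__main__":
    policy = derive_app_policy(OBSERVED_FLOWS)
    print(f"app rules: {len(policy)}, "
          f"equivalent firewall rules: {len(expand_to_firewall_rules(policy))}")
    bigger = scale_out(INVENTORY, "web", ["10.0.1.13", "10.0.1.14"])
    print(f"after scale-out: app rules {len(policy)}, "
          f"firewall rules {len(expand_to_firewall_rules(policy, bigger))}")
    print(is_allowed(policy, "10.0.1.14", "10.0.2.10", 8080, bigger))  # new web instance
    print(is_allowed(policy, "10.0.3.10", "10.0.1.10", 8080))          # db -> web, never seen
```

Three application rules cover the same traffic as twelve address-level rules, and adding two more web instances leaves the application policy untouched while the firewall equivalent grows to sixteen. The caveat a practitioner should keep in mind: a policy derived from observed traffic is only as clean as the learning window, so anything already talking on the network during that window, including an intruder, gets learned as legitimate unless someone reviews the recommended rules before they are enforced.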

This combination of capabilities means that with Edgewise you can create relevant, simple policies that provide optimal protection while allowing maximum agility. That’s world-changing, and I’m psyched to be a part of it.

Written by Tom Hickman, VP of Engineering

Tom is VP of Engineering at Edgewise, which marks his eighth startup. Past roles have included Director of Global Sourcing at Iron Mountain where he built and maintained a global outsourcing center of excellence, and Vice President of Engineering at My Perfect Gig, an agile development firm that built data-filled search and analytic software for the technology recruiting market. Most recently, Hickman served as the Vice President of Engineering at Veracode where he led engineering and product strategy, helping to grow Veracode from a single product company to a multi-product security platform that was recently acquired by CA Technologies for more than $600 million.