About Policy Optimizer
Policy Optimizer is a workflow process that is an add-on module of the Security Intelligence Platform (SIP). Where Policy Planner is a process that adds rules, the goal of Policy Optimizer is to clean up rules that are no longer used or are too risky. As part of a compliance process, Policy Optimizer can also be used to create compliance controls within Security Manager to ensure that all rules are reviewed periodically to confirm that they are still required. The basic process is that expired and overly risky rules are routed into a workflow where a custom web-based module interface presents each rule to its business owner, who then chooses one of several outcomes, such as Certify or Decertify.
Example of Using Policy Optimizer
Consider this common scenario: a request comes in to open a specific port on a host for a new vendor. The business opens a change control ticket, and states that the connection should be closed when the vendor's contract expires in six months. The security engineer implements the change to the firewall and adds a comment to the rule on the device, attempting to insert all the details about the business justification and expiration into the limited text field. The port is opened and both the business and vendor are happy.
However, six months later, who is responsible for ensuring that the rule is removed? Business users don't think about security rules until they prevent access. Removing access is not at the top of their minds. For network engineers, the business justifications coded into the comment fields are difficult to translate, and the full justifications stored in other locations (ticketing systems and shared spreadsheets are common) make it hard to match the existing state of a policy to each rule's original intent and requester.
And even when such information is finally matched up, the responsibility for cleanup predominantly falls to a member of the security or infrastructure team, who may not know whether the rule is still working or required. In the example above, the team would not know immediately whether the vendor's contract had been extended past the initial six-month period.
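To make the review loop from the overview and the expiry problem from this scenario concrete, here is an added Python sketch (illustration only, not Policy Optimizer or Security Manager code). It assumes constructed rules whose comment fields carry the owner and expiry in the cramped free-text style described above, an assumed yearly review interval, and a toy "risky" test; it routes expired, risky or overdue rules to their owners and applies a Certify or Decertify decision.

```python
from datetime import date, timedelta
import re
# Constructed sample rules, not real policy data; the comment field mimics the cramped
# free-text convention from the scenario: justification, owner and expiry in one string.
RULES = [
    {"id": "r1", "src": "10.0.0.0/8", "dst": "192.0.2.10", "svc": "tcp/8443",
     "comment": "CHG-1042 vendor sftp; owner=finance; expires=2024-06-30",
     "last_reviewed": date(2024, 1, 5)},
    {"id": "r2", "src": "any", "dst": "any", "svc": "any",
     "comment": "temp troubleshooting; owner=netops; expires=2030-01-01",
     "last_reviewed": date(2024, 9, 1)},
    {"id": "r3", "src": "10.1.0.0/16", "dst": "192.0.2.20", "svc": "tcp/443",
     "comment": "CHG-0991 intranet portal; owner=it", "last_reviewed": date(2023, 3, 1)},
]
TODAY = date(2024, 10, 1)               # constructed "today" for the sample run
REVIEW_INTERVAL = timedelta(days=365)   # assumed compliance control: yearly review
EXPIRY_RE = re.compile(r"expires=(\d{4}-\d{2}-\d{2})")
OWNER_RE = re.compile(r"owner=(\w+)")

def parse_expiry(comment):
    m = EXPIRY_RE.search(comment)       # expiry date buried in free text, or None
    return date.fromisoformat(m.group(1)) if m else None

def review_reasons(rule, today):
    """Why a rule gets routed to its owner; an empty list means no review is due."""
    reasons = []
    expiry = parse_expiry(rule["comment"])
    if expiry is not None and expiry < today:
        reasons.append("expired")
    if rule["src"] == "any" and rule["dst"] == "any" and rule["svc"] == "any":
        reasons.append("risky")         # toy risk test: any-to-any on any service
    if today - rule["last_reviewed"] > REVIEW_INTERVAL:
        reasons.append("review-overdue")
    return reasons

def build_review_queue(rules, today):
    """Map rule id -> (owner, reasons) for every rule that needs a decision."""
    queue = {}
    for rule in rules:
        reasons = review_reasons(rule, today)
        if reasons:
            m = OWNER_RE.search(rule["comment"])
            queue[rule["id"]] = (m.group(1) if m else "unknown", reasons)
    return queue

def apply_decision(rules, rule_id, decision, today):
    """Certify keeps the rule and stamps the review date; decertify drops it."""
    if decision == "decertify":
        return [r for r in rules if r["id"] != rule_id]
    return [dict(r, last_reviewed=today) if r["id"] == rule_id else r for r in rules]
```

Running `build_review_queue(RULES, TODAY)` puts all three sample rules in front of their owners for different reasons; a certified rule drops out of the queue until its next review is due, while a decertified one is removed from the policy.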