Examining Security-Policy Management

It all comes down to what’s important to your environment

Companies create security policies for many reasons—perhaps you need to comply with corporate security standards, adhere to recommended best practices, or meet regulatory requirements. Your computing environment is unique, so your security policies need to be tailored to your specific infrastructure. The biggest security-policy management challenge you probably face is accomplishing all of this without increasing head count and costs.

You're probably on the lookout for an easy-to-use solution that provides visibility into your organization's current state, as well as automated remediation. You'll find a wealth of solutions on the market that seek to protect specific aspects of your organization—whether it's Active Directory (AD), file servers, workstations, or a combination of these or other areas. Where do you start looking for the solution that targets your specific needs? Let's examine the various factors that might make up a security-policy management solution, from AD integration to regulatory compliance to endpoint security.

Pillar Protection
AD is the central pillar of many organizations, and changes made to it can affect users company-wide. Administrators can use AD to push security policies across the entire enterprise, so it's vital that you know who is making changes, what the changes are, when the changes are being made, where the changes are being made, and why the changes are being made. NetPro considers this "5 Ws" list the centerpiece of its ChangeAuditor for Active Directory product. ChangeAuditor identifies these "5 Ws" for all changes to group and user configuration in the AD environment. NetPro offers similarly functioning modules for file servers and Microsoft Exchange Server.

Configuresoft's Enterprise Configuration Manager (ECM)—although not tied solely to AD—also plays a big role in the Windows security-policy management space, offering support for Exchange, Systems Management Server (SMS), and so on. Recognizing the uniqueness of individual environments, Configuresoft has fashioned a solution that collects thousands of asset, security, and configuration settings from throughout your enterprise and stores them in its Configuration Management Database (CMDB). You can then use this assembled information to determine which policies are appropriate for your infrastructure.

You should also consider NetIQ in this arena. Its Change Guardian for Active Directory is similar to NetPro's solutions, in that it ensures that all changes to AD are authorized, monitored, and audited.
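As an added illustration of the "5 Ws" audit and authorization checks described above (constructed example code, not NetPro's or NetIQ's; the log format, administrator list and change window are assumptions, not any product's schema):

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed audit records (not a real product's format), one change per line:
# when|who|what object|what attribute|what value|where (domain controller)|why (ticket)
CHANGE_LOG = """\
2006-06-12T09:14:02|CORP\\jsmith|CN=Domain Admins,OU=Groups,DC=corp,DC=local|member|+CN=tjones|DC01|CHG-1042
2006-06-12T02:31:55|CORP\\svc_backup|CN=Domain Admins,OU=Groups,DC=corp,DC=local|member|+CN=svc_backup|DC02|
2006-06-12T11:05:17|CORP\\jsmith|CN=Default Domain Policy,CN=System,DC=corp,DC=local|minPwdLength|12->6|DC01|CHG-1043
"""

AUTHORIZED_ADMINS = {"CORP\\jsmith", "CORP\\ahall"}  # assumed list of approved AD administrators
CHANGE_WINDOW = (time(8, 0), time(18, 0))             # assumed approved change hours


@dataclass
class AdChange:
    when: datetime
    who: str
    obj: str
    attr: str
    value: str
    where: str
    why: str  # change ticket; an empty string means no documented reason


def parse_log(text: str) -> list[AdChange]:
    """Split each pipe-delimited record into its five Ws."""
    rows = (line.split("|") for line in text.splitlines())
    return [AdChange(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]


def review(changes: list[AdChange]) -> dict[str, list[str]]:
    """Map each change that fails a check (keyed by when + who) to the reasons it failed."""
    findings = {}
    for c in changes:
        reasons = []
        if c.who not in AUTHORIZED_ADMINS:
            reasons.append("actor is not an authorized administrator")
        if not c.why:
            reasons.append("no change ticket recorded (missing 'why')")
        if not CHANGE_WINDOW[0] <= c.when.time() <= CHANGE_WINDOW[1]:
            reasons.append("made outside the change window")
        if c.attr == "minPwdLength" and "->" in c.value:  # e.g. "12->6" weakens the policy
            old, new = (int(v) for v in c.value.split("->"))
            if new < old:
                reasons.append(f"password policy weakened ({old} -> {new})")
        if reasons:
            findings[f"{c.when.isoformat()} {c.who}"] = reasons
    return findings
```

Running `review(parse_log(CHANGE_LOG))` flags the off-hours, unticketed service-account change and the ticketed but policy-weakening change, while the approved business-hours group change passes.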

Targeted Systems
Most vendors in the security-policy management market provide policy templates from popular industry experts or leading IT security organizations to help you secure your organization. Most of these templates are customizable, or if you feel up to the job, you can create your own template from scratch. New Boundary Technologies, like many other vendors, offers policy templates but sets itself apart from the competition in other ways. Its policy-management solution, Policy Commander, automatically implements, monitors, and enforces computer-security policies across your network, whether internal or remote. The unique aspect of Policy Commander is its specialized targeting of security policies. Targeting—based on each computer's configuration and role, security level, organization group, and location—lets organizations push a particular policy out to only the appropriate computers or servers that need it.

Altiris offers similar functionality but separates itself from the pack with its cross-platform support and agent/agentless structure. Altiris's SecurityExpressions automatically audits, deploys, and enforces security policies across all Windows, UNIX, and Linux desktops, notebooks, and servers. Such cross-platform support is becoming more and more important, as many IT shops are becoming increasingly heterogeneous.

Regulatory Compliance
Generally speaking, security is a never-ending battle that administrators fight across all aspects of the organization. Lately, security has played a key role amid increasing regulatory-compliance pressures in the wake of the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley (SOX) Act. Auditors now require that customers provide evidence of compliance policies, so it's important that you know where you're compliant and where you aren't.

Security-policy management solutions help you identify your compliance levels, but more important, such solutions help you—and your auditors—address any security gaps and learn how to bridge them. With its Directory Experts Conference Survey, NetPro polled users about their organizational priorities. Whereas 67 percent of respondents answered that improving Windows security was the top organizational priority, 73 percent of respondents marked compliance as the top priority.

Internal Security Threats
Aside from regulatory compliance are the escalating security threats that manifest themselves within your organization.

According to a survey conducted by the Ponemon Institute, nearly 70 percent of the threats to network security and integrity come from malicious employee activity or non-malicious employee errors. One reason for the increasing number of internal threats is the rise of increasingly diverse storage technologies. There are many ways by which data can enter and leave a system, from USB flash drives to seemingly innocuous MP3 players.

In particular, USB flash drives represent a new threat that nearly every computing environment faces. At first, we all loved USB drives for their size and simplicity, but now that the tiny devices have become affordable and ubiquitous, they have become surprisingly threatening. Who knows what your users are doing with those USB drives when they're not connected to your network? RedCannon Security extends security policy beyond the network perimeter to manage the USB drive's entire lifecycle, from provisioning to remote destruction. RedCannon keeps track of all online or offline device activity and history to help provide evidence in support of regulatory compliance.

As you know, data can swiftly enter and leave a system without anyone knowing. In fact, according to a recent FBI Computer Crime Survey, 44 percent of organizations reported that they had themselves been responsible for network intrusions. Theft of sensitive data is only one part of the problem. Many removable media devices can introduce viruses, spyware, or other software that can affect the entire infrastructure.

Security-policy management solutions can help you implement policies in your organization to safeguard the devices that you allow in your network. However, security policies don't typically provide for managing and monitoring endpoint devices. Therefore, it's important to take a look at the solutions in this market that focus strictly on endpoint security. For example, GFI Software's GFI EndPointSecurity helps you manage and log access to many kinds of devices, including PDAs, memory cards, CDs, and mobile phones. The product also helps you protect against infiltration through such devices as Bluetooth cards and network cards.

Layton Technology's similar solution, DeviceShield, lets you control access to ports, device types, and even specific device models. It lets you assign read and write permissions to removable media devices at every level of your organization, whether across the company or for individual users. Check out our review of DeviceShield on page 35.

Of course, when you're making buying decisions in this market, you should always consider Symantec, a company that offers a number of solutions in this space. And to check out one more endpoint security solution, see "SmartLine DeviceLock," June 2006, InstantDoc ID 49916.

For some organizations, managing and controlling endpoint devices might not be enough—and that's where a company such as NetSupport comes into play. NetSupport adds an additional layer of security on top of endpoint security solutions to protect against unwanted or malicious changes to your system.

A Least-Privilege World
Much of security-policy management is connected to privileges, so it's important to know who has privileges to a certain file server or who has privileges to a specific application. Winternals Software's Protection Manager uses the principle of least privilege to provide users with just the permissions they need to perform their jobs efficiently. To comply with best practices and regulatory-compliance directives, this solution allocates only the necessary privileges to users and provides four security levels: Allow, Run with administrative privileges, Run as limited user, and Deny.

Desktop Standard also offers a least-privilege solution: PolicyMaker Application Security lets you use Group Policy conventions and PolicyMaker's own per-setting filters to attach permission levels to applications.

Emerging Technologies
If you're unfamiliar with Network Access Control (NAC) or Network Access Protection (NAP) technologies, you'd better listen up. NAC is an emerging technology that many vendors, such as Cisco, Trend Micro, StillSecure, and Mirage Networks, are starting to adopt. NAC solutions determine a computer's state of health by performing a series of checks (e.g., antivirus signatures, patches) before granting the computer access to your network. Microsoft is also adopting NAC-like technology; however, Microsoft refers to it as NAP and is building it into Windows Vista and Longhorn Server.
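An added example of the kind of health check a NAC or NAP gateway performs before admitting a host; the policy thresholds, patch identifiers and posture reports below are constructed assumptions, not any vendor's implementation:

```python
from datetime import date

# Assumed admission policy; illustrative only, not any vendor's NAC or NAP rule set.
POLICY = {
    "max_signature_age_days": 3,
    "required_patches": {"PATCH-A", "PATCH-B"},  # placeholder ids, not real patch numbers
    "firewall_required": True,
}

# Constructed posture reports, as an agent might submit them before network admission.
REPORTS = {
    "LAPTOP-01": {"signature_date": date(2006, 6, 11), "patches": {"PATCH-A", "PATCH-B"}, "firewall_on": True},
    "LAPTOP-02": {"signature_date": date(2006, 5, 30), "patches": {"PATCH-A"}, "firewall_on": False},
}


def check_health(report: dict, policy: dict = POLICY, today: date = date(2006, 6, 12)) -> tuple[str, list[str]]:
    """Evaluate one posture report; return ("admit" | "remediate", list of failed checks)."""
    failures = []
    age = (today - report["signature_date"]).days
    if age > policy["max_signature_age_days"]:
        failures.append(f"antivirus signatures are {age} days old (max {policy['max_signature_age_days']})")
    missing = policy["required_patches"] - report["patches"]
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if policy["firewall_required"] and not report["firewall_on"]:
        failures.append("host firewall is off")
    # Any single failed check keeps the host off the production network until it is fixed.
    return ("admit" if not failures else "remediate"), failures


def admission_decisions(reports: dict = REPORTS) -> dict[str, str]:
    """Decide network access for every reporting host; only fully healthy hosts are admitted."""
    return {host: check_health(rep)[0] for host, rep in reports.items()}
```

The failure list returned for a quarantined host is what a remediation step would act on (update signatures, install the missing patches, turn the firewall on) before the host is re-checked.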

Only the Beginning
Expect a deepening of security at all levels of the infrastructure. This market is growing, and organizations are starting to make policy management their first priority. Remaining compliant with regulations and industry best practices will continue to be vital, and you'll need to make sure you have the appropriate solutions in place.

We'll continue to see security-policy management solutions that once focused on reactive approaches move toward proactive ones. Time is money, after all, and beleaguered IT managers can't afford to be constantly interrupted to react to the latest security problem. Although tightening security often means new adjustments to make, the current security-policy management solutions on the market are well on their way to adapting to future trends.
