To have an effective policy management solution, several key support mechanisms must be in place:
The first step in developing a manual policy management solution is creating a set of procedures that reflects your policies' goals. Keep the policies as high level as possible; the procedures and guidelines will provide the details necessary for day-to-day operations.
Some typical procedures include antivirus, password aging and log monitoring. Each procedure/guideline is an interpretation of a specific section of the policy and is used as criteria for implementing and configuring specific software solutions.
Using our procedure example, the antivirus policy sets the tone by establishing that an antivirus solution will be used within the enterprise. The antivirus procedure will outline exactly how the policy will be enforced, addressing issues such as updates and outbreak response. Normally, that is managed by a central console and the rules are pushed out to workstations and servers.
An acceptable-use policy is interpreted in several procedures that address e-mail usage, data storage and Internet usage, among other activities. A Web usage procedure outlines which sites employees are allowed to visit, what type of technology--such as Web content filtering--will be in place to enforce the restrictions and how often the logs on the devices are checked.
Another example is the password-aging setting in Microsoft Windows. If the policy requires complex passwords, the guideline dictates the maximum age of a password, and Active Directory's maximum password age setting is configured to match.
It's easy to see how information security policies can be used to create practical and enforceable controls for managing the enterprise. However, this process is extremely hands-on--someone has to intervene to correlate the data between the various control points, including antivirus programs, IDSes, firewalls and authentication systems such as Active Directory. Manually monitoring for policy compliance can be quite cumbersome. Potential problems include the following:
- The antivirus management console could occasionally lose connectivity with individual servers or workstations, leaving an exposure point on the corporate network. Detecting this policy deviation and correcting it can be extremely time-consuming.
- It's not unheard of for content management providers to misclassify Web sites. For example, chocolate-maker The Hershey Company's site was once misclassified as pornographic. This type of error can lead to false positives and, if the site is not classified at all, can give users a way to bypass the system. Monitoring this control is time-consuming and frustrating. Plus, managing user exceptions--those who can bypass the filtering system to conduct research--complicates matters by creating a need to track exceptions for compliance reporting.
- Although systems like Active Directory can stipulate that users have complex passwords, it is possible to bypass the intent of the control, resulting in the user having a weak password. Because of this, it's important for security administrators to occasionally audit users' passwords with a password-cracking tool.
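As an added example (not from the article), the following PowerShell script performs the manual compliance check described above for the Active Directory password-aging control: it compares the default domain password policy against the values a guideline prescribes, reports each deviation, and optionally sets the maximum password age to the guideline value. It assumes the ActiveDirectory module (RSAT) and rights to read (and, with -Remediate, write) the default domain policy; the guideline values are constructed placeholders.

```powershell
# Added example, not from the article: audit the Active Directory default domain
# password policy against a password-aging guideline and optionally remediate
# the maximum password age. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$Guideline = @{
    MaxPasswordAgeDays   = 90     # constructed guideline values, not from the article
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24
}

function Test-PasswordPolicyCompliance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable] $Guideline,
        [string] $Domain = (Get-ADDomain).DNSRoot,
        [switch] $Remediate
    )
    $policy  = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $ageDays = $policy.MaxPasswordAge.TotalDays

    # A MaxPasswordAge of zero means "never expires": a deviation even though it
    # is numerically below the guideline ceiling.
    $checks = @(
        [pscustomobject]@{ Setting = 'MaxPasswordAge (days)'; Required = "1-$($Guideline.MaxPasswordAgeDays)"
                           Actual = $ageDays; Compliant = ($ageDays -gt 0 -and $ageDays -le $Guideline.MaxPasswordAgeDays) }
        [pscustomobject]@{ Setting = 'MinPasswordLength'; Required = $Guideline.MinPasswordLength
                           Actual = $policy.MinPasswordLength; Compliant = ($policy.MinPasswordLength -ge $Guideline.MinPasswordLength) }
        [pscustomobject]@{ Setting = 'ComplexityEnabled'; Required = $Guideline.ComplexityEnabled
                           Actual = $policy.ComplexityEnabled; Compliant = ($policy.ComplexityEnabled -eq $Guideline.ComplexityEnabled) }
        [pscustomobject]@{ Setting = 'PasswordHistoryCount'; Required = $Guideline.PasswordHistoryCount
                           Actual = $policy.PasswordHistoryCount; Compliant = ($policy.PasswordHistoryCount -ge $Guideline.PasswordHistoryCount) }
    )

    # Only the password-aging setting is brought into line automatically; the
    # other deviations are reported for the administrator to review.
    $ageCheck = $checks | Where-Object Setting -eq 'MaxPasswordAge (days)'
    if ($Remediate -and -not $ageCheck.Compliant -and
        $PSCmdlet.ShouldProcess($Domain, "Set MaxPasswordAge to $($Guideline.MaxPasswordAgeDays) days")) {
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
            -MaxPasswordAge (New-TimeSpan -Days $Guideline.MaxPasswordAgeDays)
    }
    return $checks
}

# Report deviations; a non-zero exit code lets a scheduled task flag them.
$results = Test-PasswordPolicyCompliance -Guideline $Guideline
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run with -Remediate -WhatIf first to see which change would be applied before letting the script write to the domain policy.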
Automation to the Rescue
The time and effort involved in manual policy management can make automated tools an attractive alternative, especially for large organizations.
In recent years, several vendors have come to market with policy management solutions, including Elemental Security, Solsoft and BindView (acquired by Symantec earlier this year). Most of these vendors' products couple the creation of policies with management software. Essentially, managers create the policies, and the software enforces them and measures compliance.
Elemental Security takes a host-centric view of policy management, implementing policies on servers and workstations on the network. Solsoft uses a network-centric approach by applying policies to network devices. BindView takes a host-based view, but also has an add-on component that helps write policies, push them out to users, and track user acceptance and exceptions.
Automated tools work by taking your security policies and procedures and implementing them into control points. As noted, some tools operate by controlling network devices--they convert policies into configuration criteria for network devices, such as routers. With host-based tools, policy is converted into configuration commands.
What is especially helpful about some policy management products is that they provide the templates for different standards, such as ISO 17799 and CobiT, and cross-correlate them with relevant regulations. With the templates provided, you can choose the policies necessary for your organization.
Another noteworthy feature of many policy management products is that they integrate across the enterprise, pulling data from a variety of sources, including backup, antivirus, content filtering solutions, firewalls, operating systems and routers; these data feeds should reduce the amount of data the user has to sift through. Some automated tools also integrate vulnerability management, keeping systems up to date and addressing emerging threats and zero-day exploits.
The ability of policy management tools to automatically correlate large amounts of disparate data can also facilitate regulatory compliance and reporting since it allows users to pull compliance data for specific regulations. A major complaint among security professionals is the redundant requests for the same audit-related information from external auditors, internal auditors and government regulators. Instead of having to complete several different audits that address similar issues, these tools allow you to generate reports tailored for different groups.
Automated policy management tools can also monitor for violations and track policy exceptions. A key benefit is that all reports are consolidated into one management console, making them easier to track than with the manual approach. But they are not really active monitoring products--they won't act like a fire alarm. Symantec, however, plans to integrate BindView with technology that manages incidents; other tools are designed to integrate with security event management products.
None of the products are plug-and-play--all take time to implement; some even require companies to convert their policies into a specific format. Implementation times vary depending on the product and the state of the organization's policies.
Along with implementation times, software cost is a key consideration with automated tools. For instance, the Elemental Security Platform 2.0 starts at about $35,000 with server agents costing around $600; workstation and laptop agents cost $60.
Which Is Best?
Both the manual and automated approaches can do the job well, but they clearly have limitations. In a large enterprise, automated policy management tools can be a tremendous help. But for smaller organizations, they may not be worth the cost.
Another possible problem with automated tools is that, instead of making customized policies for the enterprise, users can modify the company to fit the policies. Right now, many automated products are limited in scope by only taking a slice of the pie--either the network- or host-based approach. To truly be effective, a policy management solution needs both. Symantec is moving in that direction, with plans to add a network-based component.
Policy development and policy management are a complex series of daily tasks, but companies must face the challenge. As our IT infrastructure becomes more complicated and threats continue to grow, we will increase our reliance on manual and automated tools to enforce policies and report on compliance. As policy management products continue to mature, we will see automated tools that are better equipped to deal with the problem holistically, and hopefully prices will drop to where businesses of any size can afford to implement them.
To be sure, effective policy management will only become even more critical in the future.