STUMBLING BLOCKS
For security teams, there are a few points to keep in mind to avoid pitfalls with change management:
- Understand the distinction between change management and configuration management. Change management is a process framework, aided by technology. Configuration management is more often equated with tools themselves, like a software agent on a server that monitors critical files for changes or a configuration database (see "Tools for Change," below). However, well-designed configuration management can greatly facilitate proper change management for security teams.
- The biggest obstacles to achieving effective, risk-focused change management are people and processes, not technology. Focus on working with peers in different IT groups and business units to understand security's role in the change management workflow. "Security should become more of an 'active partner.' Tools should be less of a discussion than the policy and process creation," says Kris Brittain, a Gartner vice president.
- When you evaluate configuration monitoring and implementation tools, look for those that can be integrated into organization-wide change management products. Don't create silos for security and security products.
Although configuration monitoring tools are beginning to integrate with change management products, convergence of the two is a ways off. For now, security professionals should focus on policies and processes, refine internal processes for risk analysis of proposed changes, and ensure that proper audit trails are kept of all steps in the change management workflow.
 |
|
|
|
|
|
|
|
|
|
products |
|
|
|
|
|
|
|
|
|
|
Tools for Change
Several products help streamline change and configuration management.
A variety of tools exist that perform centralized change and configuration management functions.
Some combine traditional patch management with configuration management options via agents or appliances that can inventory systems and applications, apply and monitor patch levels and control configuration details. These include BigFix Enterprise Suite, Configuresoft Enterprise Configuration Manager (ECM), Kace's KBOX Systems Management Appliance, BladeLogic Operations Manager and Lumension's PatchLink.
Other tools are more concerned with policy management and configuration monitoring, and perform file integrity monitoring and policy enforcement based on an organization's specific settings. Organizations define baseline configurations that map to policy, and once applied, the tools monitor for changes. These tools can either alert or automate configuration and remediation based on policy. These include Tripwire Enterprise, nCircle Configuration Compliance Manager and Solidcore S3 Control.
A third type includes traditional change management products that may integrate help-desk ticketing, change request and approval workflow tools, and built-in auditing functions. These include BMC Remedy, HP Change and Configuration Center, and IBM Tivoli Change and Configura-tion Management.
--DAVE SHACKLEFORD
|
|
|
|
|
|
|
|
|
