Vendors in this market provide tools to enforce compliance policies against security configurations. While a number of niche players are capitalizing on the spending, some are broadening their reach as businesses seek vendors that can provide a wider range of services.
"A lot of medium sized and larger organizations are preferring to go with the vendor that can offer them a whole suite of products as opposed to a one-off technology that can't talk to the whole IT infrastructure," said Khalid Kark, a senior analyst at Cambridge, Mass.-based Forrester Research Inc. "It's forcing stand alone configuration management players to look for partners or try to get acquired by somebody to offer a larger suite of products."
In a study conducted last year by Forrester, Altiris and BindView, security vendors that were both acquired by Symantec, were identified as the leaders in the market, followed by LANDesk Software and BigFix.
There's no doubt that Symantec saw the security configuration management as a growing trend and needed to broaden the features of its product, Kark said.
Vulnerabilities within an organization happen primarily because of changes in security configurations, Kark said. Software can also monitor the deployment of new patches and ensure that no changes occur that change security configurations. A majority of data breaches occur because company employees within the firewall make intentional and unintentional configuration changes that open attack routes for hackers.
"Either it's a vulnerability in software, which we are all familiar with or configuration changes being made day to day by people within the organization that introduce vulnerabilities," he said.
The remaining vendors in the market are broadening their scope to compete against larger vendors such as Symantec. Colorado Springs, Co.-based Configuresoft Inc. is making itself stand out by trying to capitalize on organizations upgrading systems to a service oriented architecture and those that are using server virtualization.Server vertualization is not necessarily the main driver of security configuration management tools. Companies such as Lexington, Mass.-based Bladelogic Inc. are filling the need for server configuration management, said Mark Nicolett, research vice president at Stamford, Conn.-based Gartner Inc.
"This segment is a bit busier than it had been and I expect this segment to be driven harder," he said.
Nicolett said that companies in heavily regulated industries, with more mature compliance initiatives could turn to niche players such as Configuresoft to provide configuration management capabilities. Other businesses are turning to Symantec, NetIQ, Computer Associates to fill the need for security configuration tools.
"In many cases an auditor is coming in and saying that there are short comings in change and configuration management so we're seeing more activity from in on the operations side," he said.
Configuresoft has been positioning its product to be sold to either IT operations or security. But vendors from different market segments, including patch management are adding security configuration capabilities to their tool sets, Nicolett said.
Configuresoft recently released its Configuration Intelligence platform, which integrates with BMC Remedy, Microsoft SMS provisioning software, and EMC VMware virtualization software. The software also uses business intelligence to provide a level of analytics to give an indicator of system changes and security event issues.
The vendor is using business intelligence to alert management of any configuration changes that can open holes and increase risk, said Andi Mann, a senior analyst at Boulder, Co.-based Enterprise Management Associates. The goal is to increase knowledge about configurations across the whole enterprise, he said.
George Gerchow, Configuresoft's technology strategist said merchants seeking compliance with PCI DSS, credit card security standards are driving spending on configuration management tools.
"Companies are reducing risk by increasing knowledge," he said. "Understanding what configuration changes are taking place and how they affect the company's entire IT environment is an important part of any security program."