Ask five security managers what they mean by "security policy enforcement" and you're likely to get five different answers. The same holds true for vendors, who claim anything from access-control systems to application firewalls to system configuration tools that can help keep users and systems in line with enterprise security policies.
This is one case where everybody's right. Security policy enforcement legitimately means different things to different people. That's why it's vital to understand your IT infrastructure, your business' greatest security risks and how strict you need to be about enforcing security policies.
Some customers expect security policy enforcement tools to produce reports on systems that slip out of compliance with corporate configuration standards. Others expect tools to not only report compliance lapses but also automatically return the system to a safe state without costly manual intervention. Still other customers want templates for compliance with specific regulatory requirements, such as Sarbanes-Oxley.
Vendors define security policy management tools based on what their existing products do well. Some only monitor specific applications; others focus on specific types of systems such as servers or remote clients. Others are really access-control tools that enforce rules for who gets access to what or vulnerability assessment tools that scan systems for known viruses or security flaws. Still others are basically intrusion-detection
Finding the right fit
Given all these choices, here are some features Mark Nicolett, analyst for Stamford, Conn.-based Gartner Inc. recommends customers look for:
- A choice of manual or automatic remediation when a system goes out of compliance
- The ability to easily accommodate exceptions (such as an engineer who needs limited access to sales data for a special project)
- The ability to selectively delegate responsibility for making changes (so that the CEO could, for example, grant his administrative assistant special access rights to read and forward, but not modify, his e-mail) as well as a "modeling" mode where customers can see what changes an enforcement tool would make before actually implementing it
The right tool for your organization isn't necessarily the one with the most gee-whiz features, but the tool that fits the severity of your security challenge, your corporate culture and the security policy creation and enforcement processes you already have in place.
Automatic remediation offerings limited
Although automatic remediation is less expensive than having a help desk do the work, it's important to be able to bypass those capabilities, says Nicolett. In fact, automatic remediation isn't widely used because of the danger that users' legitimate access rights could be taken away to fix a minor policy violation that doesn't pose a substantial threat to the business.
Automating policy enforcement is also hard, he says, because security policies are usually set by one group with an organization, while changes to a system's configuration needed to enforce compliance (such as shutting down a port on a server) are carried out by system administrators following established change-management procedures.
Among the vendors providing some level of automated mitigation, says Nicolett, are Dallas-based Citadel Security Software Inc. with its Hercules 2.1 at a retail price of $995 per server and $129 per workstation. Woodland Park, Colo.-based Configuresoft Inc. also offers its Enterprise Configuration Manager 4.5 ($995 per server and $30 per desktop). Other vendors in this space include Newton, Mass.-based Pedestal Software Inc. with its Intact 3.5. This product detects, logs and responds to unauthorized changes in operating system settings and files as well as directories, data files and file attributes. It also supports automatic reconfiguration of systems to a known good baseline state for settings and files. The price is $445 per server.
Other options abound
Here is partial list of the many other products that claim to do policy enforcement.
- Lexington-Mass. based Liquid Machines' namesake security software attaches policy-based security rules not to users or to systems but to data objects, such as files. These rules specify, for example, whether a user can read, copy or modify a file or portions of the file, and follow the data object (or any information cut and pasted from the object) wherever it goes. Policy "droplets" within the data object allow users to view the policy associated with the object or to change the policies if they are authorized to. The company, founded in January 2001, claims its software is in use by 10 customers with more than 2,500 users. Pricing begins at $5,000.
- Once best-known for its personal firewall, Freemont, Calif.-based Sygate Technologies recently added automated remediation to its upgraded Sygate Secure Enterprise 3.5 suite of security and enforcement software. The new suite includes enhancements to its Enterprise Policy Management agent that cuts costs for customers by eliminating the need to run the agent on a dedicated appliance, says Senior Vice President of Marketing Bill Scull. Pricing ranges from $15 to $70 per seat depending on the functionality required.
- BMC Software's Control-SA approaches policy enforcement from an access-control perspective, ensuring users get access to only the applications and systems they should as their jobs and responsibilities changes. "Once you are granted access to something, every transaction is logged" to determine who is violating the access-control policies, says Deetak Kanwar, BMC's manager of security solutions. Control-SA costs about $130,000 for a configuration that supports about 3,000 users.
- Consul Inc.'s Insight Security Manager 4.5 tracks users' behavior on the corporate network and generates reports on possible violators, but it does not automatically deny them access or reconfigure systems. Pricing begins at $10,000-15,000.
- Mountain View, Calif.-based InfoExpress Inc. offers its CyberGatekeeper Server, an appliance that monitors remote computers, ensuring they comply with corporate security requirements before allowing them to access the network. Each CyberGatekeeper Server costs $6,500, with the required CyberGatekeeper Agent ranging from $30-$40 per seat, depending on volume.
- If you want enforcement of industry-specific security policies delivered as a Web-based service, check out the NVPolicy Resource Center from Orem, Utah-based NetVision Inc. The service, managed for NetVision by META Security Group, comes with a library of security policies and standards for complying with regulations such as HIPAA and the Gramm-Leach-Bliley Act. Annual subscriptions start at about $5,000 per administrative user.
Finally, remember the best policy enforcement tool is no good if it makes life too hard for end users, says Sammy Migues, principal scientist with TruSecure Corp., a managed security services firm in Herndon, Va. Some companies, such as banks, are traditionally more conservative than others, meaning their users are more willing to put up with strict security policies. However, "If you have to send everybody to training (to use a policy enforcement product), it's probably not a very good tool," he says.
About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.
This was first published in September 2003