The need to carve out enterprise policies, specify controls around those policies and then smoke out the scofflaws is universal. But risk and policy management inside most organizations is often messy, and looks more like an exercise in hand-wringing than a coordinated, rational process.
Now that a significant data breach is announced every month, treating security as a classic case of risk management has gained acceptance at the executive levels of most organizations. But there's still the issue of how policy directives about cyber risk are translated into the control of packets traversing the network. It's one thing to create a prioritized list of things to worry about; it's quite another to convert that list into firewall rules, data loss prevention policies and the like --and then make sure that those various filters and settings remain consistent with that prioritization over time. It's here that the tools come in, and it's a category that's gaining in importance every year.
Some of these tools have adopted an executive interface while others stay closer to their administrative-tool roots. Readers gave the nod to both types, as shown by the two winners that we honor here as the best Risk and Policy Management tools of 2014.
Winner: QualysGuard Policy Compliance, Qualys Inc.
QualysGuard Policy Compliance is an off-premises approach to the policy controls game. It's part of the QualysGuard Cloud Suite, a veritable grab-bag of management tools that, in addition to Policy Compliance, comprises Vulnerability Management, Continuous Monitoring, Web Application Scanning, Malware Detection Service, Web Application Firewall, PCI Compliance, Questionnaire and Qualys Secure Seal. Those other goodies aside, Policy Compliance enables customers to automatically identify IT assets, collect and analyze the IT security data associated with them, discover and prioritize vulnerabilities, recommend remediation actions and verify implementation. An important aspect of these tools is easing the process when auditors come calling, and QualysGuard comes through with a nice set of high-level, auditor-facing reports (and, of course, the ability to drill down into the underlying details as needed).
Qualys users clearly like the company --in this category, Qualys got top-of-the-dial kudos for vendor service and support. But they gave equally high marks for the effectiveness of the product. There are vendors with more market share --McAfee and VMware have locked up nearly half the market in this niche, according to our readers, who it should be noted gave those products better-than-respectable marks as well --but Qualys clearly does well by those who choose it.
Winner: Network Configuration Manager, SolarWinds
SolarWinds' Network Configuration Manager is a product that does what you'd expect, given its unambiguous moniker: It scours all the devices on your network and checks them to make sure they comply with the policies you've outlined. It has plenty of flexibility in terms of what kinds of devices it can monitor, from endpoints (of course) to firewalls and other key elements of network infrastructure. And if you like what you see on its impressively comprehensive console page, it's worth noting that SolarWinds makes a number of other bread-and-butter infrastructure monitoring and tweaking tools.
High marks went to SolarWinds' data archiving, ease of installation, configuring and administration, as well as granularity and flexibility in defining policies. It also grabbed some love for ROI --not too surprising, given that this product's entry point is below $3,000. You might get some change back from unexpected sources as well, because SolarWinds has thrown in support for enabling and managing Cisco's EnergyWise devices. This means you can put a throttle on unnecessary energy consumption. Sure, trimming the electric bill may not be your first thought in looking at products like these, but it can't hurt, right?
Send comments on this article to firstname.lastname@example.org.
Curious about which products won last year? Compare this year's results to the 2013 best of policy and risk management.