Product Details
Product Rating
Policy management (2003)
Good security requires the implementation of good security practices, but introducing a policy shouldn't be a difficult task. By Jayne Parkhouse
We all know that the way to good security is to implement good security practices, but taking a policy and implementing it can become a daunting task to the uninitiated. In order to achieve this, a security policy must be practical and effective. That may not sound so easy, and in practice ensuring that everyone adheres to your restrictions will require more than just a written rule set. It also needs strong management capabilities to ensure compliance with the rules. These should enable a usable and easily maintained way to implement a security policy throughout an entire organization.
Keeping security simple
Security needs to be simplicity itself to work. The simpler it is the easier it is to maintain without overlooking possible vulnerabilities that can seriously affect your whole system. And with policy management, the easier it is to create, edit and delete policies, the easier it becomes to update them. Couple that with good navigation, logging and reporting capabilities and a dash of real-time monitoring and you could find the whole process a walk in the park.
To be this good it also has to provide end users with a similarly pleasant experience and it needs to become second nature, an integral part of the working day and not so much of a struggle that it becomes a challenge.
If the written word was followed to the letter then the police and homicide departments would have little to do. But we are human and in our world, for many, rules are there to be broken. It is as much a part of our lives as eating and breathing - we are all to some extent law breakers whether we like it or not.
Now in the office environment we may only break the odd rule, such as not logging out prior to a lunch break, or printing off a confidential file that we cannot secure between printer and desk. But we're the good guys right? - Wrong. We are the guys that make up the estimated 85 percent of internal breaches you keep hearing about, and together we do a lot more damage than we might like to think. We are not all malicious, just lazy and careless. So if it is simply human nature to be this way, how can we avoid our own mistakes?
Thankfully the answer is already available. If it is data security you need to protect, then establish a rule set that is accomplished by a computer-led program. And what you get is a solution that deals with different scenarios - "If you do this, that will happen, if you want to go there, you need to do this or be in that authorized group. If you do that and violate this, you will be logged, and if you try to get around the rules you will be stopped and reported - comprende?"
But it is not just our data we need to protect, so the rules need to be applied to registry settings, configuration settings, printer settings; the list seems endless.
Don't leave anything to chance
Not many companies can simply leave their security to chance. They need to implement and police it to ensure that mistakes and malicious actions can no longer be accomplished without detection.
A good policy management tool can save many a mistake and prohibit actions that could in turn establish a knock on effect. Policies tend to grade different actions, which pull another rule into play. This means that if someone on your network violates a rule, another rule is automatically applied, which will have the desired effect, whatever that may be.
Software that allows the administrator to write and edit a security policy can now be the backbone of a secure system. It is the company's 'police force,' 'lawyer,' 'judge and jury,' but it can also be your 'tutor,' 'mentor' and 'savior.' Some policy management solutions even provide user integration to ensure not only do your employees comply but they also know why and how to deal with system data securely; it prevents human error to some extent and can satisfy a company's legal requirement too.
Playing by the rules
Whatever you do to alleviate the risks it must easily integrate with your existing network applications and it must be capable of pulling in information from across the network to enable the rules to work. What we were looking for in this Group Test was primarily how products installed and whether implementing a security policy could be accomplished in a logical manner. In a policy management solution where policies are created, introduced, edited or deleted regularly, it is imperative that it is a simple process. This is important when you consider the need to keep a tight ship in relation to new and changing legislation.
Users and groups need to be categorized for the rules to work correctly and their actions should be logged, with comprehensive reporting available on demand if required.
Scalability, and whether policies could be easily copied to other networks could also prove useful in an efficient deployment, so we were looking for solutions that provided this option. One thing that strengthens network security is the education of its users, and so we were looking for active participation in the protection of the network.
In this Group Test we take a look at nine products, their different features and the way they are deployed. We look at the ease with which policies can be created, and give you the benefit of our experience when using the default policies that many supply to speed up deployment of policy management.
We have split these tools into two distinct groups. The first is enterprise-wide policy enforcement tools, which can handle your entire security policy. The second group provides specific protection for either email or internet use, using policy to control this extremely sensitive area.
