Group test: Policy management
October 06, 2009
Policy management is a challenge for most organizations. It's a formidable duty to periodically review configurations, vulnerabilities, patches, servers, users, network and security rules. Now, imagine that these tasks must be performed in real time, or near real time, to validate the enterprise security posture as it relates to corporate policy. Most corporate governance statements, compliance requirements and various regulatory bodies require us to do this. Fortunately, there are tools to help address this challenge. In this month's review, we are looking at policy management solutions. These products provide the tools for managing, enforcing, auditing and reporting on various security and network system configurations and patch levels.
For this review, we looked for products used to enforce configuration policies of devices in an enterprise. This could include, but was not limited to, network configuration, security configurations, encryption configuration, or software configuration, as well as hardware configuration of any devices in the enterprise. By our definition, these products should be able to audit devices against a policy created by an administrator, as well as provide the ability to make policy changes to devices in the enterprise from a centralized console. These solutions were also required to address compliance management. Additionally, we looked for centralized management capabilities, support for compliance reporting, optional risk management capabilities, and centralized auditing, alerting and reporting.
How we tested
Our testing methodology for this month's Group Test used vendor-provided, web-based access to their systems. Vendors were allowed to run through a short presentation on the company, product features and value proposition and to describe the implementation process that a typical end-user would experience. We then ran through a full demonstration of the products using our usual evaluation criteria: ease of use, features and functionality, reporting and alerting, documentation and support.
We asked the participants to not only demonstrate the features and capabilities of the offering, but to also run through a typical deployment scenario. The solutions reviewed consisted of client-side software deployments, appliance-based solutions and combinations of both.
We reviewed solutions that focused on security products (i.e., firewalls, IDS/IPS systems), others that were endpoint-focused, and some that spanned security, network and endpoint products. Some were very good at managing the assets, as well as the vulnerabilities and patches on each asset. Others had very nice compliance- and risk-reporting capabilities. Still others addressed the challenge of managing large numbers of security and network systems and synchronizing the configurations of each as policy changed.
Although these products offer a great service, before choosing a vendor it is important to consider the impact these services will have on your environment. Most of the solutions in this field are agent-based and impose some additional overhead on endpoint resources and network infrastructure. The agent size and performance, as well as the network load requirements, should all be evaluated before you select a solution. For the solutions providing knowledge-based decision support, such as risk management and compliance reporting, it is important to look into the service and support capabilities of each vendor to ensure timely updates for their reference data.
There is no golden ring for security and risk management. Defense-in-depth is still the governing best practice, and people and process are required components of that strategy. These solutions have evolved in maturity to deliver a very usable set of tools for combating the policy, risk, compliance and patch management challenges facing most organizations. I enjoyed preparing this set of reviews. I found something that I really liked with each of the products we looked at.