Security policies are at the heart of any information security operation. They state what is allowed or forbidden and how users, networks and systems should react under different circumstances. Making sure that policies keep up with the demands of the business – and are adhered to – is increasingly difficult. The good news is that a growing range of new tools and techniques can help companies automate the process.
Most experts agree that companies need to use policy and compliance management tools to close the gap between corporate security policies and the people who must practice them. John Glenn, an independent security consultant, says that without them, the only remedies are "the old standbys of awareness, training or re-enforcement of security requirements and, unfortunately, a strict enforcement of non-compliance consequences."
While technology research firm Gartner does not consider policy management to be a single market, John Pescatore, one of its analysts, says there are a lot of different tools for managing different levels and aspects of what makes up a security policy.
"Most of the products that are trying to call themselves policy management really don't do anything like managing policies," says Pescatore, who thinks the products run the gamut. Some tools check for compliance to standards for system configuration, like Symantec ESM and the NetIQ/Pentasafe solutions. "Then there are products that look at traffic on the network and build normal activity maps, such as Securify, nCircle and others, and indicate unusual activity," he adds. "There are vulnerability management products that scan for vulnerabilities (Foundstone, Qualys, ISS), and others that provide information on external threats (iDefense, Symantec, TruSecure)."
One must remember that firewalls implement policy, as do provisioning systems and host-based intrusion prevention systems, he explains. "So bottom line is there is no policy management market that we see. Policy has to be broken up into smaller, discrete areas."
Gilles Samoun, Solsoft's chief executive, says policy management is a buzzword and a lot of people want on the bandwagon. Devices and tools like firewalls, VPNs, routers, intrusion detection, anti-virus, and vulnerability assessment are important components of a modern network security arsenal, he says. "But these new layers of security are ineffective without intelligent management infrastructure and processes that can glue distinct tools together into a coordinated security system."
A distributed multi-vendor environment creates a management nightmare, he adds. Network administrators need a solution that allows them to address the many security devices on the network directly, and to push patches and updates in an automated, uniform fashion. "A new class of security software, security policy management software, does just this," he points out. "Unlike point-to-point management, where security devices are configured one by one across the network to attain the right level of security, policy-based management enables network administrators to closely follow business practices and needs."
Somesh Singh, vice-president and general manager of BMC's security business unit, agrees that tools and techniques can help to deploy and enforce security policies.
This means that IT managers know which part of their IT infrastructure is performing well or not, but that is only half the story, he says. "We have to know which business services are being impacted and the customer delivery process that business managers can relate to." According to Singh, from the network management side, companies like IBM, BMC, CA, and HP are the most prominent and have a good understanding of what their clients need. Companies like BEA Systems, Novell, Sun Microsystems and Microsoft are also trying to deliver solutions.
Delphi Group analyst Dan Keldsen points out that vendors are driving policy management as buyers are still simply reeling from the sheer number of options they can spend their security dollars on. "Innovation is a great thing, and some real and useful innovation has come along in security for the first time in years, but there is just a bewildering number of areas to throw money [at]," he comments.
To Keldsen, a modern infosec infrastructure should include security event management and security information management to make sense of all the logs and alerts your network, security, server and host devices are spewing out. Also, the necessary policy management component should encompass much of a company's "pure" security infrastructure – firewalls, VPNs and perhaps routers.
Yet another layer should encompass a modern intrusion prevention system (IPS). IPSs have actually significantly advanced from the simple blocking of intrusion detection systems (IDSs) to include worm containment, the ability to shut off individual machines or ports on individual machines, and large-scale blocking, explain Keldsen.
On top of the layers that can often be found in organizations, security policies act as the blueprint for safe computing. However, the unfortunate truth is that some companies still struggle to deploy and enforce them, says Enterasys CTO John Roese.
Roese, who was involved in the invention of the technology through the IEEE, says Enterasys, with the second largest installed base in enterprise networking that focuses on large enterprises, was the first to coin the term "policy management" in the early 1990s at Cabletron. Since its 2002 spinout from Cabletron, Enterasys has been providing an enterprise-wide solution that integrates security technologies in the network fabric.
Roese explains the vision of a secure, effective infrastructure is now clearer to customers, since the technology has become more real in the past few years.
"While the term isn't new, policy management is starting to become real," he says. "We no longer just talk about policy, we talk about making it real."
The increased awareness and demand for such technology has created an environment where vendors do not have to teach people about the technology or what it is, he adds. "We're not telling them they have a problem," he says. "We're providing the solution."
Enterasys is pushing forward with its Secure Networks approach, which positions the company around building highly intelligent, flexible, secure networks. The goal is to ensure that all users, including external users (like partners and suppliers) can have access to the resources they need while maintaining the security of critical assets.
Many see web services as the key to making this happen. One of the first vendors to use the new generation of XML-based security standards, Vordel, provides the framework for enabling secure web services. The company's CTO, Mark O'Neill, says implementing secure web services includes coverage of trust, confidentiality, cryptography, authentication and authorization.
O'Neill, who oversees the development of Vordel's technical strategy and product development, says to secure the extension of business processes across the firewall to integrate with customers, partners and suppliers, companies need to be able to extend the enforcement of policies throughout enterprise architecture across multiple applications.
"This involves leveraging many point security solutions and enabling them to process the security rules applicable to particular data, at any point, as it moves through the business process," he says. "This requires the creation and application of meta-policies, which contain an amalgam of different security policies that need to be applied at the appropriate point."
VordelSecure, which is an integrated-class XML server that allows companies to deploy and configure security for XML-based communications both inside and outside the enterprise, implements XML security standards such as WS-Security and SAML.
O'Neill emphasizes policy management has to include the users connecting to the server, as well as policy information which is already in the directory. "You need to leverage policies in terms of data to be allowed," he says. "We are aware that some of the network management vendors, like Computer Associates and Hewlett-Packard, are looking at integrated security policy management," says O'Neill. "It's still an area where we wish something existed."