As I commented in my opener this month, the tools that we are reviewing are a group of very sophisticated, many-faceted products. Broadly, they fit into the category of governance, risk and compliance (GRC), but they are a lot more and, perhaps, a bit less. Confused? Don't be. It's really quite simple to discuss, though not quite as simple to do.
Governance is the overarching description of the policies and directions of an organization from the top. Directors, CEOs, presidents and CIOs, for example, are involved in setting the standards for governance within the organization. They set those parameters based on best practices, regulatory requirements, the business environment in which the organization exists, and the environment of the organization itself. Governance can be a bit abstract, but as we go from the general to the specific, we start to enter the domain of the tools we are examining.
Risk management requires that risks be identified and managed. We measure risk in terms of threats, vulnerabilities and impacts. We hope to be able to analyze risks and determine the best way to manage them. We have lots of choices, not all of which will apply equally. It may be easier in some cases to manage vulnerabilities by patching or by adding some countermeasure, such as a firewall, to block access to the vulnerability. For a vulnerability to be exploited there needs to be a threat, and the threat agent must have access to the vulnerability. That access is called reachability, so the notion of reachability is inherent in the notion of vulnerability. The issue is complicated a bit by the fact that, today, attacks often are not simple one-off exploits. They may be chained exploits within the enterprise itself, or they may require the use of a pivot (a vulnerable device that can be compromised and then used, in turn, to compromise other devices that trust it). That means that analysis - and subsequent management - of vulnerabilities is not a simple process.
Sometimes, it is easier and more efficacious to manage threats. In that case, we usually place some sort of countermeasure between the threat and exploitable vulnerabilities in general. The problem with that is both threats and vulnerabilities are an ever-shifting landscape and, therefore, challenging to manage. That is where the tools that we are reviewing come into the picture. They handle this dynamic environment far more efficiently than can a human administrator.
Compliance is the third leg of the GRC stool. It is the elephant in the room. Compliance is expensive and complicated, but necessary. While fines are not particularly common yet, the penalties for being out of compliance with regulatory requirements can be significant. More important, a case of ID theft traceable to an organization's negligence in maintaining compliance can result in lawsuits.
Managing GRC means controlling both risks and the configurations of the devices meant to implement policy as a countermeasure to risk. It is a basic tenet of information assurance that one must have a technical way to enforce policies. Simply telling people that they need to follow certain password rules, for example, is not a reliable way to implement that policy. The system needs to have a way to enforce the plan. Policy management tools do that for you.
When one combines risk and policy management into a single tool, the best of both worlds is available. One analyzes the ever-changing risk landscape and then adjusts the appropriate devices in the enterprise to mitigate the discovered risks. Clearly, we don't usually behave in that old-school manner, but GRC management done manually is not far different. If yours fits into any of the many categories of organizations that must be compliant with the multitude of regulatory requirements that bedevil - and protect - us, the tools we look at this month are critical to success. Even if your enterprise doesn't, take a close look at these products because they will, undoubtedly, simplify your life.