Group Test: Policy management

Configuration weaknesses and missing patches for servers, workstations and network devices continue to make their way into the information security headlines on a daily basis. Like many other well-publicized events that tend to whip people into action, IT and security stakeholders are inundated with reactive mandates to patch quicker without breaking applications, deploy faster with less resources, and to provide more protection without impacting productivity.

As companies experience growth, acquisition or even expansion to different lines of business, the configuration of workstation, server, network and security devices becomes more difficult to manage. Changes in the regulatory landscape and ever-evolving threats to information assets have put a burden on managers and administrators. Today, it's no longer acceptable to avoid developing configuration standards, nor is it acceptable to throw everything at the patching process in hopes that everything remain secure. Many organizations are moving toward a risk-based model that manages assets using methods that make sense. 

Just a few of the items that have piqued the interest of decision-makers with regards to helping them manage hosts and achieve their policy enforcement goals, include network access control, anti-malware, operating system patches, registry settings, router and switch configurations, rule base management, access control lists, host integrity applications, encryption, logs and disparate systems. Regulatory requirements, especially in the financial sector, have mandated that businesses have reasonable protections and control over their technology infrastructure. Regulators don't sympathize with a disparate environment, and it's an issue that taxes resources and drains effectiveness for many organizations. Relying on administrators and teams of IT personnel to manage so many different components within their respective silos is no longer cost effective, nor is it good business. By no means is implementing technology to help you manage policies a panacea, but some of the features that are creeping into the policy management space can help alleviate some of the pain points associated with these daunting tasks.

In this review
We examined two general classes of products: solutions that help manage workstations/servers and solutions that help manage network devices (firewalls, routers, VPNs, IPs, etc.). We did not review any tools that had the capabilities to perform both functions. Both classes of products can help with particular issues that an organization may be struggling with. The decision is left to the individual business with regards to what side of the infrastructure warrants a capital expenditure to mitigate configuration, policy and change management risks.

How we tested
All of the products in our group review were installed on either Windows XP Professional SP2, Red Hat host machines or Windows 2003 SP2 servers with MS SQL 2005 and MySQL databases. Networking configuration testing was run against multiple vendors, including Juniper and Cisco. We ran our configuration management against firewalls, VPN devices, routers, switches and even some security devices.

We deployed agents to Windows and Linux devices for our workstation/server policy management tools and added devices to our network configuration management inventories. Surprisingly, we did not have any issues with installing agents and deploying configuration and policy for any of our Windows or Linux machines. In all fairness, we expected some Windows agent problems, but were pleasantly surprised when we didn't encounter any.

From a reporting perspective, some products produced better reports than others. Those with a risk-based approach or compliance templates and reports scored highest. We feel these features are very important, rather than simply focusing on a gap analysis and whether you're in compliance or not. 

Even though the products performed as we would expect, decision-makers will have their work cut out for them when deciding how many devices should be managed. Some of our products suffered from a bit of an identity crisis in their branding and even product names. Customers may want to steer clear of solutions that have changed hands several times in the past couple of years.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.