Policy management

It is time to get serious with policy management. Regulatory requirements never have been greater or more complicated. Cybercrooks never have been more sophisticated. The enterprise never has been so large or widely dispersed. All in all, we live in complex times and any tools that we can find to help us manage that complexity certainly are welcome. Managing complexity, as it happens, is exactly what this month's policy management products are all about.

We look at policy management tools every year, and every time we notice that they are trying hard to keep up with the current stable of threats and other challenges. This year, though, they have made some pretty nice strides. Overall, this year's crop is showing more automation, and we have niche tools for enterprises of various sizes and types. These are important steps forward.

The real problems that policy management tools need to address are continuing - and increasing - regulatory requirements, and the increasing level of agility required for successful business. That means that device configurations need to be equally agile to address these two key issues. For example, consider the virtualized environment, arguably the data center of the future.

This is an environment that changes very rapidly, and often without much lead time. Servers are easy to add and remove, configurations tend to be one-off because many servers are performing unique tasks, and they are no less subject to regulatory requirements than are the physical servers in the racks next to them.
Additionally, there are issues of vulnerability management, fault remediation and overseeing of both physical and virtual devices. Take that complex network and expand it all over the world into countries that have vastly different security, privacy and regulatory requirements and one has a pretty set of challenges for policy and configuration management.

We saw all of these challenges addressed this year. Leading the charge are change and configuration, firewall and router management. To keep all of this straight there is far more automation than we have seen before. For instance, we saw examples of automatic fault remediation. This is a bit of a Holy Grail for security administrators who often have to decide between patching and fault remediation (although both are sides of the same coin) when deciding how to divide their time.

It often is a prickly question as to whether a particular enterprise actually needs policy management. True, some of the tools can be rather pricey, and certainly may be overkill for smaller organizations. However, today there are niche products that address the smaller enterprise, as well as the usual group that shine in larger environments.

The key is to look at what you have that needs policy management and what your enterprise looks like. Smaller, compact enterprises need less. If one has an organization that is heavily subject to regulatory requirements, such as GLBA or HIPAA, this also may be a candidate for policy management regardless of size.

Why? Simply because if one has a consistent way of implementing policies and managing change and configuration, one is far less likely to run afoul of the regulators. One also will have a better handle on the consistency and correctness of configurations. Most important, though, is that as things change - new regulatory requirements, new systems, new use cases, and more - one will be able to turn on a dime with the absolute confidence that nothing has slipped through the cracks.

All of this flexibility comes at a cost though. This year's products can be rather challenging to deploy and set up. Initial deployment is no walk in the park for most of these. However, detailed requirements often require detailed solutions, and these products are no exception. Policies are far more detailed than in the past. Detail gives one more choices to make. That's the good news. The bad news is that detail also gives one more choices that must be made.

The need for more choices - a necessary evil, perhaps - is one place where we have seen some improvement this year. With more choices comes the need for simpler policy development and deployment. Overall, this bunch of products has improved policy engines, and many of the drag-and-drop policy generators are quite slick.

Still, admins will need to take care with initial deployments because one can get oneself into a lot of trouble if deploying something that shuts down the routers. The best bet is to pilot with policy changes that don't make the changes at first. This gives the admin a chance to examine the possible results of a change. Build a sandbox that has many of the characteristics of the enterprise - easy to do in the virtual world - and use it as a test bed before going ahead to production. It can save a lot of headaches.

Mike Stephenson contributed to this Group Test.
