The tools in this section have an extremely important role in the overall security of our data. While they do not protect the data directly, they provide the platform on which good information assurance is built. These tools define and manage the security infrastructure by managing risk and implementing policy. That makes them the centerpiece for compliance, a critical aspect of today’s enterprise.

Like most tools of this type, these risk and policy management tools can be quite large and complicated. However, that does not mean that they have to feel large and complicated. One of the major innovations that we saw this year was ease of use. These tools may exemplify that. One of the pleasant things that comes out of ease of use is the need to think about how the tool is going to be used and what its environment is likely to be.

While that may seem like a bit of a disconnect, it really isn’t. Traditionally, these large enterprise-class tools have gravitated toward large organizations. However, today more and more small companies need the functionality that these tools provide. That means that organizations with limited IT and security resources still need to have access to sophisticated infrastructure management. Add the challenges of cloud-based computing and the whole thing comes together on a lot of levels.

Having capabilities that are comprehensive, scalable and accessible by users with limited information security background is what these tools are all about. What they have in common is that they are designed with a lot of capability out of the box. They also have a lot of thought behind the seeming dichotomy of power and ease of use. In one case, the Innovator took a large and complicated, but extremely capable system and repackaged it to make it accessible to users at organizations of just about any size. That exemplified creativity and innovation.

Add a solid suite of ready-to-use policies and you’ve got just the right mix for risk and policy management at about any level of organization. Top it all off with excellent customization capabilities and you’ve described this year’s security infrastructure products.

Modulo

Risk management is a tough nut to crack in the IT world. Traditionally, organizations have avoided identifying IT risk as a separate and actionable risk area, folding it in with other forms of risk and often ignoring it completely. However, today, IT risk is a major issue for several reasons. First, and most visible, is compliance. Regulatory requirements force organizations to call out IT risk and address it explicitly.

Second, we finally are in that information age that people have been talking about for decades, and information is the life-blood of most organizations. In fact, even money itself is little more than data under certain circumstances. Finally, that status of data as the underpinning for the entire organization demands that risk be managed explicitly. Far fewer organizations than in years past are submitting to the “check-in-the-box” syndrome where compliance is all that matters and security comes a distant second, as long as the compliance report reads properly.

Modulo has addressed the challenge of compliance and real risk management by developing a platform that works on the premise of command and control. The Modulo Risk Manager links the organization’s assets and infrastructure directly to governance, risk and compliance (GRC) requirements and, using the most comprehensive knowledge base in the industry – 21,454 individual controls addressing technology, people and processes, views the entire organization from a risk management perspective.

The key to this company’s innovation is that it collects and harmonizes threat, vulnerability, operational, vendor and business risks – IT, operational and physical data – and matches this to business processes. The system is based on a MetaFramework on which one deploys the appropriate modules for the organization. The system integrates with many third-party products – more than 3,145 data collector possibilities, for example – to provide both front- and backend services and data sources.

This rich set of integration possibilities covers just about any business or IT configuration imaginable. The Modulo Risk Manager, then, becomes a central control point for addressing, managing and mitigating risk holistically throughout the organization. Hence, the notion of command and control. In part, because of its comprehensive command-and-control approach, Modulo is one of a small handful of risk management products used extensively in managing risk within national security organizations.

AT A GLANCE

Vendor: Modulo Security

Flagship product: Modulo Risk Manager

Cost: $28,500 depending on number of assets for SaaS deployment; contact vendor for on-premises pricing.

Innovation: Provides an aggregated view of risk in a command-and-control environment.

Greatest strength: Customer relationship.

Approva

Enterprise resource planning (ERP) is a necessary part of large organizations. It also is very difficult to manage from the perspective of policy violations because of its native complexity. Infor has been building ERP systems for a long time. All of that experience and expertise has gone into the Approva Certification Manager.

The Approva tool does just one thing: It looks for violations of policy within an ERP system. By identifying and mitigating these violations, one also mitigates risk. The ability to mitigate risk is predicated on being able to identify it and at the bottom of that risk identification is the ability to find violations of policy.

There are two big differentiators for this product. One is that it is ERP-system agnostic. It already has connectors for the major ERP systems, but if we wanted to develop our own ERP product it would be straightforward to implement a connector for it using The Studio. These connectors are, basically, policy rule sets. The product comes complete with a large set of pre-made policies. One can modify those policies using the Rules Builder or write new ones.

The second differentiator is, as one probably would imagine, the rules engine. The policies come from the experience of the company in 194 countries with more than 70,000 customers.

The Approva Certification Manager typically runs on-premises in application and database servers. However, it can run in the cloud as a hosted environment or it can run as a hybrid. It performs continuous monitoring focusing on data and data flows as it looks for policy violations. Once the violation is spotted, it is reported in a manner that supports mitigation action. The workflow is automated and a detailed audit trail is created recording the total process for future audits. This also results in a closed-loop, problem-reporting process that allows auditors and administrators to see exactly what was done to correct the violation.

It takes a lot of creativity to make a system that monitors a large ERP system. A major strength of the Approva system is that, although Infor has its own ERP product, the Approva system is ERP product agnostic. It would have been easy to create a system that monitored only the Infor system, but to support virtually any ERP product available and give the capability of supporting ones that have not yet been thought about is truly innovative.

AT A GLANCE

Vendor: Infor

Flagship product: Infor Approva Certification Manager

Cost: Contact vendor

Innovation: ERP-agnostic risk identification and management through data monitoring.

Greatest strength: Deep knowledge of ERP processes.