We usually focus on the tools of our trade and occasionally forget that the foundations of a secure network enterprise are wrapped up in our policies. It is from our security guidelines that we derive the configurations for internetworking devices, such as routers, switches and firewalls. We configure servers and endpoint devices, such as workstations and mobile devices, based on our policies.
Be that as it may, policy is the foundation for the practical implementation of enterprise security. But where do we get our strategies? In a well-managed network, those policies are the result of a close examination and analysis of the risks inherent in the network. Risk is a multilayered function derived from threat, vulnerability and impact. Add in a healthy dose of countermeasures to mitigate the risk and one has a picture of the security in the enterprise environment.
“Risk is a multilayered function derived from threat, vulnerability and impact.”
– – Peter Stephenson, technology editor, SC Magazine
Risk measurement and quantification in a dynamically changing environment requires tools that can take lots of inputs from sensors around the enterprise, measure threats from a variety of sources, balance those metrics against the criticality of devices and security domains on the network and keep track of the results.
Typically, we have treated these two functions as separate groups. This year, we have taken them together because more and more we are seeing both functions in the same device. These tools are not for the faint-hearted. They can be complex to configure, they are expensive and need care and feeding as the network changes, an inevitability that we all have come to accept as the way things are in our field.
That said, though, these may be among the most valuable tools in your arsenal. These appliances, software and services are valuable because they enable other tools to work at the peaks of their efficiencies and manage the outputs and configurations of other devices.
This month, Mike Stephenson and Mike Lipinski did the honors in the labs of putting these products through the testing process. If you need a policy management tool, a risk management tool or a combination of the two, I am pretty sure that you’ll find it here.