LockPath Keylight Platform v2.3
Strengths: Fully integrated approach to risk management with a strong user interface. The tool is dynamic and intuitive, offers correlation capabilities, and we liked the attention to the small details.
Weaknesses: None technically. For SMB clients, this will be pricey for the full suite of apps on an annual license model.
Verdict: Very complete offering with a great approach to enterprise risk management.
LockPath's Keylight is a family of applications that manages enterprise risk and demonstrates compliance while providing visibility into corporate risk and security controls. Keylight provides a ready-to-use toolset that unifies and correlates any amount of security content. It exposes threats and vulnerabilities detected throughout the organization by tracking and recording key information about secured assets and creating an iron-clad audit history.
The platform is offered as either an on-premises or a cloud-based deployment. On-premises requirements include MS Server 2008 x64 or higher, MS SQL Server 2008 R2 x64 or higher, and .NET Framework v4.0 with IIS 7 and Windows SDK v7.0. The product deploys quickly, and we were told that typical deployments reach an audit-ready point in about 30 days on average.
The platform consists of several "applications" that are all fully integrated under a single user interface. Applications are simply added through subsequent licensing. The applications consist of Compliance Manager, Threat Manager, Vendor Manager, Incident Manager, Risk Manager and Business Continuity Manager. Our review focused on the first five applications as they all directly relate to enterprise risk.
There is a lot of prepopulated content, and the tool makes it extremely easy to use and customize, taking very complex regulatory requirements and allowing one to quickly drill into a specific control and page to see specific items. A full history of reporting and audit trails is logged for all changes to policies and controls. There is also built-in awareness/training acceptance logging that allows one to track notification requirements for a user base: by clicking on a link embedded in the email containing the update, a user acknowledges reading a policy or receiving updated notifications.

The assessment engine is intuitive. One can build questionnaires by linking controls to policies. The questionnaire presents only relevant questions to the user, adapting on the fly based on the answers provided.

The Threat and Vulnerability Manager provides the IT risk side of the equation. This application offers substantial correlation capabilities, makes it easy to build imports from all the common scanners, provides a powerful false-positive tuning tool, and can run in real time or batched. The asset management capability is complete enough to be a standalone offering, or one can import assets from an existing tool or spreadsheet.
Reporting and dashboarding are done well, with role-based integration providing levels of access from admin to vendor. The platform tracks all aspects of the product and assessment lifecycle. There is a pleasing "what-if" analysis feature that allows users to specify which requirements they would not comply with, and it even allows users to enter the exception workflow to ask for an exception. The documentation that comes with the product is all built in and is easy to use when needed. Support is included in the annual subscription price and provides technical support and product updates. When used as a complete set of applications, this solution delivers a lot of capabilities and makes the complex task of identifying, correlating, managing and remediating enterprise risk much easier.