Peter Stephenson, technology editor, SC Media

This month we are looking at the current state of risk and policy management tools. This is one of the most dynamic groups we have watched over the years. Each year we see an interesting mix of completely new approaches and updates of traditional ones. This year, as in its infancy last year, we have two rather distinct sub-groups: next generation and traditional.

Next-generation products are characterized by their close affiliation with other security tools, most often firewalls. They perform auto-discovery and auto-configuration (often no-touch), use advanced machine learning and employ other advanced technologies.

Traditional products are most often typical GRC tools with a few updating twists. For example, many of these have added intelligence to manage the workflow. None do their own auto-discovery, but a few derive network inventories from third-party tools such as vulnerability scanners. Most of them can consume data from these third-party products, a necessary capability if the products are going to scale in large environments. It's important to recognize exactly what the vendor means when it says that the tool is “automated.” That term, in the context of this type of product, is very fuzzy and, in our view, often meaningless.

With many of these products, time to full deployment is about as hype-laden as we've ever seen. We have heard claims ranging from hours to months and, of course, there is anecdotal evidence that deployment can take years and often is abandoned completely. Nonetheless, these tools are critically important in today's regulatory and litigious world, so they are truly necessary, if a bit troublesome. The trick is to know what you need and what your resources for deployment and ongoing management are.

These tools are worthless if they do not know about all the assets in your enterprise, the rules you need to live by and what changes you are making (including who made each change and whether it was authorized). Getting 200,000 assets into a risk and/or policy management tool is next to impossible if the tool does not have some practical way of assisting you. But if you and the tool get it right, it can keep you out of a lot of compliance trouble and can lower your workload and management costs materially. That's a pretty good combination.

Read on to see this month's reviews:

Cavirin Hybrid Workload Security

RiskVision Platform

Tufin Orchestration Suite

Acuity STREAM Integrated Risk Manager

MetricStream IT GRC Solution

SAI Global Digital Manager 360

Tripwire Enterprise

AlgoSec Security Management Solution

Allgress Insight Risk Manager

FireMon Security Manager and Risk Analyzer