The Elemental Principles of Security Compliance Management
by Fran Howarth and Marcia Kaufman, Partners
Compliance is a word that is in everyone's thoughts these days. Over the past couple of years, it has most often been used in the same sentence as "regulatory." And for good reason: regulations such as Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) are forcing companies to put their houses in order, or face stiff penalties if any wrongdoing is uncovered. At many enterprises, compliance also has a broader meaning related to the policies and procedures used to protect the company's IT equipment, data, and other assets. These policies, which include security and other business policies, generally prescribe minimum standards for use of IT equipment, definitions of misuse, and rules for enforcing the standards that have been set.
Security policy standards are, however, notoriously difficult to enforce. Over the past decade or so, corporate networks have grown exponentially, encompassing thousands of systems running on heterogeneous computing platforms. And those networks are constantly undergoing change, with new hardware devices added or removed, applications deployed or upgraded, and a constant stream of identity profiles being created, modified or deprovisioned.
East is East, and West is West
It is an oft-heard complaint that security and operations staff in large organizations don't talk to each other. They are often divided into separate departments, with separate budgets and chains of command, and in many organizations the twain shall never meet. The operations team carries out a continuous stream of changes to the corporate network, and the security team is constantly playing catch-up, trying to get all of those changes reflected in watertight security policies. The net result is that IT managers often lack knowledge of what their policies are and how they apply to each machine on their network, which makes it very difficult to implement consistent security policies.
One way to sort out the confusion and help enterprises to centrally manage all computers and devices on their network is to deploy a software agent on some or all of the network devices. This process extends identity management beyond the management of people to the control of computational devices. Software agents that take instructions from backend servers can be deployed on all devices in a network to control the communication and actions of those devices. These agents can be used to stipulate, monitor, and enforce company security policies and regulatory compliance policies, such as limiting access to certain assets or making configuration changes to machines that are out of line with corporate policy.
The Policeman at the Intersection
Elemental Security, a venture-backed technology company headquartered in San Mateo, California, is one vendor that understands these security compliance issues. Its solution incorporates software agents that allow fine-grained visibility into corporate networks, providing insight into how devices are configured and painting a picture of network activity covering all devices on the network. The agents use a granular policy framework to control activity and enforce accepted standards related to usage and configuration of all assets, including software, hardware, operating systems and applications. Elemental's technology encompasses four key areas of functionality: configuration management, policy management, policy-based access controls, and technology inventory management.
- Configuration management provides companies with the capability to detect what settings are configured on devices and their current state, to discover what threat management technologies (anti-virus, anti-spyware) are deployed, and to determine what patches have been applied. In addition, companies are able to change configurations when devices are found to be out of compliance.
- Policy management can be used to create granular, multi-layered rules across heterogeneous computing platforms and to measure the compliance of a company's devices with their policies.
- Access control technologies work to discover and enforce policies on rogue network devices, quarantining those that are out of compliance and restricting their access to the network until they are brought back into line.
- Technology inventory management provides a way for companies to determine what devices, applications and users are connected to the network. Companies are able to continuously monitor and report on all the hardware devices and applications on the network. Any unusual behavior can be flagged even in highly complex network environments.
The Elemental Compliance System (ECS) provides a unified way to ensure that all devices are in line with security policies and to prevent those that aren't compliant from gaining access to corporate resources. This is accomplished through the deployment of small software agents on hosts to collect, monitor, and control all computer access on the network. The process takes place in real time, so that non-compliant hosts can be contained before they affect the network. Machines discovered to be non-compliant with the host security policies can be contained until any problems are resolved. Likewise, if an unauthorized machine tries to access the network, it can be quarantined to prevent it from reaching critical resources or sensitive information.
The ECS agents can be used to provide control even when devices are out of contact with the corporate network, meaning that policy enforcement can be extended to mobile devices. In addition, by providing a mechanism to manage hosts not running the Elemental software agent, ECS overcomes one of the major problems that large companies may encounter when trying to manage their security policies with an agent-based system. ECS provides at least some protection and value to all machines on a company's network, even if the company purchases licenses for fewer agents than there are devices on the network.
Elemental's software became publicly available in April 2005 and the company has a small, but growing list of customers. Elemental recognizes that one of the best ways to show off its product and win customers is to demonstrate to prospects just how much information is discoverable in their network. And, through this, customers are finding that they are getting more information about what is on their machines from ECS than they have ever seen before.
One key benefit for customers stems from Elemental's development of a cross-platform custom policy language that allows users of ECS to express policy statements with intuitive expressions rather than requiring strictly technical terminology. This approach enhances the level of communication between operations and security staff. A typical policy language statement such as "disable all external media" would easily be understood by both technical and non-technical users because it closely represents the policy descriptions already used in the company's security documents. ECS includes many pre-defined policy templates and a library of thousands of individual rules, which speeds up the policy creation process. Together, the templates and the custom policy language eliminate much of the custom programming that would otherwise be required to translate a set of policy rules into the implementation details needed for each of the supported platforms.
Another key feature of Elemental's technology is that it allows companies to easily and dynamically group resources according to things that they have in common, such as belonging to the same business department, being the same type of machine or running the same applications. A library of hundreds of attributes is provided for creating such groups, which allows companies to map relationships between devices and their dependencies to provide a cohesive view of the entire corporate network. This context is extremely important for administering security: it means that companies can more easily remediate threats and vulnerabilities and more effectively automate provisioning and policy enforcement. The grouping is dynamic, meaning that a resource is re-classified into different groups when its attributes change, and its policies and access rights change with it. This helps organizations keep up with the constant change in their networks.
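The mechanism the last few paragraphs describe (readable rule statements compiled into checks, groups defined by host attributes so that a host is re-classified when its attributes change, and quarantine of any host that fails a rule of a group it belongs to) can be shown in a few dozen lines. The following Python is an added illustration of that idea only; it is not Elemental's code or its policy language, and the rule syntax, attribute names, group definitions and sample host records are all constructed for the example.

```python
"""Toy attribute-based compliance engine.

Added illustration of readable rules, attribute-based dynamic groups and
quarantine of non-compliant hosts. Not Elemental's code or policy language;
rule syntax, attribute names, groups and sample hosts are constructed.
"""
import operator
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Host = Dict[str, object]   # attribute bag an agent (or a scan) reports for one device

_OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge, "<=": operator.le}


@dataclass
class Rule:
    name: str
    check: Callable[[Host], bool]   # True when the host satisfies the rule


@dataclass
class Group:
    name: str
    member: Callable[[Host], bool]  # attribute predicate deciding membership
    rules: List[Rule] = field(default_factory=list)


def _coerce(text: str) -> object:
    """Turn the literal side of a rule into a Python value (bool, int or str)."""
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    try:
        return int(text)
    except ValueError:
        return text


def rule_from_spec(spec: str) -> Rule:
    """Compile a readable statement such as 'usb_storage == disabled' into a check.

    Fail-closed: a host that does not report the attribute, or reports a value
    of the wrong type, fails the rule instead of silently passing.
    """
    for sym, fn in _OPS.items():
        if f" {sym} " in spec:
            attr, literal = (s.strip() for s in spec.split(f" {sym} ", 1))
            value = _coerce(literal)

            def check(host: Host, attr=attr, fn=fn, value=value) -> bool:
                try:
                    return attr in host and bool(fn(host[attr], value))
                except TypeError:
                    return False

            return Rule(spec, check)
    raise ValueError(f"unsupported rule: {spec!r}")


def evaluate(host: Host, groups: List[Group]) -> dict:
    """Classify a host from its current attributes, apply the rules of every
    group it belongs to, and decide on quarantine (any violation -> quarantine)."""
    matched = [g for g in groups if g.member(host)]
    violations = [f"{g.name}/{r.name}"
                  for g in matched for r in g.rules if not r.check(host)]
    return {"groups": [g.name for g in matched],
            "violations": violations,
            "quarantine": bool(violations)}


# Constructed policy: groups are predicates over attributes, so a host is
# re-classified (and picks up different rules) as soon as its attributes change.
POLICY = [
    Group("all-hosts", lambda h: True,
          [rule_from_spec("antivirus_running == true")]),
    Group("finance", lambda h: h.get("dept") == "finance",
          [rule_from_spec("usb_storage == disabled")]),
    Group("windows", lambda h: str(h.get("os", "")).startswith("windows"),
          [rule_from_spec("patch_level >= 40")]),
]

# Constructed sample inventory records.
LAPTOP = {"name": "fin-lt-07", "os": "windows", "dept": "finance",
          "antivirus_running": True, "usb_storage": "enabled", "patch_level": 38}
UNMANAGED = {"name": "printer-3"}   # seen on the network but reports no attributes

if __name__ == "__main__":
    print(evaluate(LAPTOP, POLICY))
    print(evaluate({**LAPTOP, "usb_storage": "disabled", "patch_level": 41}, POLICY))
    print(evaluate({**LAPTOP, "dept": "engineering"}, POLICY))   # leaves the finance group
    print(evaluate(UNMANAGED, POLICY))                            # fails closed
```

Two design points matter here. Evaluation is a pure function of the host's current attributes, so moving the laptop from finance to engineering drops the finance rules without anyone editing the policy. And a host that reports nothing (no agent, or an agent that cannot be reached) fails every rule it is subject to and is quarantined, which is the safe default when the true state is unknown.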
The Bottom Line
Elemental Security has taken a unique approach by combining strong capabilities in the four key areas of configuration management, security policy management, policy-based access controls, and technology inventory management. This is a significant differentiator for the company as most of its competitors provide technology for solving only one part of the puzzle.
Hurwitz & Associates is impressed with the intuitive capabilities offered by Elemental's technology, which allows companies to remediate vulnerabilities on devices throughout their corporate networks, including remote devices, because the software agent by itself carries enough context to enforce security policies without having to contact a back-end server. Through this, companies have an ongoing understanding of which parts of their networks are in compliance with security policies and can quickly enforce compliance on those that don't make the grade. Not only does this ensure compliance with security policies and so prevent vulnerabilities from affecting the corporate network, it also makes it easier for companies to achieve compliance with regulations such as Sarbanes-Oxley, HIPAA, and the Payment Card Industry (PCI) Data Security Standard, because security controls can now be mapped to the underlying business objectives.