Companies create security policies for many reasons—perhaps you need to comply with corporate security standards, or you want to adhere to certain recommended best practices, or you need to abide by regulatory compliance. Your computing environment is unique, and therefore your security policies need to be tailored to your specific infrastructure. The biggest security-policy management challenge you probably face is accomplishing it all without increasing head count and costs.
You're probably on the lookout for an easy-to-use solution that provides visibility
into your organization's current state, as well as automated remediation. You'll
find a wealth of solutions on the market that seek to protect specific aspects
of your organization— whether it's Active Directory (AD), file servers,
workstations, or a combination of these or other areas. Where do you start looking
for that perfect solution that targets your specific needs? Let's examine the
various factors that might comprise a security-policy management solution, from
AD integration to regulatory compliance to endpoint security.
Pillar Protection
AD is the central pillar of many organizations, and changes made to it can affect
users company-wide. Administrators can use AD to push security policies across
the entire enterprise, so it's vital that you know who is making changes,
what the changes are, when the changes are being made, where
the changes are being made, and why the changes are being made. NetPro
considers this "5 Ws" list the centerpiece of its ChangeAuditor for Active Directory
product. ChangeAuditor identifies these "5 Ws" for all changes to group and
user configuration in the AD environment. NetPro offers similarly functioning
modules for file servers and Microsoft Exchange Server.
Configuresoft's Enterprise Configuration Manager (ECM)—although not tied solely to AD—also plays a big role in the Windows security-policy management space, offering support for Exchange, Systems Management Server (SMS), and so on. Recognizing the uniqueness of individual environments, Configuresoft has fashioned a solution that collects thousands of asset, security, and configuration settings from throughout your enterprise and stores them in its Configuration Management Database (CMDB). You can then use this assembled information to determine which policies are appropriate for your infrastructure.
You should also consider NetIQ in this arena. Its Change Guardian for Active Directory is similar to NetPro's solutions, in that it ensures that all changes to AD are authorized, monitored, and audited.
Targeted Systems
Most vendors in the security-policy management market provide policy templates
from popular industry experts or leading IT security organizations to help you
secure your organization. Most of these templates are customizable, or if you
feel up to the job, you can create your own template from scratch. New Boundary
Technologies, like many other vendors, offers policy templates but sets itself
apart from the competition in other ways. Its policy-management solution, Policy
Commander, automatically implements, monitors, and enforces computer-security
policies across your network, whether internal or remote. The unique aspect
of Policy Commander is its specialized targeting of security policies. Targeting—based
on each computer's configuration and role, security level, organization group,
and location—lets organizations push a particular policy out to only the
appropriate computers or servers that need it.
Altiris offers similar functionality but separates itself from the pack with its cross-platform support and agent/agentless structure. Altiris's SecurityExpressions automatically audits, deploys, and enforces security policies across all Windows, UNIX, and Linux desktops, notebooks, and servers. Such cross-platform support is becoming more and more important, as many IT shops are becoming increasingly heterogeneous.
Regulatory Compliance
Generally speaking, security is a never-ending battle that administrators fight
across all aspects of the organization. Lately, security has played a key role
in the midst of increasing regulatory-compliance pressures in the wake of Health
Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX)
Act. Auditors now require that customers provide evidence of compliance policies,
so it's important that you know where you're compliant and where you aren't.
Security-policy management solutions help you identify your compliance levels,
but more important, such solutions help you—and your auditors—address
any security gaps and learn how to bridge them. With its Directory Experts Conference
Survey, NetPro polled users about their organizational priorities. Whereas 67
percent of respondents answered that improving Windows security was the top
organizational priority, 73 percent of respondents marked compliance as the
top priority.