Policy management is a challenge for most organizations. It's a formidable duty to periodically review configurations, vulnerabilities, patches, servers, users, network and security rules. Now, imagine that these tasks must be performed in real time, or near real time, to validate the enterprise security posture as it relates to corporate policy. Most corporate governance statements, compliance requirements and various regulatory bodies require us to do this. Fortunately, there are tools to help address this challenge. In this month's review, we are looking at policy management solutions. These products provide the tools for managing, enforcing, auditing and reporting on various security and network system configurations and patch levels.
For this review, we looked for products used to enforce configuration policies of devices in an enterprise. This could include, but was not limited to, network configuration, security configurations, encryption configuration, or software configuration, as well as hardware configuration of any devices in the enterprise. By our definition, these products should be able to audit devices against a policy created by an administrator, as well as provide the ability to make policy changes to devices in the enterprise from a centralized console. These solutions were also required to address compliance management. Additionally, we looked for centralized management capabilities, support for compliance reporting, optional risk management capabilities, and centralized auditing, alerting and reporting.
How we tested
Our testing methodology for this month's Group Test used vendor-provided, web-based access to their systems. Vendors were allowed to run through a short presentation on the company, product features and value proposition and to describe the implementation process that a typical end-user would experience. We then ran through a full demonstration of the products using our usual evaluation criteria: ease of use, features and functionality, reporting and alerting, documentation and support.
We asked the participants to not only demonstrate the features and capabilities of the offering, but to also run through a typical deployment scenario. The solutions reviewed consisted of client-side software deployments, appliance-based solutions and combinations of both.
We reviewed solutions that focused on the security products (i.e., firewalls, IDS/IPS systems), others that were endpoint-focused, and some that spanned across security, network and endpoint products. Some were very good at managing the assets, as well as the vulnerabilities and patches on that particular asset. Others had very nice compliance- and risk-reporting capabilities. Others addressed the challenge of managing large numbers of security and network systems and synchronizing the configurations of each as policy changed.
Although these products offer a great service, before choosing a vendor it is important to consider the impact these services will have on your environment. Most of the solutions in this field are agent-based and require some level of additional overhead on endpoint resources and network infrastructures. The agent size and performance, as well as the network load requirements, should all be evaluated before you select a solution. For the solutions providing knowledge-based decisioning support, such as risk management and compliance reporting, it is important to look into the service and support capabilities of each vendor to ensure timely updates for their reference data.
There is no golden ring for security and risk management. Defense-in-depth is still the governing best practice, and people and process are required components of that strategy. These solutions have evolved in maturity to deliver a very usable set of tools for combating the policy, risk, compliance and patch management challenges facing most organizations. I enjoyed preparing this set of reviews. I found something that I really liked with each of the products we looked at.