Industry Article - Sep 06 Issue
A New Market Opportunity for IT Policy Control
By Teresa D. Wingfield, Director of Product Marketing, Active Reasoning, Inc.
Policies define the desired IT controls in an organization and what actions to take when controls are violated or parameters exceed acceptable thresholds. A number of factors are increasing the number of policies a company must implement. The alarming growth in security threats is escalating the demand for protection from them. As companies turn to standards-based control frameworks such as ITIL, COBIT, COSO, and ISO 17799 to improve their ability to deliver reliable support and services, they need policies that enforce their best practices and procedures. At the same time, government and industry regulations, such as Sarbanes-Oxley, Gramm-Leach-Bliley, Basel II, the Health Insurance Portability and Accountability Act, and the Payment Card Industry Data Security Standard, are adding to the number of IT policies for protecting data and reducing IT-related risks.
There are dozens of types of software products designed to help companies automate their IT policy controls, some of which are shown in Table 1, Sampling of Market Segments and Key Vendors for Automating IT Policy Control.
Table 1: Sampling of Market Segments and Key Vendors for Automating IT Policy Control

| Market Segment | Primary Automation Capabilities | Sampling of Key Vendors |
|---|---|---|
| | Protection of computer assets against viruses | F-Secure, Kaspersky Labs, McAfee, Panda Software, Sophos, Symantec, Trend Micro |
| | Segregation of duties | Acevan, ACL, Applimation, Approva, Logical Apps, Orchestria, Oversight, SAP, Qumas |
| | Management of software deployment, updates, and patches | Altiris, Attachmate WRQ, Avocent, BigFix, BladeLogic, BMC, Cendura, Citadel, Configuresoft, Ecora, HP, New Boundary, Opsware, PatchLink, Pedestal Software, Symantec, SUN |
| | Auditing data access, data changes, and changes to database structure | Guardian, IPLocks, Lumigent |
| | The financial close and control assessment processes | 80-20 Software, Axentis, Bwise, HandySoft, Certus, IBM, Methodware, Movaris, OnProject, OpenPages, Oracle, Paisley Consulting, Qumas, SAP, Securac, Stellant |
| | Creation, management, and authentication of user identities and brokerage of services based on the identities | Attachmate WRQ, BMC, Cisco Systems, Computer Associates, Courion, Critical Path, Entrust, HP, IBM, Microsoft, Novell, Oracle, RSA, SourceFire, SUN, Verisign |
| | Analysis of abnormal activity patterns/user policy violations | 3Com, Check Point, Cisco Systems, DeepNines, Enterasys, Internet Security Systems, McAfee, Juniper Networks, NFR Security, NitroSecurity, Open Source, Radware, Reflex Security, SourceFire, StillSecure, Symantec, Tipping Point, Top Layer, V-Secure Technologies |
| | Policy enforcement for user activity in the IT infrastructure | Active Reasoning, Solidcore, Symantec, Tripwire |
| IT Service Desk and Help Desk | Identify, plan, assess, approve and assign service activity | BMC, Computer Associates, HP, IBM |
| Network Access Control | Policy enforcement for network access | Check Point, Cisco Systems, Fidelis Security Systems, Intrusion, Palisade Systems, Proofpoint, PortAuthority Technologies, Reconnex, RSA, Tablus, Vericept, Vontu |
| Security Information and Event Management | Analysis of log files and events for network and security devices | ArcSight, Attachmate WRQ, Cisco Systems, Computer Associates, Consul, eIQnetworks, IBM, Intellitactics, LogLogic, Network Intelligence, Novell, OpenService, RippleTech, SenSage, TriGeo |
| | Audit and compliance for security configurations | Altiris, Avocent, Attachmate, BigFix, Cambia, Citadel, WRQ, Configuresoft, Ecora, Pedestal Software, Polivec, SolSoft, Symantec |
| | Identification of potential threats to systems resources | Archer Technologies, Attachmate WRQ, Computer Associates, Cybertrust, eEye, Foundstone, Harris, IBM, Internet Security Systems, Lockdown Networks, McAfee, nCircle, Open Source, NFR, Preventsys, Qualys, Skybox, SourceFire, StillSecure, Symantec, Tenable Network Security, Xacta |
Each distinct market segment has a fairly large number of competing vendors, and some vendors compete in several market segments. Products usually serve a single policy objective such as segregation of duties, policy enforcement for either business processes or for user activity in the IT infrastructure, or analysis of log files and events, to name just a few of the available features. Further, the policies the products support are usually applicable to only one type of IT infrastructure component, such as applications, databases, network and security devices, or operating systems.
Given the individual policy focus of control products, organizations are forced to implement additional products when they want to broaden IT policy control. Even though control increases with the addition of each new product, provided that the implementation is successful, decentralization of policies across multiple product sets poses several challenges for the typical organization because this approach fails to provide:
- A common definition and understanding of policies across the entire infrastructure
- A common repository of policies that can be leveraged across infrastructure components as well as across efforts such as risk management, compliance, and best practice initiatives
- A single authoritative source of record that users can turn to for audit and forensic analysis
- The historical context required for IT process improvement and root cause analysis of incidents in the IT infrastructure
- Validation of actual changes to the IT infrastructure against planned change requests

Because there are so many gaps caused by the use of disparate IT policy control products, the market will respond to customer needs for a more centralized approach to improve IT Policy Enforcement. Eventually, there will be a single point of administration to make it easier to define, review, update, and version policies across the enterprise. A common repository will also emerge that stores all relevant information about the policies used for enterprise IT controls and the relationships that exist among them. This database will serve as a single source of record that offers a logical model to improve detection, validation, enforcement, and reporting of IT infrastructure activity. Rather than storing just current and previous states of components of the IT infrastructure, a centralized repository will record change over longer historical periods. Further, the enterprise IT policy control system will verify whether a change that took place in the IT infrastructure was actually authorized in a formal change management system. An organization will benefit from policy centralization, historical context, and change validation in a variety of ways.