Overview: A new evolution is underway in the security industry. Unlike a revolution that destroys, this evolution of security builds on what is already in place by extending the existing environment. By delivering extensible security policy modules, "best practice" templates, and automated real-time feedback loops, this evolution promises to integrate security into a manageable whole that is cost effective, consistent, convenient, reliable, and scalable.

The Enterprise's Security Dilemma

If you believe everything printed by the popular press, security is as simple as dropping in a firewall or two and making sure that antivirus software on the desktop is updated continuously.


www.aberdeen.com

But, the world in which the enterprise's Information Systems (IS) security professional lives is vastly more complex than this simple scenario. The day-to-day world of the enterprise IS security pro includes incident response teams, ongoing policy reviews, training of systems, and network administrators. Also, most security pros must keep up with hacking techniques, technology trend analysis, ongoing detection, prevention and fraud analysis techniques, as well as daily reporting, configuration, and documentation activities. In short: The enterprise's security pros -- if they exist -- are already stretched too thin to be effective.

In fact, Aberdeen's research consistently shows that the number of security pros employed by the enterprise hovers around 0.05% (or 0.0005) of the total employee population. For a large enterprise with 100,000 employees, that translates to approximately 50 people whose primary job is security. In a midtier business with about 2,000 employees, that means there is only one security person on staff. In enterprises with fewer than 2,000 employees, there are few, if any, people dedicated to security.

Part of the dilemma facing the enterprise is how to safely integrate additional Internet-enabled systems for improving business results without opening Pandora's risk box. But, the real dilemma facing every enterprise -- from large to small -- is capturing and retaining advanced security expertise that is specific to the needs of the enterprise in a cost-effective manner.

Security's Policy Problem

Instead of helping IS executives, the current state of the market for security products has been forcing decision-makers to trade off business risks against costs. The multiple products that apparently must be purchased, deployed, and maintained to adequately mitigate risk would be too expensive for all but the largest of enterprises.

Recent Aberdeen InSights
The Promise of Financial Value Chain Management:Using tools to streamline and automate various financial processes in order to cut costs throughout the commerce cycle.

BPM Burns Operational Fat: Business Process Modeling bridges the gap between existing IT infrastructure and emerging B2B collaboration protocols.

Where Financial Processes and Technologies Stand: A look at the opportunities and challenges offered by financial process automation.

The Road to .NET for Business Applications: Great Plains' annual Convergence conference showed it is truly Microsoft's business apps arm.

Human Capital Management Lessons from 9/11: Sept. 11 has taught companies the importance of proactively managing their employee assets in addition to their IT assets

A New Era for Best-of-Breed CRM?: CRM vendors have been redeveloping application suites over the last two years, attempting to make them more modular and Web friendly.

With New PDAs, It's High Time for Wireless: When it comes to mobile solutions, CIOs want wireless e-mail, synchronization, access to enterprise databases - and good ROI.

Click here to reach CIN's Research section.

Moreover, most of security's point-products -- e.g., firewalls, antivirus, and intrusion detection, among many others -- do not provide IS managers with the ability to easily customize security policies to meet the specific business requirements of the firm.

Limited by what a supplier's software engineering team believes are appropriate security policies, IS buyers are mired in tuning technology knobs that bear little, if any, relationship to the business policies and procedures employed by the enterprise.

This approach to security policy makes it nearly impossible for IS to imbue specific enterprise security and privacy policies into any of its applications, systems, and security-technology controls.

IT Systems: Marshmallows on the Spit

While the technology of Internet computing has raced ahead during the past 10 years, security technologies have not kept up with the same rapid pace of change.

Firewalls, once seen as effective defensive moats for connecting to the Internet, have more realistically become simple routers with holes punched in them. The holes, once considered anathema, are there to ensure that software services flow unhindered between the Internet and the enterprise's business computing platforms, including PCs (personal computers), e-mail gateways, Web sites, and Internet application and data servers.

Meanwhile, traditional viruses have almost disappeared and have been replaced by blended threats and other forms of malicious software microbes. (For more information, see Aberdeen's June 2001 White Paper, Software Microbes: New Threat Calls for a Rethinking of Security.) The new software microbes are automatically grabbing control of the enterprise's platforms -- PCs, e-mail systems, Web servers, application servers, etc. -- without anyone being the wiser. Ignorance is not bliss, especially when the computing platforms are surreptitiously being controlled.

Unfortunately, application and data servers -- as well PCs -- on the enterprise network have become tender marshmallows, ready for roasting. And roasted they are becoming.

Looking for Cover from the Fire

The obvious prescription for these problems is to regain control -- and keep control -- of the systems that are responsible for the enterprise's business operations. But, that is simpler to state than achieve -- especially in a cost-effective manner -- over time.

The alternatives to regaining control include the following:

  • Ignoring problems until it is too late;
  • Tightening down each and every application and data system by hand; and
  • Using security policy automation tools to regain and maintain control.

Ignoring the problem is not a viable alternative for the enterprise, especially in banking and healthcare. Nor is that a wise career move.

While tightening down on each and every application, file, and print server by hand throughout the enterprise is possible, it is economically indefensible. The time needed to research, document, and properly configure the myriad systems on the enterprise network is daunting. But these efforts -- and costs -- are dwarfed by the time that would be spent trying to continuously maintain control over the enterprise's computing resources as new applications, network, scripts, and maintenance software are added for other purposes.

The only approach that makes financial and business sense is to automate security's workflow between security policy templates and the computing platforms that are deployed by the enterprise.

Automating Security Policy for the Enterprise's Computing Platforms

A solution to automate security workflow for the enterprise's computing platforms must make it possible for IS to more effectively perform several tasks at once, including the following:

  • Defining consistent security policies for different computing platforms;
  • Assessing the risks that are unique to each deployed computing platform;
  • Enabling incident response mechanisms for threshold and anomalous events; and
  • Providing reporting, analysis, education, training, and awareness.

Such an automated policy solution should make it possible to capture best practices at the business process and technology level. Policy automation software should make it possible for IS to create, modify, and update security policy based on specific enterprise requirements.

Moreover, such a solution should also enable the injection of industry-specific policies such as Gram Leach Bliley in the financial services industry, HIPAA (Health Insurance Portability and Accountability Act) in the healthcare industry, and BS 17999 in the U.K., among others.

Example: PoliVec Builder, Scanner, and Enforcer

PoliVec's products -- PoliVec Builder, PoliVec Scanner, and PoliVec Enforcer -- are good examples of the new security policy automation tools that make it cost effective to define, detect, deploy, and document consistent security policies.

PoliVec Builder

PoliVec Builder is a security policy development tool that delivers the ability to generate an enterprise-specific set of active security policies including regulatory, general, system, network, and physical security policies, among others. Once defined, Builder translates human readable policies into a machine form for computing platforms. These policies are exported to PoliVec Scanner and PoliVec Enforcer.

PoliVec Scanner

PoliVec Scanner is an automated policy audit and analysis tool that automates the process of discovering, recommending, and applying changes to system platforms. Whether system vulnerabilities are a result of system configuration problems or holes that are drilled into system platforms by applications and network services, Scanner will detect the problems and recommend changes.

PoliVec Enforcer

PoliVec Enforcer consists of small software agents that are deployed on target system platforms to actively monitor, alert, report, and manage the security posture of systems -- against known policies -- in real time.

By using policies defined from within Builder, Enforcer makes it possible for IS to manage the security of critical system platforms throughout the enterprise as these systems and applications are evolved and changed over time for new business procedures.

Benefits of Security Policy Automation

Aside from the enterprise exercising greater control over its computing resources, the automation of consistent security policies delivers the following significant benefits:

  • Consistent security procedures that can be deployed and maintained against policies;
  • Lowered operating costs to realize continuous compliance against policies;
  • Ongoing assessment, alerting, and management of the enterprise's risk and security profile; and
  • Lowered costs for complying with industry-specific security and privacy regulations.

Aberdeen Conclusions

A major evolution is sweeping the security industry that will benefit IS buyers, "make-the-money" managers, and corporate governance committees.

This evolution places enterprise security policies front and center by delivering software security products that make it possible for IS to connect policies, procedures, and people into a connected whole -- not a disconnected, incomplete, and incomprehensible security puzzle that looks and acts like a Rube Goldberg machine.

The new security policy and process automation suppliers are going to significantly alter the economics -- and the landscape -- of security. It is time for IS decision-makers to investigate the simplicity and power of security policy automation solutions that are already benefiting users.

Jim Hurley is vice president and managing director of the Information Security practice at Aberdeen Group in Boston. Aberdeen Group is a leading IT market analysis and positioning services firm that helps Information Technology vendors establish leadership in emerging markets. For more information, go to www.Aberdeen.com.