June 09, 2003

Excerpted from "Got Discipline?", an article in the May 29, 2003 issue of Network Computing.

It may start innocently enough, perhaps with a user installing a seemingly innocuous piece of software on a networked enterprise PC. Can you be sure that the application did not change vital configurations on the machine, possibly making your entire network vulnerable? Worse, if your security policy is not continually enforced, such a hole might go unnoticed indefinitely. And even if your desktops are locked down tight, HIPAA requires all health-care organizations to have a system in place ensuring the security of all patient information; the Gramm-Leach-Bliley Act makes similar demands on financial institutions. Security policy enforcement, clearly, is taking on new urgency.

The best way to stay in the Feds' good graces is security policy monitoring, whereby you lay down the law across your organization and then constantly audit for compliance.

Although there's no magic bullet that will make your organization compliant with HIPAA, the Gramm-Leach-Bliley Act or ISO 17799, you can interpret applicable portions of the regulations into policies that can then be enforced and monitored. Our motto: Speak softly and carry a big yardstick.

What's In It for Me?

Sure, developing policies and then extrapolating compliance rules is no small undertaking, but there are many benefits to be had from policy-compliance monitoring, including:

* Ensuring end users follow the rules. For example, if your access policy requires that all passwords be eight characters, changed every 30 days and not be repeated, you must be able to pinpoint users who are not in compliance with the policy so that you can have them executed. Just kidding.

* Maintaining separation of duties. Tiered management access ensures separation of duties between monitoring and management. We recommend that security administrators monitor desktops and servers for configuration compliance. Optionally, configuration access can be granted for trusted security administrators or desktop/server administrators.

* Bringing about increased responsiveness. You must be able to respond quickly to changes that affect your security stance. For example, if a new vulnerability can be solved by creating a new registry key, can you ensure that the key was created and properly set to the right value across your enterprise? If not, you have a problem.

Remember, honest mistakes as well as malicious attacks can leave your organization vulnerable. Monitoring policy compliance keeps potential problems at the forefront of administrators' minds. Often, security updates and patches break some critical functionality on a server. In such cases you have four choices: do nothing, patch, find a workaround or persuade the application vendor to fix the problem so the system can be patched. No matter which you choose, turnaround time may be long. Forgetting about an unpatched system is all too common.

In addition, once you have developed and deployed a security policy, compliance tools can ensure that apathy doesn't set in. It's human nature to move on to the next big project. Plus, personnel turnover will have less of an impact on your security if policy monitoring strategies are in place.

Details, Details

Once you start monitoring for compliance, remediation is a natural progression. Technically, it doesn't matter which application makes changes on desktops and servers. In reality, organizational hierarchy dictates a separation between operational and security duties. Controlling access to the policy-compliance application is critical so that only authorized people, such as security administrators or auditors, create and run reports, while desktop operations staff run reports and make changes to target systems, for example.

Although desktop-management packages and home-grown tools provide some basic functionality, the consolidation of reports and the redundancy of effort is costly. If you have multiple platforms and multiple levels of security, and you need to get a handle on your security and protection procedures, you should be looking at policy monitoring.

For the full story, visit:http://www.nwc.com/1410/1410f1.html

For detailed product reviews, visit: http://www.nwc.com/1410/1410f2.html

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs(R); he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.

This article originally appeared in Network Computing magazine. Network Computing is dedicated to providing critical analysis of technologies, vendors, and products to 220,000 IT managers and staff who are held accountable for strategic technology purchase decisions. Visit Network Computing online at http://www.nwc.com/