Got Discipline?
May 29, 2003
By Mike Fratto
In the quest for an ironclad information-security program, organizations typically take a textbook approach: First, a business-impact analysis and asset-assessment study identify critical data needing protection and the servers where that data resides. Then, security policies are developed from these studies, your business plan and organizational goals. These policies drive the development of guideline documents defining the requirements necessary to achieve the goals of the policy--for example, if a specific server is designated as critical, your access policy for that server will be stringent.
Essentially, you're taking your policy statements and codifying them into a series of checks.
But even the most well-conceived policies will fail if the effectiveness of the program cannot be measured. How do you gauge the effectiveness of a firewall strategy or a VPN, IDS or antivirus deployment? More practically, how do you ensure that networked devices like desktops, servers, switches, routers and firewalls are configured properly? Absent tools that can provide a holistic view of the network, administrators are left to fumble along. Without measurements, you're blind.
Of course, outside requirements come into play too. Although there's no magic bullet that will make your organization compliant with HIPAA, the Gramm-Leach-Bliley Act or ISO 17799, you can interpret applicable portions of the regulations into policies that can then be enforced and monitored (see "Complying With the Feds"). Our motto: Speak softly and carry a big yardstick.
Let's Focus
Sheer volume and complexity can make monitoring servers and desktops a nightmare. If you're a Windows-only shop and your desktops and servers are in a domain or Active Directory tree, Windows' Group Policy Object or SMS (Systems Management Server) might be sufficient to ensure policy compliance. However, once an environment becomes even slightly more complex, the task of monitoring becomes much more difficult.
We talked with an IT manager from a multinational petroleum company that deploys more than 4,000 servers and 70,000 workstations worldwide. Although many of these hosts are Windows computers spread across multiple domains, a number of servers and workstations are standalone. Even with tools embedded in Windows and an SMS deployment for desktop management, this organization spent a lot of time writing scripts to gather data from hosts across the network and used Excel spreadsheets to generate reports. A system engineer devotes one weekend per month to running reports--on topics such as disk usage, service pack and patch levels, and security policy configuration.
On the other end of the spectrum, a small hospital with 2,000 workstations, 40 servers, and an IT staff of five needed a view of workstation and server configurations and wanted to create reports showing user access in the file system and tracking access to specific files across the network. It needed to query configuration on Novell's eDirectory and NetWare 6, and Windows 2000 and NT servers and desktops, but did not have the developers to write custom scripts--it wanted a COTS (commercial, off-the-shelf) product.
In both cases, these organizations wanted to ensure--independent of the operations staff--that desktops and servers were configured as defined by their security policies. They also wanted to monitor patch compliance and generate reports pinpointing out-of-compliance hosts. Two organizations of different sizes and in different markets had similar reporting and management needs, none of which were met by existing applications.
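As an added illustration (not code from the article or from either organization it describes) of turning policy statements into a series of checks whose stringency depends on asset criticality, and then measuring the result as a report of out-of-compliance hosts: the thresholds, requirement names and host records below are constructed assumptions, not values the article gives.

```python
"""Policy-as-checks: criticality-driven guideline requirements evaluated
against a host inventory, yielding an out-of-compliance report."""
from dataclasses import dataclass

# Guideline requirements derived from policy, keyed by asset criticality.
# A host designated "critical" gets the stricter set (values are assumptions).
REQUIREMENTS = {
    "critical": {"min_service_pack": 4, "max_missing_patches": 0,
                 "require_audit_logging": True, "max_local_admins": 2},
    "standard": {"min_service_pack": 3, "max_missing_patches": 5,
                 "require_audit_logging": False, "max_local_admins": 5},
}

@dataclass
class Host:
    """One record as a data-gathering script would collect it from a host."""
    name: str
    criticality: str
    service_pack: int
    missing_patches: int
    audit_logging: bool
    local_admins: int

def check_host(host: Host) -> list[str]:
    """Return the names of the requirements this host fails (empty = compliant)."""
    req = REQUIREMENTS[host.criticality]
    findings = []
    if host.service_pack < req["min_service_pack"]:
        findings.append("service_pack")
    if host.missing_patches > req["max_missing_patches"]:
        findings.append("patches")
    if req["require_audit_logging"] and not host.audit_logging:
        findings.append("audit_logging")
    if host.local_admins > req["max_local_admins"]:
        findings.append("local_admins")
    return findings

def compliance_report(hosts: list[Host]) -> dict[str, list[str]]:
    """Map each out-of-compliance host to its findings; compliant hosts are omitted."""
    return {h.name: f for h in hosts if (f := check_host(h))}

def compliance_rate(hosts: list[Host]) -> float:
    """The measurement: fraction of hosts with no findings."""
    return sum(1 for h in hosts if not check_host(h)) / len(hosts)

# Constructed inventory standing in for data gathered across the network.
INVENTORY = [
    Host("db01", "critical", 4, 0, True, 2),     # meets the strict set
    Host("db02", "critical", 3, 2, False, 3),    # fails every strict check
    Host("ws117", "standard", 3, 4, False, 5),   # within the standard set
    Host("ws203", "standard", 2, 9, False, 1),   # old service pack, unpatched
]

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
    print(f"compliant: {compliance_rate(INVENTORY):.0%}")
```

The same configuration as ws117 would fail three checks if the host were reclassified as critical, which is the point of letting the asset assessment drive the stringency of each check.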