Security
FEATURE
Got Discipline?

  May 29, 2003
  By Mike Fratto



What's In It for Me?

Sure, developing policies and then extrapolating compliance rules is no small undertaking (for help see "Control the Keys to the Kingdom" and "Chart a Plan for Security"), but there are many benefits to be had from policy-compliance monitoring, including:

• Ensuring end users follow the rules. For example, if your access policy requires that all passwords be eight characters, changed every 30 days and not be repeated, you must be able to pinpoint users who are not in compliance with the policy so that you can have them executed. Just kidding.

• Maintaining separation of duties. Tiered management access ensures separation of duties between monitoring and management. We recommend that security administrators monitor desktops and servers for configuration compliance. Optionally, configuration access can be granted for trusted security administrators or desktop/server administrators.


• Bringing about increased responsiveness. You must be able to respond quickly to changes that affect your security stance. For example, if a new vulnerability can be solved by creating a new registry key, can you ensure that the key was created and properly set to the right value across your enterprise? If not, you have a problem.

Remember, honest mistakes as well as malicious attacks can leave your organization vulnerable. Monitoring policy compliance keeps potential problems at the forefront of administrators' minds. Often, security updates and patches break some critical functionality on a server. In such cases you have four choices: do nothing, patch, find a workaround or persuade the application vendor to fix the problem so the system can be patched. No matter which you choose, turnaround time may be long. Forgetting about an unpatched system is all too common.
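As an added illustration (not from the article or from any product it reviews), the checks listed above can be written as rules evaluated over settings collected from each host, with hosts that reported nothing flagged rather than silently skipped. The registry path, host names, snapshot layout and the history threshold are constructed assumptions; the article only says passwords must not be repeated.

```python
from datetime import date
# Registry path and expected value are constructed placeholders, not a real mitigation.
KEY = r"HKLM\SOFTWARE\ExampleVendor\Mitigation\Enabled"
POLICY = {
    "min_length": 8,      # passwords at least eight characters
    "max_age_days": 30,   # changed every 30 days
    "min_history": 1,     # assumption: any non-zero history setting blocks reuse
    "registry": {KEY: 1},
}

def check_host(snap, today, policy=POLICY):
    """Return the list of policy findings for one host's collected settings."""
    findings = []
    cfg = snap.get("password_settings", {})
    if cfg.get("min_length", 0) < policy["min_length"]:
        findings.append("password min_length below policy")
    if cfg.get("history", 0) < policy["min_history"]:
        findings.append("password reuse not blocked")
    for user, last_set in snap.get("password_last_set", {}).items():
        age = (today - last_set).days
        if age > policy["max_age_days"]:
            findings.append(f"user {user}: password {age} days old")
    for key, want in policy["registry"].items():
        got = snap.get("registry", {}).get(key)
        if got is None:
            findings.append(f"registry value missing: {key}")
        elif got != want:
            findings.append(f"registry value {key} is {got!r}, expected {want!r}")
    return findings

def compliance_report(inventory, snapshots, today, policy=POLICY):
    """Map every inventoried host to its findings; a silent host is a finding."""
    report = {}
    for host in inventory:
        snap = snapshots.get(host)
        report[host] = ["no data collected"] if snap is None else check_host(snap, today, policy)
    return report

# Constructed sample data: three hosts in inventory, one of which never reported.
INVENTORY = ["ws-01", "ws-02", "srv-01"]
SNAPSHOTS = {
    "ws-01": {"password_settings": {"min_length": 8, "history": 5},
              "password_last_set": {"alice": date(2003, 5, 20)}, "registry": {KEY: 1}},
    "ws-02": {"password_settings": {"min_length": 6, "history": 0},
              "password_last_set": {"bob": date(2003, 3, 1)}, "registry": {KEY: 0}},
}
if __name__ == "__main__":
    print(compliance_report(INVENTORY, SNAPSHOTS, date(2003, 5, 29)))
```

Driving the report from the asset inventory rather than from the hosts that answered is what surfaces the forgotten system.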

In addition, once you have developed and deployed a security policy, compliance tools can ensure that apathy doesn't set in. It's human nature to move on to the next big project. Plus, personnel turnover will have less of an impact on your security if policy monitoring strategies are in place.

Once you start monitoring for compliance, remediation is a natural progression. Technically, it doesn't matter which application makes changes on desktops and servers. In reality, organizational hierarchy dictates a separation between operational and security duties. Controlling access to the policy-compliance application is therefore critical: for example, only authorized people, such as security administrators or auditors, create and run reports, while desktop operations staff run reports and make changes to target systems.

Although desktop-management packages and home-grown tools provide some basic functionality, the consolidation of reports and the redundancy of effort are costly. If you have multiple platforms and multiple levels of security, and you need to get a handle on your security and protection procedures, you should be looking at policy monitoring. Our review of policy monitors begins here.

Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®; he covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.
