Network Computing is part of the Informa Tech Division of Informa PLC

New Tools Ensure Active Directory Policy Compliance

MANAGE RISK, NOT TOOLS

As tools for Active Directory policy compliance proliferate, effective management will become a challenge. Brian Hayes, CTO of auditor Redspin, says he's seen IT groups buy so much monitoring and reporting gear that they can't manage it. "Sometimes it has the opposite effect of what was intended," Hayes says.

The solution? Apply risk management principles to guide purchasing. The decision to implement a new utility must be driven by a structured risk management approach. Identifying how a tool fits into your portfolio will help avoid "point-product overload syndrome," a malady in which IT administrators become buried in an unmanageable tangle of poorly integrated consoles that provide overlapping or redundant functionality. Maintaining some number of management suites is inevitable, since no single product can address all compliance issues, but proper risk classification can help ensure that your toolbox isn't out of balance.

A guiding principle that won't let you down: Policy comes first. Whether you decide to purchase a suite or use in-house resources, don't overlook higher-level governance issues. Even the best tools add little value if they're not backed up by well-designed security policies that are supported by management. Unfortunately, odds are that you have work to do in the policy area: Our 2008 Strategic Security Survey found that 54% of organizations still don't have security policies in place.

If you aren't there yet, put away your checkbook for now--you need to back up and develop the necessary policy framework. Once your security policy has been defined, it's time to flesh out the technical settings that determine how the policy will be implemented. Be sure to take full advantage of Group Policy features during this process; many organizations don't. If you want measurable improvements in your real-world security posture, you'll need to go much further than simply defining a screensaver time-out value and applying basic password policies.

CALM THE STORM

Step By Step

Here's how to meet Active Directory policy compliance requirements while improving endpoint security:

ASSESS YOUR RISKS: Implement a structured approach to prioritize and target the worst threats first.

CLEARLY DEFINE IT POLICIES: Use applicable compliance mandates and rely on best practices in gray areas.

ALIGN TECHNICAL CONTROLS WITH POLICY: Leverage Group Policy and other existing tools to enforce settings.

FILL THE GAPS: Decide whether to develop or buy tools to handle auditing and reporting.

There's no way around the fact that hardening servers and workstations will impose limits on user freedom. The trick is to strike a balance between required business functionality and optimum security settings. If your new configuration will significantly increase restrictions on workstations, prepare for the inevitable backlash by confirming management buy-in and clearly mapping technical controls to policy requirements. Risk management principles help here by providing a quantitative way to determine which controls are appropriate.

As for gaining funding for tools, that likely won't be a problem if you're complying with a mandate, but due diligence is still required to get the most from your compliance dollars. Don't neglect the big picture: Map compliance gaps across your systems to determine where the tool fits in your overall risk management strategy. IT shops not under the compliance gun may have a harder time getting approval--CFOs are rightly well-immunized against constant dire predictions of security breaches--so employ a structured approach to demonstrate how your selected product addresses quantified risks. Avoid fuzzy ROI calculations based on hypothetical worst-case scenarios: If management perceives your argument as a bit of a stretch, you'll lose credibility.

Tools alone won't fix your Group Policy compliance woes. But with the proper foundation, the right product can prove valuable in the effort to satisfy auditors and improve endpoint security. While meeting compliance obligations is a worthy goal, gaining confidence that policies are effectively protecting your assets is even better.

Write to Stephen McMurray at [email protected].
