Security management vendors promise to keep customers in compliance
Elemental Security is Moving in on Security Compliance Management with Bessemer's Backing
By Denise Dubie
April 4, 2005
Courtesy of NetworkWorld
A slew of start-ups are rolling out tools to help newly compliant IT shops monitor, maintain and enforce compliance policies.
Meeting the demands of the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley (SOX) Act, and the Gramm-Leach-Bliley Act requires constant data analysis, a chore that security management newcomers Elemental Security, eIQNetworks and Procera Networks hope to ease.
"IT managers need to have ongoing visibility into their compliance levels to avoid drifting out of compliance over the course of six months or so," says Scott Crawford, a senior analyst with Enterprise Management Associates. "No one wants to have a big compliance project every year. Security and policy management products can automate parts of the ongoing monitoring and enforcement of compliance policies."
Start-up Elemental Security this week is scheduled to launch its Elemental Compliance System, software that the company says combines policy-creation tools with ongoing monitoring and enforcement features. The software, developed by company co-founder and IT security guru Dan Farmer and Python creator Guido van Rossum, can be customized to work with a variety of platforms and applications.
"It's not a tool specific to one type of vertical application. It can work with what I have without me having to go to my application vendors and get them to rewrite their code for compliance," says Doug Torre, director of networking and technical services at Catholic Health System, an integrated healthcare delivery network in and around Buffalo, N.Y. He is piloting the product to determine if it will help him maintain compliance policies across healthcare-specific applications.
The system uses a combination of server software and agents distributed on servers, desktops and laptops. The server maintains the library of policies, and the agents monitor devices, reporting any changes from the established baseline to ensure compliance.
The product comes with tools to create policies for heterogeneous environments, including Unix and Windows. Templates and scripts let even inexperienced administrators create policies on multiple systems without platform-specific knowledge, the company says.
Once deployed, the software assesses compliance on a regular basis and offers tips to mitigate potential problems, such as discovery of an unauthorized laptop attempting to access a network or a sales employee accessing an accounts payable application.
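The server-and-agent model described above comes down to one operation: compare what an agent reports from a host against the policy the server holds, and report every deviation from the baseline. The following is an added illustration, not Elemental Security's code; the policy fields, the host snapshots and the sshd_config contents are constructed for the example.

```python
"""Baseline-drift check: compare an agent's host snapshot against a central policy.

Hypothetical example, not Elemental Security's code. A Policy declares the
expected state (setting values, forbidden services, approved file hashes);
a Snapshot is what an agent reports from one host. evaluate() returns every
deviation so the server can alert on it or feed an enforcement action.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file content; agents report this instead of the file itself."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Policy:
    required_settings: dict   # setting name -> required value
    forbidden_services: set   # services that must not be running
    file_baseline: dict       # path -> sha256 hex digest of the approved content


@dataclass
class Snapshot:
    host: str
    settings: dict            # setting name -> observed value
    running_services: set
    files: dict               # path -> sha256 hex digest of current content


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def evaluate(policy: Policy, snap: Snapshot) -> list:
    """Return one Finding per rule the snapshot violates; an empty list means compliant."""
    findings = []
    for name, required in policy.required_settings.items():
        actual = snap.settings.get(name)
        if actual != required:
            findings.append(Finding(snap.host, f"setting:{name}",
                                    f"expected {required!r}, found {actual!r}"))
    for svc in sorted(policy.forbidden_services & snap.running_services):
        findings.append(Finding(snap.host, f"service:{svc}", "forbidden service is running"))
    for path, approved in policy.file_baseline.items():
        current = snap.files.get(path)
        if current is None:
            findings.append(Finding(snap.host, f"file:{path}", "baselined file is missing"))
        elif current != approved:
            findings.append(Finding(snap.host, f"file:{path}",
                                    "content differs from approved baseline"))
    return findings


# Constructed sample data (hypothetical hosts, settings and file contents).
APPROVED_SSHD = b"PermitRootLogin no\nPasswordAuthentication no\n"
DRIFTED_SSHD = b"PermitRootLogin yes\nPasswordAuthentication no\n"

POLICY = Policy(
    required_settings={"password_min_length": 12, "audit_logging": "enabled"},
    forbidden_services={"telnetd", "rsh"},
    file_baseline={"/etc/ssh/sshd_config": sha256_hex(APPROVED_SSHD)},
)

COMPLIANT = Snapshot(
    host="web01",
    settings={"password_min_length": 12, "audit_logging": "enabled"},
    running_services={"sshd", "httpd"},
    files={"/etc/ssh/sshd_config": sha256_hex(APPROVED_SSHD)},
)

DRIFTED = Snapshot(
    host="db02",
    settings={"password_min_length": 8, "audit_logging": "enabled"},
    running_services={"sshd", "telnetd"},
    files={"/etc/ssh/sshd_config": sha256_hex(DRIFTED_SSHD)},
)

if __name__ == "__main__":
    for snap in (COMPLIANT, DRIFTED):
        result = evaluate(POLICY, snap)
        print(f"{snap.host}: {'compliant' if not result else str(len(result)) + ' deviation(s)'}")
        for f in result:
            print(f"  [{f.rule}] {f.detail}")
```

Keeping the policy as data rather than per-platform scripts is what lets one rule set cover Unix and Windows hosts alike: only the agent that produces the snapshot needs to know how to read a given platform's settings, services and files.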
"Instead of an annual baseline or periodic security check, this software shows us in nearly real time what isn't compliant and even enforces policies," Torre says. He now can dedicate less of his tightly stretched security budget to maintaining compliance.
Torre says he's not thrilled about distributing additional agents, which must be configured and deployed to the targeted machines. But he says the ability to block traffic or isolate non-compliant systems - made possible by the agents' traffic analysis capabilities - is a worthwhile trade-off. "These are applications we can't easily control, but a software overlay like this could let us evaluate and assess what they are doing on the network."
Another relative newcomer, Procera is scheduled to unveil this week an appliance designed to intelligently monitor traffic for compliance with security policies. The OptimIP Compliance Executive appliance sits near a router or firewall at the edge or the core and monitors traffic.
The company says the device can block non-sanctioned Internet communications such as Web-based e-mail and instant messaging, and mirror e-mail and other electronic communications to a centralized storage system. An optional add-on lets IT shops monitor users' online activity without the users being able to detect it.
Separately, eIQNetworks this week is set to make available Network Security Analyzer (NSA), which the company says includes features such as log collection, compression, encryption and data archiving.
For one network manager, who wished to remain anonymous, the NSA compliance-reporting capabilities were an added bonus. His company, a billion-dollar holding company in the manufacturing sector, uses 28 firewalls, which generate 1GB of logs per day.
"A security event can trigger 50,000 lines of logs, and it's difficult to search those for the relevant data," he says. "With the NSA software, I save at least eight hours per week reviewing logs for potential problems. I can do specific searches and narrow down what happened to generate the data."
The software, which runs on Windows servers, uses syslog collection techniques and APIs to build links into systems and gather data across security and network devices. The product also includes compliance reports custom-designed to meet multiple regulatory auditor requirements.
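The work the anonymous manager describes - collecting firewall syslog and then narrowing tens of thousands of lines down to the relevant ones - is straightforward to show in code. The following is an added example, not eIQNetworks' software: it parses iptables-style kernel log lines (syslog header followed by KEY=VALUE fields), assumes a hypothetical "FW-DROP:"/"FW-ACCEPT:" log prefix, and runs over a handful of constructed lines.

```python
"""Firewall log triage: narrow a large syslog stream to the events that matter.

Hypothetical example, not eIQNetworks' software. Parses iptables-style kernel
log lines, skips anything that is not a packet-filter record, supports field
searches, and flags sources that probe many distinct destination ports, a
common port-sweep signature worth looking at before everything else.
"""
import re
from collections import Counter, defaultdict

# Syslog header "Mon DD HH:MM:SS host kernel: " followed by the log prefix and KEY=VALUE pairs.
HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return an event dict for a packet-filter line, or None for anything else."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    if "SRC" not in fields or "DST" not in fields:
        return None  # unrelated kernel message, e.g. a link-state change
    prefix = rest.split(":", 1)[0]
    # Assumed convention: rules log with --log-prefix "FW-DROP: " or "FW-ACCEPT: ".
    action = prefix[len("FW-"):] if prefix.startswith("FW-") else "UNKNOWN"
    return {
        "ts": m.group("ts"), "host": m.group("host"), "action": action,
        "src": fields["SRC"], "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"), "dport": fields.get("DPT", "?"),
    }


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def search(events, **criteria):
    """Events whose fields equal every criterion, e.g. search(events, dst="10.0.0.12", dport="445")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def drops_by_source(events):
    """How many blocked packets each source generated."""
    return Counter(e["src"] for e in events if e["action"] == "DROP")


def flag_port_sweeps(events, min_ports=3):
    """Sources blocked on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p, key=lambda d: int(d) if d.isdigit() else -1)
            for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample log: two external sources probing one internal host, one
# permitted internal connection, one unrelated kernel line, one garbage line.
SAMPLE_LOG = """\
Apr  4 09:12:01 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.12 PROTO=TCP SPT=40211 DPT=22
Apr  4 09:12:01 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.12 PROTO=TCP SPT=40212 DPT=23
Apr  4 09:12:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.12 PROTO=TCP SPT=40213 DPT=445
Apr  4 09:12:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.12 PROTO=TCP SPT=40214 DPT=3389
Apr  4 09:13:10 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=51000 DPT=445
Apr  4 09:13:11 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.12 PROTO=TCP SPT=51001 DPT=445
Apr  4 09:14:00 fw2 kernel: FW-ACCEPT: IN=eth1 OUT=eth0 SRC=10.0.0.50 DST=10.0.0.12 PROTO=TCP SPT=33000 DPT=443
Apr  4 09:14:05 fw2 kernel: eth0: link is up
this line is not syslog at all
"""

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(events)} packet-filter events parsed")
    for src, n in drops_by_source(events).most_common():
        print(f"  {src}: {n} blocked")
    for src, ports in flag_port_sweeps(events).items():
        print(f"  possible port sweep from {src} on ports {', '.join(ports)}")
    print(f"  {len(search(events, dst='10.0.0.12', dport='445'))} events hit 10.0.0.12:445")
```

Parsing into typed fields first is what makes the later questions cheap: once each line is a record, "who touched port 445 on this host" or "which source is sweeping ports" are single passes over the data rather than a manual read through the raw log.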
"I am able to show auditors complete and repetitive reports for our Sarbanes-Oxley," he says. "Instead of me wondering when was the last time I looked at the firewall report, I can just get the e-mails sent to me and keep a running record."
eIQNetworks competitor Network Intelligence last week announced the third in its series of compliance modules that work with the company's flagship enVision security event management software. The software is packaged in an appliance dubbed the Network Intelligence Engine, which monitors data created by network devices and applications and alerts users to potential compliance and security issues.
The new module is a customized SOX 404 report that provides a mechanism for monitoring and reporting on data associated with financial controls, the company says. The company already offers reporting packages for HIPAA and Gramm-Leach-Bliley. The new module is available free to all active customers.
Jon Oltsik, an information security analyst at Enterprise Strategy Group, says even a reporting package can ease the burden of maintaining compliant systems.
"The products use information they already have, but they go a long way to bridge the gap between raw data and regulatory-specific reports. They can automate parts of the auditing process for IT shops," he says.