Elemental Security improves security through compliance
New automated tool enforces policies, security
Linda Musthaler and Brian Musthaler
October 24, 2005
Courtesy of NetworkWorld
Is our company’s data secure? Are we in compliance with general information access control policies? These are two security questions on every CIO’s mind these days. For many of them, as well as the other C-level executives, regulatory compliance is another major concern. This past April, Elemental Security began shipping a product to address both security and compliance needs for the large enterprise environment. Even if you don’t need to comply with major regulations such as Sarbanes-Oxley and HIPAA, you can’t go wrong in enforcing your own internal policies to increase security with an automated tool like the Elemental Compliance System (ECS).
ECS fits into the sweet spot where host configuration management, network access control and policy management intersect. This product has one of the strongest, most detailed policy management modules that we’ve seen. For more information about the security and network management aspects of ECS, check out recent articles here and here (PDF).
Compliance requirements and system security have always been linked. Until now, however, they were difficult to implement in a non-invasive, integrated manner that was easy to deploy, maintain and monitor. The ultimate goal is to control gaps in system access while staying in concert with overall general business control requirements (for example, segregation of duties) that are designed to ensure reliability of financial data.
An enterprise-level tool, ECS is an integrated product that provides security practitioners with the near-real-time ability to effectively and efficiently:
* Inventory all network assets.
* Create, modify, test and monitor security policy and compliance.
* Control and monitor network access.
* Control and monitor configuration management for users' machines.
* Establish baselines and metrics.
* Identify threats, assess risk and automatically contain vulnerabilities.
* Prevent non-compliant resources from accessing the network.
ECS uses an agent-server approach. New devices put on the network that do not have the agent are discovered and monitored and can be isolated until it is proven that they meet the conditions set forth by the enterprise policies. Approved devices and users on the network can be dynamically grouped according to specific attributes or policies, increasing your flexibility to control access to resources.
The range of policies that Elemental provides as a template is quite extensive, including regulations such as Sarbox, PCI and HIPAA. In addition, ECS has a built-in custom policy language that allows you to express (or deploy) policies across a broad range of platforms and machines. Once a policy has been developed, compliance by your users and devices can be tested in a “monitor only” mode to determine the impact on the business environment, thereby avoiding unnecessary downtime or unexpected security vulnerabilities. You can fully implement the policy monitoring with follow-up actions when ready.
The total view of compliance is where this product really shines. ECS provides a simple Compliance and Monitoring Dashboard that graphically displays overall compliance with your implemented security policies. This allows compliance managers to determine if information security controls are aligned with the organization’s overall compliance plans.
The view of compliance/non-compliance can be quite granular, allowing you to look at individual devices such as servers and PCs. The dashboard’s highly detailed views should assist organizations in:
* Reducing capital spent on audit preparation and review.
* Determining which policies are being violated and by whom.
* Accurately assessing and reporting on IT access control compliance.
* Addressing access controls across regulations using a single tool.
* Providing visibility to continually assess IT access control compliance posture.
The dashboard also allows compliance results to be exported and rolled up to corporate compliance reporting tools. What’s more, it monitors security and compliance metrics and trends. These are features your auditors and compliance managers will find very useful in assessing an organization's compliance posture and easing the process of remediation.
Ultimately, in accordance with compliance expectations, guides and requirements, ECS helps management document and test relevant general IT access controls, which are designed to ensure that financial information generated from an organization’s IT processes can be reasonably relied upon. Perhaps more importantly, ECS is going to help your CIO sleep better at night, which means a better work environment for you.
Linda Musthaler is vice president of Currid & Company. You can write to her at Linda.Musthaler@currid.com.
Brian Musthaler is a principal consultant with Essential Solutions Corporation. He is a Certified Information Systems Auditor with extensive enterprise experience in policy controls.