Automated Policies Pull IT, Business Together
Streamlined IT is competitive IT. Here's how to use risk to solidify your policy management approach.
November 15, 2007
CIOs like to talk about translating business objectives into IT requirements, but without a way to tie technology assets to operational goals, alignment won't be as seamless as it could be. Policy-based systems management is a method of automatically allocating resources, such as bandwidth, QoS, and security, according to defined business policies.
To yield an efficiency edge, policies must be implemented cohesively, and that means automation. Yet we're facing a multitude of solutions to small pieces of the policy-management puzzle: 8e6 Technologies launched a stand-alone Web proxy-blocking appliance designed to block proxy use and alert IT of offenders, while Fiberlink Communications' Extend360 allows IT managers to set up policies for mobile workers, including how and when they can connect remotely. While these and other point products certainly solve real problems around policy enforcement, no one wants a patchwork of tools. As new standards and best practices emerge, software vendors must respond with scalable, cross-technology offerings that manage and enforce policies throughout the enterprise. That's especially important given the multitudes of regulatory bodies that have swamped organizations with lengthy and sometimes vague requirements that are difficult to translate into real-world actions.
Until vendors bring us a perfect policy-management world, the best way to unify your approach from the desktop to the data center: Follow the risk.
For example, the dual drivers for policy enforcement on the desktop are regulatory compliance and cost reduction. Say your corporate policy warns users against visiting gambling or pornographic Web sites, using profanity in e-mail, or installing chat programs. The ultimate purpose of these controls is to protect the company from security breaches, lawsuits and reduced productivity. Our top five areas where policy automation will pay off in risk reduction: password control, desktop environments and software installation, Web content filtering, data security, server log monitoring, and change and configuration management. We'll zero in on a few areas where vendors are stepping up.
Security Vs. Compliance
Within the data center, policy revolves around two equally critical goals: securing servers running a variety of operating systems, and meeting requirements like PCI and Sarbanes-Oxley. Typically, enterprise software configuration management systems act as, or gather data for, a central repository, such as a CMDB, for managing and tracking data center activity. While a recent InformationWeek reader poll indicated that 23% of respondents still use a combination of spreadsheets, Visio diagrams and databases to monitor configurations, this simply won't scale: ad hoc policy tracking systems must be updated manually, a situation that opens the door to inaccuracies as well as incompatibility with other applications. Fortunately, there are some promising products emerging in this space that attempt to bring policy management into focus.
BMC Configuration Management, using technology acquired from Marimba, enables IT to view a normalized display of all configuration data, including dependencies, and to customize policy information across the data center. Based on your policies, you can deploy updates keyed to security guidelines for ongoing operations or specific tasks for emergency deployments. BMC can proactively identify vulnerabilities and automatically deliver critical policy changes and fixes to thousands of endpoints, verifying deployment success. With the ability to document these changes, IT organizations can demonstrate to auditors not just a consistent process, but a way to enforce the process. What's nice is that organizations can also use this software for configuration deployments to desktops and other endpoint devices.
BladeLogic's Compliance Manager provides hierarchical modeling of complex infrastructures so that organizations can reuse policy packages and deployments across variable environments. This is especially useful in SOX compliance audit reporting. BladeLogic's rules-based compliance measurement can be used for documenting and tracking server policies, which can lower overall costs and increase compliance scores by as much as 90%. Compliance Manager's out-of-the-box policies are based on best-practice recommendations from CIS, NIST and others. This is a significant component to speed deployment and standardize security and policy best practices.
HP's Opsware Server Automation System will discover all servers, including hardware and software details and patch levels. SAS will then manage all changes within its system. If you want to add network monitoring, the company's Network Automation System will help manage and enforce policies across even a large distributed environment.
With support for nearly every OS, it provides a unified interface that allows you to let go of your vendor-specific patch management tools. The unified interface can also help IT operations reduce the need for intimate knowledge of the details of each managed operating system and focus on enforcing broad policies across the enterprise. BladeLogic Operations Manager and HP SAS do require agents on each server, however.
BMC's RealOps and HP's Opsware Policy Automation System have the potential not only for process automation and integration, but also to act as a central hub for policy management. Beyond a configuration management database, organizations can build policy management repositories using tools like these to centrally design, report, and call execution commands to external systems to enforce policies. These technologies will be the wave of the future that will help organizations manage policies across desktop, server, mobile and even network environments. They will also allow organizations to create regulatory compliance repositories that will be a big help when auditors come calling.
Think of these systems as policy managers of managers - without tools like these, the parts-and-pieces approach will make many organizations throw their hands up and reactively deal with user complaints and failing grades on compliance audits. Rather than rushing to buy a policy manager in response to failing an audit or receiving a new CIO directive, start now so you can vet products to ensure their prepackaged reports are sufficient for your needs. If you're currently juggling several products for policy development and enforcement, make sure you understand how to tie all of those reports together into a single, unified presentation. This is not something you want to be attempting the night before an audit.
The User Morass
At the other end of the spectrum, establishing enforceable policy on Windows desktops across an enterprise is a daunting task, even in fairly small environments. Policies should include a required security checklist for configuring end user systems as well as direction concerning application usage, passwords and Web content accessibility. It should be tight enough to keep malware off systems, yet not so strict that users are prevented from doing their jobs. Because many policies are designed to prevent users from making modifications, a poorly planned set of guidelines can be difficult to adapt as the needs of the user or business change.
Secure Elements' C5 is focused on security configuration for Microsoft Windows OSes, using proprietary agents on each host machine. It works to identify security vulnerabilities and compliance gaps, then evaluate and resolve the issues. C5 is unique in being able to overlay policy-based management on an existing set of end user systems, in contrast to many other end-user management products that are really effective only at the point of operating system migration and have a difficult time showing ROI in a legacy environment. If you are moving to Vista, take a look at products like ScriptLogic's Desktop Authority. ScriptLogic's approach can apply policies even down to USB and other removable storage devices. Although it does require an agent, ScriptLogic does not use Windows group policies, which have limitations in terms of deploying and managing flexible policies. With ScriptLogic, software can roam with users, allowing enforcement based on role rather than physical hardware.
Another common challenge is dealing with password policies, helping users with password resets, and working with groups and users requiring different levels of security: a one-size-fits-all Windows password policy is often too limiting. Special Operations Software facilitates creation of password policies for different groups of users without rearchitecting your Windows domain and Active Directory structure. Special Operations actively helps users select passwords that meet corporate policy for their groups. Through a .dll installation on the client, and using the existing group policy infrastructure, deployment complexity is kept to a minimum.
Keeping an eye on employee desktops is a touchy subject - no one wants to be the blog police, but sites that distribute objectionable content must be blocked. Products like Websense and Zihec Internet Control for Business provide customizable content filtering and can allow IT to enforce granular policies, for example, defining hours when chatting or Internet shopping sites can be visited, or blocking them altogether. Zihec can also restrict content that can be sent over the Internet and limit foul language. Websense also allows IT policy managers to set options for managing Web access and even filter sites based on time of day.
However, setting end-user policy can be anything but straightforward, and overly restrictive policies may have unintended negative consequences. A survey by the University of Maryland found that employees with Web access at both the office and at home spend an average of 3.7 hours per week engaged in personal online activities while on the job. Yet they spend more time, an average of 5.9 hours per week, using the Internet at home for work-related purposes. Allowing Internet access actually resulted in more time spent working, which illustrates how complex implementing a desktop control policy can be. It's a good reminder that an employee sits behind every desktop, and policy management ultimately comes down to people.
Automate, Automate, Automate
For policy management to be truly effective, automation is required. The complexity of complying with multiple laws, regulations, and best-practice guidelines, combined with the fast pace of vulnerabilities, makes manual policy management a losing proposition for organizations of any size.
Aside from audits and meeting best practice guidelines, policy management can provide other benefits to your IT organization. Controlling end user devices can reduce downtime and user complaints related to poor performance. Attacks from malware and viruses can be radically reduced or eliminated by ensuring that the right security software is installed and up-to-date. A solid configuration management system, required for policy management, can also reduce costs and optimize your technology investment.
Some products are starting to make sense of the chaos, and we'll be watching the vendor landscape to find one that can do it all.
Michael Biddick is a Contributing Editor for InformationWeek and Network Computing and executive VP of solutions at Windward Consulting Group, a firm that helps organizations improve IT operational efficiency. Write to him at [email protected].
Top 11 Questions to Ask PBSM Vendors
1. What environment do you focus on: desktops, application servers, network devices or mobile handsets?
2. What types of platforms/operating systems are supported?
3. What policies and default rules are included?
4. Can I edit policies? If I edit them, am I still supported?
5. How effectively can I deploy the product in a complex, mixed legacy environment?
6. Are agents required? If so, how are agents deployed, configured and managed? What kind of load will they place on my systems, and can I get that in writing?
7. If you offer desktop policy management, do you use the existing Windows policy infrastructure or deploy a new layer of technology to enforce policies?
8. What type of central console is available to manage and change my policies?
9. As my organization changes and new policies need to be developed, how easy is it to deploy them into my new environment?
10. Can I enforce, audit and report on my policies?
11. How does your product document policies?