Aberdeen Insight: Security Policy Automation In The Enterprise

Overview: A new evolution is underway in the security industry. Unlike a revolution
that destroys, this evolution of security builds on what is already in place by extending the existing environment.
By delivering extensible security policy modules, "best practice" templates, and automated real-time
feedback loops, this evolution promises to integrate security into a manageable whole that is cost effective, consistent, convenient, reliable, and scalable.

The Enterprise’s Security Dilemma

If you believe everything printed by the popular press, security is as simple as dropping in
a firewall or two and making sure that antivirus software on the desktop is updated continuously.


But the world in which the enterprise’s Information Systems (IS) security professional lives
is vastly more complex than this simple scenario. The day-to-day world of the enterprise IS security pro includes
incident response teams, ongoing policy reviews, and training of systems and network administrators. Most security
pros must also keep up with hacking techniques, technology trend analysis, and ongoing detection, prevention, and fraud-analysis
techniques, as well as daily reporting, configuration, and documentation activities. In short: the enterprise’s
security pros, if they exist at all, are already stretched too thin to be effective.

In fact, Aberdeen’s research consistently shows that the number of security pros employed by
the enterprise hovers around 0.05% (or 0.0005) of the total employee population. For a large enterprise with 100,000
employees, that translates to approximately 50 people whose primary job is security. In a midtier business with
about 2,000 employees, that means there is only one security person on staff. In enterprises with fewer than 2,000
employees, there are few, if any, people dedicated to security.

Part of the dilemma facing the enterprise is how to safely integrate additional Internet-enabled
systems for improving business results without opening Pandora’s risk box. But, the real dilemma facing every enterprise
— from large to small — is capturing and retaining advanced security expertise that is specific to the needs of
the enterprise in a cost-effective manner.

Security’s Policy Problem

Instead of helping IS executives, the current state of the market for security products has been
forcing decision-makers to trade off business risks against costs. The multiple products that apparently must be
purchased, deployed, and maintained to adequately mitigate risk would be too expensive for all but the largest
of enterprises.

Moreover, most of security’s point-products — e.g., firewalls, antivirus, and intrusion detection,
among many others — do not provide IS managers with the ability to easily customize security policies to meet the
specific business requirements of the firm.

Limited by what a supplier’s software engineering team believes are appropriate security policies,
IS buyers are mired in tuning technology knobs that bear little, if any, relationship to the business policies
and procedures employed by the enterprise.

This approach to security policy makes it nearly impossible for IS to imbue specific enterprise
security and privacy policies into any of its applications, systems, and security-technology controls.

IT Systems: Marshmallows on the Spit

While the technology of Internet computing has raced ahead during the past 10 years, security
technologies have not kept up with the same rapid pace of change.

Firewalls, once seen as effective defensive moats for connecting to the Internet, have more realistically
become simple routers with holes punched in them. The holes, once considered anathema, are there to ensure that
software services flow unhindered between the Internet and the enterprise’s business computing platforms, including
PCs (personal computers), e-mail gateways, Web sites, and Internet application and data servers.

Meanwhile, traditional viruses have almost disappeared and have been replaced by blended threats
and other forms of malicious software microbes. (For more information, see Aberdeen’s June 2001 White Paper, Software Microbes: New Threat Calls for a Rethinking of Security.) The new software
microbes are automatically grabbing control of the enterprise’s platforms — PCs, e-mail systems, Web servers, application
servers, etc. — without anyone being the wiser. Ignorance is not bliss, especially when the computing platforms
are surreptitiously being controlled.

Unfortunately, application and data servers, as well as PCs, on the enterprise network have become
tender marshmallows, ready for roasting. And roasted they are becoming.

Looking for Cover from the Fire

The obvious prescription for these problems is to regain control — and keep control — of the
systems that are responsible for the enterprise’s business operations. But, that is simpler to state than achieve
— especially in a cost-effective manner — over time.

The alternatives to regaining control include the following:

  • Ignoring problems until it is too late;
  • Tightening down each and every application and data system by hand; and
  • Using security policy automation tools to regain and maintain control.

Ignoring the problem is not a viable alternative for the enterprise, especially in banking and
healthcare. Nor is that a wise career move.

While tightening down each and every application, file, and print server by hand throughout
the enterprise is possible, it is economically indefensible. The time needed to research, document, and properly
configure the myriad systems on the enterprise network is daunting. But these efforts and costs are dwarfed
by the time that would be spent trying to continuously maintain control over the enterprise’s computing resources
as new applications, network services, scripts, and maintenance software are added for other purposes.

The only approach that makes financial and business sense is to automate security’s workflow
between security policy templates and the computing platforms that are deployed by the enterprise.

Automating Security Policy for the Enterprise’s Computing

A solution to automate security workflow for the enterprise’s computing platforms must make it
possible for IS to more effectively perform several tasks at once, including the following:

  • Defining consistent security policies for different computing platforms;
  • Assessing the risks that are unique to each deployed computing platform;
  • Enabling incident response mechanisms for threshold and anomalous events; and
  • Providing reporting, analysis, education, training, and awareness.

Such an automated policy solution should make it possible to capture best practices at the business
process and technology level. Policy automation software should make it possible for IS to create, modify, and
update security policy based on specific enterprise requirements.

Moreover, such a solution should also enable the injection of industry-specific policies such
as Gramm-Leach-Bliley (GLBA) in the financial services industry, HIPAA (Health Insurance Portability and Accountability
Act) in the healthcare industry, and BS 7799 (the basis of ISO/IEC 17799) in the U.K., among others.

Example: PoliVec Builder, Scanner, and Enforcer

PoliVec’s products — PoliVec Builder, PoliVec Scanner, and PoliVec Enforcer — are good examples
of the new security policy automation tools that make it cost effective to define, detect, deploy, and document
consistent security policies.

PoliVec Builder

PoliVec Builder is a security policy development tool that delivers the ability to generate an
enterprise-specific set of active security policies including regulatory, general, system, network, and physical
security policies, among others. Once defined, Builder translates human readable policies into a machine form for
computing platforms. These policies are exported to PoliVec Scanner and PoliVec Enforcer.

PoliVec Scanner

PoliVec Scanner is an automated policy audit and analysis tool that automates the process of
discovering, recommending, and applying changes to system platforms. Whether system vulnerabilities are a result
of system configuration problems or holes that are drilled into system platforms by applications and network services,
Scanner will detect the problems and recommend changes.

PoliVec Enforcer

PoliVec Enforcer consists of small software agents that are deployed on target system platforms
to actively monitor, alert, report, and manage the security posture of systems — against known policies — in real

By using policies defined from within Builder, Enforcer makes it possible for IS to manage the
security of critical system platforms throughout the enterprise as these systems and applications are evolved and
changed over time for new business procedures.
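
To make the workflow described in the preceding sections concrete (a declarative policy, translated into machine-checkable rules, run by a scanner against a platform’s configuration, with the enforcer’s job of detecting drift from an approved baseline), here is a small policy-as-code audit in Python. It is an added example written for this page, not PoliVec’s code or file formats. The policy rules, the sshd_config-style sample text, and every function name are constructed assumptions; the point is the shape of the pipeline, not the particular settings.

```python
"""Policy-as-code audit: declarative policy -> compiled checks -> findings and drift.

Added example for this page; not vendor code. All rule IDs, settings and the
sample configuration are constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical policy in the form a Builder-style tool might export: each rule
# names a setting, a comparison, a required value and the business rationale
# that ties the technical knob back to enterprise policy.
POLICY = {
    "name": "Internet-facing Unix servers (constructed example)",
    "rules": [
        {"id": "SSH-01", "setting": "PermitRootLogin", "op": "eq", "value": "no",
         "why": "administrative access must be attributable to a named user"},
        {"id": "SSH-02", "setting": "PasswordAuthentication", "op": "eq", "value": "no",
         "why": "password guessing from the Internet is a known threat"},
        {"id": "SSH-03", "setting": "MaxAuthTries", "op": "le", "value": 4,
         "why": "limit brute-force attempts per connection"},
        {"id": "SSH-04", "setting": "Protocol", "op": "eq", "value": "2",
         "why": "SSH protocol 1 has known weaknesses"},
    ],
}

# Constructed sshd_config-style text standing in for a scanned host. Note the
# commented-out PasswordAuthentication line: the directive is absent, so the
# daemon default applies, and the audit must treat "absent" as non-compliant
# rather than silently passing it.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 6
"""


@dataclass
class Finding:
    rule_id: str
    setting: str
    observed: object   # None when the directive is missing entirely
    required: str
    why: str


def parse_config(text):
    """Parse 'Keyword value' lines, skipping blanks and comments.

    First occurrence wins, matching sshd's own rule for repeated keywords.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


# Comparison operators the policy language supports. A missing value never
# satisfies a rule.
OPS = {
    "eq": lambda observed, want: observed is not None and str(observed) == str(want),
    "le": lambda observed, want: observed is not None and int(observed) <= int(want),
}


def compile_policy(policy):
    """Translate the human-readable rules into callables (the 'machine form')."""
    checks = []
    for rule in policy["rules"]:
        op = OPS[rule["op"]]

        def check(settings, rule=rule, op=op):
            observed = settings.get(rule["setting"])
            try:
                ok = op(observed, rule["value"])
            except ValueError:        # non-numeric value where a number is required
                ok = False
            if ok:
                return None
            return Finding(rule["id"], rule["setting"], observed,
                           f'{rule["op"]} {rule["value"]}', rule["why"])
        checks.append(check)
    return checks


def audit(config_text, policy=POLICY):
    """Scanner step: run every compiled check and return the list of findings."""
    settings = parse_config(config_text)
    return [f for f in (check(settings) for check in compile_policy(policy)) if f]


def drift(baseline_text, current_text):
    """Enforcer step: settings whose value changed since the approved baseline."""
    before, after = parse_config(baseline_text), parse_config(current_text)
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)}


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.rule_id}: {f.setting} is {f.observed!r}, policy requires "
              f"{f.required} ({f.why})")
```

Run against the constructed sample, the audit reports SSH-01, SSH-02 and SSH-03 (root login enabled, password authentication not explicitly disabled, too many authentication attempts) and passes SSH-04. The same parsed representation feeds `drift`, which is the enforcer side of the design: compare the current file with the last approved one and alert on any changed keyword, whether or not the new value happens to violate a rule.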

Benefits of Security Policy Automation

Aside from the enterprise exercising greater control over its computing resources, the automation
of consistent security policies delivers the following significant benefits:

  • Consistent security procedures that can be deployed and maintained against policies;
  • Lowered operating costs to realize continuous compliance against policies;
  • Ongoing assessment, alerting, and management of the enterprise’s risk and security profile;
  • Lowered costs for complying with industry-specific security and privacy regulations.

Aberdeen Conclusions

A major evolution is sweeping the security industry that will benefit IS buyers, "make-the-money"
managers, and corporate governance committees.

This evolution places enterprise security policies front and center by delivering software security
products that make it possible for IS to connect policies, procedures, and people into a connected whole — not
a disconnected, incomplete, and incomprehensible security puzzle that looks and acts like a Rube Goldberg machine.

The new security policy and process automation suppliers are going to significantly alter the
economics — and the landscape — of security. It is time for IS decision-makers to investigate the simplicity and
power of security policy automation solutions that are already benefiting users.

Jim Hurley is vice president and managing director of the Information Security practice at
Aberdeen Group in Boston. Aberdeen Group is a leading IT market analysis and
positioning services firm that helps Information Technology vendors
establish leadership in emerging markets. For more information, go to www.Aberdeen.com.