Eliminating threats on the network
Sygate's CEO discusses security solutions for large enterprises
Sygate is a company that specializes in endpoint security solutions for large enterprises. John De Santis, Sygate's president and CEO, recently met with InfoWorld Senior Analyst Wayne Rash to discuss the issue of security policy management and measures for creating a safe state on the network.
InfoWorld: How important to the enterprise is security policy management? Is this something vital that people are not paying attention to?
De Santis: The more advanced thinkers in the larger enterprises understand that it's a major issue for them. They've spent a lot of time looking for the bad thing on the network and trying to nail it through an intrusion detection system or an anti-virus system, through firewalls. What's changed is that the threats and the vulnerabilities have become sophisticated enough to the point where you can't find them all. You don't have a virus signature or an intrusion detection signature anymore. So we were seeing them move towards [asking what is] the safe state, the trusted state of a device before it connects to my network? If I can somehow enforce that, then I could eliminate many vulnerabilities and threats that are out there because I know what the trusted state ought to be. I know that you need this level of patches [and] these security measures in place. I know you need these applications turned on or turned off before someone gets connected. The problem I have as an IT executive is I have very little way of automating the enforcement of it. I'm not sure whether people are listening to what I'm saying [and] doing what I'm telling them to do. Security policy management is not just a question of doing audits and finding out whether people are following my policies. It's can you automate as much as possible the enforcement of policy and the remediation, get things back to a trusted state when they fall out of a trusted state so that people can get on with their work.
InfoWorld: You're saying that you need to do something besides using the signature-based scanning, which is what most anti-virus programs do?
De Santis: Yes. There's this approach that some people call scan and block: I'll scan something -- "Oh, you're bad, I'm going to block you" -- and there's some people that do scan and report -- "I'll scan something and I'm going to report that this is going on." If you had only a security hat on and you weren't running the business, you'd say "Well, I'm secure. I stopped all of the potential bad things from getting in." But there's a business to run and a lot of these worms and viruses and things are so automated they rip through the network even without any human intervention. If you can change the concept from scan and block to comply and connect, you've changed the entire perspective on how you let people onto the network. You say "Comply to my policies and then you can connect. And if you can't comply, come into this safe zone where I'll remediate, I'll get you back to a trusted state, I'll get your anti-virus back up to date, I'll turn off KaZaA, I'll turn on these other security measures that should be on so that then you can come onto the network and connect to the applications you need to connect to."
InfoWorld: Where do you think policy management is going in terms of its overall role in the future of enterprise security?









