Managing security in a compliance-crazy world

Products from eSecurity, nCircle, eEye, Enterasys, and NetIQ ease documentation burden

The laws seem to be shooting out of Congress like arrows aimed at the hearts and budgets of IT administrators across corporate America. Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, Basel II, and a host of other regulations are pushing IT security management into extremely difficult and potentially expensive territory.

“It’ll probably take years for many organizations to become fully compliant because the rules are so vague,” says Mark Amaher, security administrator at Ochsner Clinic Foundation, a large hospital in New Orleans with 60 satellite offices throughout Louisiana. “We’ve been actively working on HIPAA compliance from the technical side for over a year, and it’s hard because the rules simply don’t specify what’s required other than audit logs of who accesses protected data stores. How you enforce those rules, however, is up to you.”

Coping with this uncertainty presents an altogether new challenge for IT security administrators. It’s almost as if actual security has taken a backseat to security documentation. “It used to be that guys like insurance auditors would come in and simply ask me if I had certain processes in place,” says Christopher Amos, IS manager at Centillium Communications. “Just answer yes and you’d get your big insurance discount. Now they want to see documented proof and in some cases verify that with hands-on testing.” Preparing for such audits puts a huge burden on IT.

“If you’ve implemented commonsense security, you’re probably already in compliance from an IT standpoint,” says Tim Keanini, CTO of nCircle, a security monitoring software maker. “Compliance from an auditing standpoint, however, is something else. Most regulations are fairly generic in terms of what they’re expecting from IT security. When the questions do get explicit, like some government audits such as SISMA [Streamlined Integrated Software Metrics Approach], nine out of 10 times they’re going to concern what and who is on your network. Getting to that information in an efficient manner is the real challenge.”

Trouble is, that’s a huge request for companies with sizable networks. Even for networks with a security infrastructure that provides event logs and identity management information, the process of gathering this data and distilling it so that it makes sense to business managers, auditors, and even lawyers is a daunting challenge.

Fresh tech to the rescue

Literally dozens of new products are springing up to ease IT administrators’ regulatory burdens. The general form that much of this software takes is that of a metasecurity management console. Using these new tools, IT security administrators can not only gather relevant data but also implement customized security policies on their networks. These policies ensure regulatory compliance from an IT standpoint and provide all the documentation necessary to prove that notion to anyone who might ask.

The Sentinel 5 product from eSecurity is an excellent example of this platform style. “We specifically designed Sentinel as a security management tool that sits on top of existing security infrastructure to manage these platforms cohesively, both with and without agents,” says Reed Harrison, CTO of eSecurity. Harrison describes Sentinel’s impact on compliance problems in terms of template-style Control Packs.

“The Control Packs allow our customers to maintain compliance without losing the advantage of automation,” Harrison says. “HIPAA, for example, may require specific settings with regard to user permissions. So our Control Packs can implement these requirements from a single console and then ensure that they remain in effect automatically.” Sentinel monitors settings via the Control Packs, and if it finds an anomaly, such as users trying repeatedly to access information to which they shouldn’t have access, the software can analyze those anomalies, react, and route them to the appropriate human resource for remediation -- all this with a full audit trail.

IP360 Version 6.4 from nCircle takes an appliance-style approach. “The company had it installed in a day, and since then it’s almost been plug and forget,” says Centillium’s Amos, an nCircle customer. “And the reports it gave us are easy enough that I usually feel comfortable giving them to upper management directly.” But, as opposed to the template approach taken by eSecurity, nCircle requires customers to know how to match IT security processes to business processes in order to configure IP360 efficiently.

Although it skews more toward vulnerability management, eEye is another fast-emerging security management player. Fernando Martinez, CIO and CTO of Mercy Hospital in Miami, uses eEye’s Retina product for ongoing vulnerability assessment and the company’s Blink product for end-point intrusion detection.

“Where clinical informatics are concerned, you’re very concerned with data integrity,” Martinez says. “Every piece of fancy medical hardware has a PC attached to it, and all of these are potential security holes. Blink is perfect for us because in effect it’s an intrusion prevention system that surrounds every end point on the network individually, while reporting all that event data back to a central console for easier logging and analysis.”

Old guard, new direction

New players aren’t the only ones listening to cries for help from IT managers overwhelmed with new data-gathering demands. In some cases, established companies are re-architecting their business strategies to address new needs.

Formerly part of Cabletron, Enterasys has been manufacturing all manner of LAN, WAN, WLAN, perimeter security, and even VoIP products for years. But all that has changed. “At the beginning of last year we realigned the entire company around this concept of totally secure networking,” says John Rose, CTO of Enterasys. “We took a hard look at all our products and worked hard on bringing a very strong security slant to every product line, including authentication, trust analysis, encryption, and more.”

Rose believes that adding analysis data to dynamic threat events is critical to the customer’s overall security experience, and he’s not alone. NetIQ, a longtime manufacturer of enterprise network management software with its AppManager line, has also shifted its primary focus to security-plus-network management. “We moved in this direction because we found that many of our customers simply didn’t know the actual impact of security events on their operations,” says Chris Pick, vice president of market strategy at NetIQ. “And that’s critical knowledge from a compliance perspective.”

Despite the many products popping up to help IT security managers solve compliance issues, it’s still very much an emerging landscape. Many customers have yet to find the sweet spot between ease-of-use and the ability to customize metasecurity managers to specific business and regulatory requirements.

Click for larger view.

Whatever it takes, write it down

Bill Randal, director of MIS at Red Robin restaurants and a NetIQ customer, has had to do some heavy lifting. “The NetIQ products have been great at helping us with compliance, but they’re definitely not a drop-and-play solution.” Red Robin implemented AppManager years ago but started using NetIQ Security Manager only three months back. “And we’re only now getting really good information out of the system,” Randal says. “It’s a lot of work marrying business, security, and compliance requirements into a single system.”

When it comes to starting a compliance project, Randall can’t stress the importance of documentation enough. “It’s what the auditors are really looking for,” he says. “They’re not IT folks, so they’re looking for documented processes they can track. At the start of our compliance project, we literally stopped all other projects for over three weeks while we documented every security and auditing process we had in place.”

In this paper chase, Rowan Trollope, vice president at Symantec’s security management business unit, sees a new opportunity for Symantec’s ESM (Enterprise Security Manager), which has been available for more than 10 years.

“Our first customers were the financial institutions, and they’ve always been heavily regulated,” Trollope says. “Banks are very forward-thinking with regards to both security and compliance, so they’ve always had expert staff on hand to interpret ESM data.” But now that ESM is beginning to appeal to a broader enterprise audience, ESM has to pay much closer attention to broader compliance requirements and especially ease-of-use, he adds.

“We’re going to make ESM more user-friendly in the very near future,” Trollope promises. “The combination of a rapidly changing compliance horizon and a new user base that’s interested in more business-oriented analysis, not simply security expert data, means we’ve got to focus much more on usability. Simplicity, simplicity, simplicity.”

Big vendors: behind the curve

Large technology players can’t react to customers’ holistic security management needs as quickly as smaller startups can. With so many product lines and diverse customer requirements, they’re forced to rely on partners or to make vague noises about future plans.

Microsoft, for example, can cite numerous features across a swath of products -- including Active Directory, ISA (Internet Security and Acceleration) Server, and Identity Management Server -- that can be used to make a Windows network compliant with almost any regulation. But finding specific help in meeting regulatory criteria is not yet available directly from Redmond, as Microsoft has left that function to its solution providers and partners instead.

“This is a hugely complex issue for Microsoft when we view the sheer diversity of both our customers and our product lines,” says Peter Cullen, chief privacy strategist at Microsoft. “It just isn’t something we can easily jump into.” Cullen points to an upcoming compliance management initiative that will bear fruit this summer with a rich set of free planning tools to help customers map their Windows infrastructures across specific compliance needs.

The company is also working on its NAP (Network Access Protection) end-point protection standard, which is similar to the NAC (Network Access Control) standard put forth by Cisco. Both standards are aimed at providing dynamic security scanning of all network end points against central security policies. Should an end point be found wanting, it isn’t allowed network access and is instead dropped into a quarantine area.

Bill Lewis, CIO of Arizona State University, is using an introductory version of NAC called NAC Lite that Cisco acquired through its purchase of Perfigo. “We face issues from a number of regulatory sources, including FRPA [Family Rights and Privacy Act], Gramm-Leach-Blilely, and even a little bit of HIPAA,” Lewis says. “NAC Lite lets us observe these rules while still offering open access to our students.”

Although NAC Lite helps control the scads of mobile nodes that jump around on the university’s network, Lewis’ principal support systems analyst, Robin Manke-Cassidy, wishes for more. “We need integration onto the switches themselves. Right now everything is a static route to the NAC Lite machine, which is easy on a single network, but incredibly difficult on disparate networks,” Manke-Cassidy says. Click for larger view.

Although NAC Lite helps control the scads of mobile nodes that jump around on the university’s network, Lewis’ principal support systems analyst, Robin Manke-Cassidy, wishes for more. “We need integration onto the switches themselves. Right now everything is a static route to the NAC Lite machine, which is easy on a single network, but incredibly difficult on disparate networks,” Manke-Cassidy says. Click for larger view.

Russell Rice, director of marketing and system planning at Cisco, agrees. “That’s NAC Phase 2, and it’s due out this summer, which is when we expect to see NAC really take off in the customer space,” he says. But Cisco is being ambitious with NAC, developing the technology as a system architecture rather than as a product, which means not only technology development but vendor interoperability as well.

A shifting landscape

“No matter whose tools you’re using, this is far from a done deal for anyone,” says Brian Chee, information systems security manager at University of Hawaii and Research Corp. of Hawaii (and InfoWorld senior contributing editor). He maintains that going it alone is as viable a strategy as hiring consultants, depending on how comfortable you are with security management data.

“Even a small Windows server farm can generate upwards of 50,000 events in a single year,” Chee says. “If you’re smart and you’ve got some time, you don’t need to spend tens of thousands managing that flow. You can do monitoring with What’s Up Gold and log file analysis with EventTracker for a grand total of about $3,000. And EventTracker even has specific regulatory compliance templates to help with the task. But then you’re taking on the burden not only of collection but analysis and reporting as well.”

That’s simply not feasible in many larger organizations, which is where auditing companies such as Pricewaterhouse Coopers have seized on a new opportunity. Andy Toner, a partner at PwC, describes a new practice that the company formed around security event management.

“We use eSecurity’s Sentinel product to provide our customers with all the security information available on their networks,” Toner says. “And then, narrowing that information down into reports, they can apply directly onto business processes and compliance concerns.” PwC adds its consulting expertise in helping customers map business needs onto IT security technology and reporting, a moving target that Toner says has changed significantly in the past six months.

“Auditors aren’t simply going to ask you whether or not you’ve got controls anymore,” Toner says. “They’re going to want to see documentary evidence to that effect and in many instances will want to come on-site to test them.”

Other compliance-concerned IT managers agree. “Whether it’s [Sarbanes-Oxley] or HIPAA or something else, this is going to keep on changing,” Red Robin’s Randall says. Both legislation and the auditing bodies will become more sophisticated in terms of not only the information they’re asking for but also what form it is to take and how quickly they expect to get it.

“These new [security management] tools are great,” Chee says. “But if you don’t have one in place, you’d better get set to mirror that functionality somehow because auditors will be looking for it sooner rather than later.”

Copyright © 2005 IDG Communications, Inc.