Analysis: Security And Configuration Solutions Converge

When it comes to IT security, the typical defensive toolsets garner all the attention: firewalls, antivirus and antispyware apps, as well as intrusion-detection and prevention systems. While they all play critical roles in defense, the most crucial processes and technologies needed to keep systems secure and humming along are those associated with continuous security-configuration-management programs.

"When you consider the viruses, worms and breaches that hit companies, you'll see that it's not a technology problem. It's a process problem that centers on change and configuration management," says Gordon Brown, president of Plexent, a Dallas-based consulting firm that specializes in IT-service management.

Considering the fast pace of change and the increased complexity of networks, applications and data centers, implementing an ongoing security-configuration-management program is no easy chore for organizations--large or small. In addition, the muddled product landscape makes security-configuration management a golden opportunity for solution providers.

Gartner security and privacy analyst Amrit Williams backs up Brown's observation, and says that roughly 99 percent of all successful external attacks exploit known vulnerabilities or avoidable system-configuration errors.


To plug those holes and keep systems in line with security policy, companies and solution providers have historically been forced to rely on a handful of point products that didn't work together or readily share information: patch-management tools, vulnerability scanners and configuration-management suites, among others. That is now rapidly changing as configuration and security-management tools converge.

For example, vulnerability and security-configuration-management software manufacturer BigFix recently unveiled its Vulnerability and Security Configuration Management Suite, which combines asset discovery; security standards; best-practice templates and baselines; vulnerability assessment; prioritization; remediation; and patch management. BigFix's Vulnerability and Security Configuration Management Suite also integrates with Cisco's Network Admission Control and Microsoft's Network Access Protection initiatives. Other leading vendors offering security-configuration-management suites include Altiris, LANDesk and Symantec.

The opportunity is great for solution providers in this market. Many companies, says Tom Murphy, director of enterprise marketing at Symantec, need help simply identifying and classifying their assets. "Customers are always changing and adopting new applications. Some have thousands and thousands of services, and they just can't get their hands around how many servers they actually have deployed, or the functional relationships between servers," he says.

That's why the best starting point for getting a grip on rapid change is a solid asset-and-configuration baseline: you cannot manage change to systems you have not inventoried, and the baseline is what an ongoing change-management process measures against. "It's all about coordinating asset-and-configuration management, business-continuity plans, determining the customer's current level of risk--and then developing a configuration and security-lifecycle-management plan accordingly," Plexent's Brown says.
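A baseline is only useful if something compares live configurations against it and separates changes that went through change management from those that did not. The following is an added example, not code from the article or from any vendor it names; the hosts, settings, version strings and the approved-change feed are constructed sample data, and the setting names are hypothetical.

```python
"""Configuration-drift check against a recorded baseline.

Added example, not code from the article or from any vendor named in it.
Hosts, baseline values, current values and the approved-change feed are
constructed sample data with hypothetical setting names.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple


def fingerprint(config: Dict[str, Any]) -> str:
    """SHA-256 over a canonical JSON form, so two snapshots compare cheaply."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Drift:
    host: str
    key: str
    baseline: Any
    current: Any
    approved: bool  # True when an approved change record covers (host, key)


def diff_against_baseline(host: str, baseline: Dict[str, Any],
                          current: Dict[str, Any],
                          approved: Set[Tuple[str, str]]) -> List[Drift]:
    """One Drift per key whose value differs between baseline and current."""
    drifts = []
    for key in sorted(set(baseline) | set(current)):
        b, c = baseline.get(key), current.get(key)
        if b != c:
            drifts.append(Drift(host, key, b, c, (host, key) in approved))
    return drifts


def drift_report(baseline_all: Dict[str, Dict[str, Any]],
                 current_all: Dict[str, Dict[str, Any]],
                 approved: Set[Tuple[str, str]]) -> Dict[str, List[Drift]]:
    """Map host -> list of Drift for every host whose snapshot differs.

    A host present in the baseline but absent from the current inventory is
    compared against an empty config, so a vanished host shows up as drift too.
    """
    report = {}
    for host in sorted(baseline_all):
        current = current_all.get(host, {})
        if fingerprint(baseline_all[host]) == fingerprint(current):
            continue  # identical snapshot, nothing to examine
        report[host] = diff_against_baseline(host, baseline_all[host], current, approved)
    return report


def unauthorized_changes(report: Dict[str, List[Drift]]) -> List[Drift]:
    """Drift with no change record behind it: what change management must chase."""
    return [d for drifts in report.values() for d in drifts if not d.approved]


# Constructed sample data (hypothetical hosts, settings and version strings).
BASELINE = {
    "web01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
              "firewall.enabled": True, "pkg.openssl": "1.0.1a"},
    "db01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
             "firewall.enabled": True, "pkg.openssl": "1.0.1a"},
}
CURRENT = {
    "web01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
              "firewall.enabled": True, "pkg.openssl": "1.0.1b"},   # ticketed upgrade
    "db01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
             "firewall.enabled": False, "pkg.openssl": "1.0.1a"},   # nobody filed a change
}
APPROVED = {("web01", "pkg.openssl")}  # hypothetical approved-change feed

if __name__ == "__main__":
    for d in unauthorized_changes(drift_report(BASELINE, CURRENT, APPROVED)):
        print(f"{d.host}: {d.key} changed {d.baseline!r} -> {d.current!r} (no change record)")
```

In this data web01's OpenSSL upgrade is covered by a change record and is reported but not flagged, while db01's root-login and firewall changes have no record and are the ones an operations team would have to explain. The fingerprint comparison is the cheap path for fleets of thousands of hosts; the per-key diff only runs for hosts that differ.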

Increased regulatory and compliance demands from Sarbanes-Oxley and HIPAA also are increasing the need for many industries to better manage and secure their assets through more mature configuration-management initiatives than they've used in the past. "SOX has become a prevalent driver of configuration management because it addresses IT change control of systems," Brown adds.


While security-configuration management often conjures up a vision of large enterprise deployments with hundreds of servers and thousands of desktops, small businesses, which have become just as dependent on technology as large corporations, often lack the knowledge and resources to keep those systems properly configured and secure.

"PC availability is becoming even more important for small businesses, many of which now operate in knowledge-based industries. If their systems go down, their business goes down," says Ann Westerheim, CEO of Ekaru, a Westford, Mass.-based solution provider that focuses on SMBs.

"The reality is that not only do they not have automated tools, they don't have consistent platforms or policies in place. They're running 10 PCs with 10 different types of antivirus solutions," Westerheim adds. "They need help standardizing their systems, establishing policies, and bringing automation to their infrastructure to ensure that every PC is up and running," she says.

The need for those processes and a higher level of automation is especially strong for large businesses that need to consolidate the plethora of point products used for managing configurations and system vulnerabilities. This demand will continue to drive consolidation in the market, as large configuration-management companies such as BMC Software, CA, Hewlett-Packard and IBM/Tivoli are likely to acquire smaller vulnerability-management security vendors, Williams says. Last March, lifecycle-management firm Altiris acquired Pedestal Software for its security-management applications, and Internet security firm Symantec recently acquired vulnerability management and IT-compliance software makers BindView and Relicore to help round out its data-center-management and security offerings.

"Historically, this has been a point-product game," says Brian Dye, director of product management at Symantec. And the demand to be able to handle the entire configuration-management lifecycle from one management suite is being answered this year. "Organizations want to manage, fix and prevent configuration errors from a single user interface, and we're taking product steps to do that," Dye says.

The demand for solution providers that can help organizations design, implement and maintain an ongoing security-configuration-management program is clear. The growing number of software vulnerabilities discovered each week; the sophistication of spyware, network and application attacks; and the continued mix of notebooks, PDAs and other devices accessing networks all mean this is an opportunity that isn't going to vanish anytime soon.

"We don't have to sell organizations on the fact that they have to get a better grip on change and configuration management. They've already come to that conclusion," Murphy says. "Ask operations people if they'd gamble their careers on whether they understand the configurations and dependencies of their systems, and most would reply 'No.'"


The ultimate vision of Cisco's Network Admission Control and Microsoft's Network Access Protection initiatives is to provide network and system-configuration control on the fly: an endpoint's posture is checked before it is admitted, and if the system isn't up to policy or presents a risk, it can be quarantined or remediated before access is granted. An entire security and configuration-management ecosystem of dozens of vendors, makers of patch-and-configuration-management tools, anti-malware products and vulnerability scanners, is making its products compatible with these systems.

This lets solution providers assemble so-called best-of-breed applications within a vulnerability and configuration-management framework to help companies enforce policies in near real time. For example, a company could use Qualys' QualysGuard vulnerability scanner to vet any untrusted system that attempts to join a NAC-enabled network; if the scanner finds the system vulnerable, it could be quarantined until the problem is fixed.
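The admission logic that the two preceding paragraphs describe, a posture report checked against policy, then allow, remediate or quarantine, is shown below as an added example. It is not Cisco NAC, Microsoft NAP or QualysGuard code; the policy, the KB-0001-style patch identifiers, the severity scale and the posture reports are all constructed for illustration. One caveat the example builds in that practitioners care about: an endpoint that cannot produce a posture report at all is quarantined rather than waved through.

```python
"""Admission decision for an endpoint posture report, in the NAC/NAP style.

Added example; this is not Cisco NAC, Microsoft NAP or QualysGuard code.
The policy, patch identifiers, severity scale and posture reports are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

POLICY = {
    "av_required": True,
    "max_av_signature_age_days": 7,
    "required_patches": {"KB-0001", "KB-0002"},  # hypothetical identifiers
    "quarantine_at": "high",  # findings at or above this severity block access
}


@dataclass
class Posture:
    """What an agent or an admission-time scan reports about one endpoint."""
    host: str
    av_running: bool
    av_signature_age_days: int
    installed_patches: Set[str]
    scanner_findings: List[Dict[str, str]] = field(default_factory=list)


@dataclass
class Decision:
    host: str
    action: str  # "allow", "remediate" (restricted access while fixing), "quarantine"
    reasons: List[str]
    remediation: List[str]


def evaluate(posture: Optional[Posture], policy: dict = POLICY,
             host: str = "unknown") -> Decision:
    """Fail closed: no posture report means no network access."""
    if posture is None:
        return Decision(host, "quarantine", ["no posture report"], ["install or repair agent"])

    reasons: List[str] = []
    fixes: List[str] = []
    worst = 0

    if policy["av_required"] and not posture.av_running:
        reasons.append("antivirus not running")
        fixes.append("start or install antivirus")
        worst = max(worst, SEVERITY["high"])
    elif posture.av_signature_age_days > policy["max_av_signature_age_days"]:
        reasons.append(f"antivirus signatures {posture.av_signature_age_days} days old")
        fixes.append("update antivirus signatures")
        worst = max(worst, SEVERITY["medium"])

    missing = policy["required_patches"] - posture.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
        fixes.extend(f"install {p}" for p in sorted(missing))
        worst = max(worst, SEVERITY["high"])

    # Findings handed over by a vulnerability scanner; unknown severities count as low.
    for f in posture.scanner_findings:
        label = f.get("severity", "low")
        title = f.get("title", "unnamed finding")
        reasons.append(f"scanner: {title} ({label})")
        fixes.append(f"fix {title}")
        worst = max(worst, SEVERITY.get(label, SEVERITY["low"]))

    if not reasons:
        return Decision(posture.host, "allow", [], [])
    action = "quarantine" if worst >= SEVERITY[policy["quarantine_at"]] else "remediate"
    return Decision(posture.host, action, reasons, fixes)


# Constructed posture reports for three hypothetical endpoints.
HEALTHY = Posture("lt-101", True, 1, {"KB-0001", "KB-0002"})
STALE_AV = Posture("lt-102", True, 10, {"KB-0001", "KB-0002"})
UNPATCHED = Posture("lt-103", True, 1, {"KB-0001"},
                    [{"title": "weak SMB configuration", "severity": "medium"}])

if __name__ == "__main__":
    for p in (HEALTHY, STALE_AV, UNPATCHED, None):
        d = evaluate(p, host="lt-unknown")
        print(d.host, d.action, "; ".join(d.reasons) or "-")
```

The split between "remediate" and "quarantine" is the policy knob the article's vendors are selling: a stale signature file earns restricted access plus an automatic update, while a missing required patch keeps the endpoint off the production network until patch management has done its job.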

"Configuration management is a critical portion of NAC," says Richard Ptak, an analyst at Ptak, Noel & Associates. "You have to be able to automatically monitor, enforce and change configurations."

Alex Thurber, director of security worldwide channels for Cisco, says most NAC deployments have so far been focused on enforcing the security configurations for remote access and smaller internal pilots. "If you're a financial-services firm with 100,000 endpoints, you're not going to start out with a full NAC deployment," he says.

But as companies and the channel get more comfortable with the technology, and more devices and applications become compatible, expect to see companies adopt the architecture to more broadly enforce configuration and security compliance throughout their organizations. "When it comes to SOX and HIPAA enforcement, companies can establish and enforce their policies and report back to their regulators the tight controls they have in place," Thurber says. "While this isn't happening now, conversations about this capability are certainly under way."