When it comes to IT security, the typical defensive toolsets garner all the attention: firewalls, antivirus and antispyware apps, as well as intrusion-detection and prevention systems. While they all play critical roles in defense, the most crucial processes and technologies needed to keep systems secure and humming along are those associated with continuous security-configuration-management programs.
"When you consider the viruses, worms and breaches that hit companies, you'll see that it's not a technology problem. It's a process problem that centers on change and configuration management," says Gordon Brown, president of Plexent, a Dallas-based consulting firm that specializes in IT-service management.
Considering the fast pace of change and the increased complexity of networks, applications and data centers, implementing an ongoing security-configuration-management program is no easy chore for organizations, large or small. In addition, the muddled product landscape makes security-configuration management a golden opportunity for solution providers.
Gartner security and privacy analyst Amrit Williams backs up Brown's observation, and says that roughly 99 percent of all successful external attacks exploit known vulnerabilities or avoidable system-configuration errors.
To plug those holes and keep systems in line with security policy, companies and solution providers have historically been forced to rely on a handful of point products that didn't work together or readily share information: patch-management tools, vulnerability scanners and configuration-management suites, among others. That is now rapidly changing as configuration and security-management tools converge.
For example, vulnerability and security-configuration-management software manufacturer BigFix recently unveiled its Vulnerability and Security Configuration Management Suite, which combines asset discovery; security standards; best-practice templates and baselines; vulnerability assessment; prioritization; remediation; and patch management. The suite also integrates with Cisco's Network Admission Control and Microsoft's Network Access Protection initiatives. Other leading vendors offering security-configuration-management suites include Altiris, LANDesk and Symantec.
The opportunity is great for solution providers in this market. Many companies, says Tom Murphy, director of enterprise marketing at Symantec, need help simply identifying and classifying their assets. "Customers are always changing and adopting new applications. Some have thousands and thousands of services, and they just can't get their hands around how many servers they actually have deployed, or the functional relationships between servers," he says.
That's why, when helping companies get a grip on rapid change and configuration management, the best starting point is a solid asset-and-configuration baseline from which they can develop an ongoing change-management process. "It's all about coordinating asset-and-configuration management, business-continuity plans, determining the customer's current level of risk--and then developing a configuration and security-lifecycle-management plan accordingly," Plexent's Brown says.
Increased regulatory and compliance demands from Sarbanes-Oxley and HIPAA also are increasing the need for many industries to better manage and secure their assets through more mature configuration-management initiatives than they've used in the past. "SOX has become a prevalent driver of configuration management because it addresses IT change control of systems," Brown adds.
