The CORES of Compliance
BY TOM DIAMOND,
President, New Boundary Technologies

IT departments are spending more time and resources on compliance initiatives than ever before. The need to comply with multiple industry, government, and corporate data security requirements is driving increased interest in best practices and technologies that can help IT implement repeatable compliance processes and create sustainable compliance environments. According to the SANS Institute, the world's largest information security training and certification organization, IT departments should be focusing a good share of their time and attention on automating system configurations. That's because the SANS Institute ranks the following as its top two best practices for preventing IT security risks:
  • Configuring systems for maximum security while allowing full business functionality; and
  • Using automation technologies to ensure systems remain securely configured.
Implementing data security best practices provides a consensus framework for leveraging the processes and technologies that lead to corporate and regulatory compliance, but it is important to note that best practices are a means to compliance only. Likewise, no single technology or product can deliver compliance out of the box. But by leveraging technologies and methodologies that automate configuration management, IT departments take a giant step toward creating sustainable compliance environments.

By default, few if any computer systems, and especially workstations, are configured for strong data security. Even when new computers are provisioned with secure configurations, they are still dynamic systems subject to random configuration changes that can quickly render them insecure. But technology solutions that automate security configuration management, especially those based on automated security policy enforcement, can give IT departments a powerful edge in building a sustainable compliance environment.

Computer security policies are rules that define how computers must be configured and operated. Policies include configuration settings and procedures for achieving defined security levels in areas such as password management, group rights, file access, server configuration, and a host of other functions.

Computer security policies can come from software vendors like New Boundary Technologies or Microsoft, or from IT security organizations like the National Security Agency (NSA), National Institute of Standards and Technology (NIST), United States Computer Emergency Readiness Team (US-CERT), and the SANS Institute.

Security policies can range from very simple ones that control a single configuration setting (such as one Windows Update option), to complex 'best practices' policies (also known as security templates or lockdown guides) that affect dozens or hundreds of configuration settings. Because security policies standardize system configurations, they provide an organized framework for managing security configuration settings across a network. They also provide the efficiency, flexibility, and extensibility required to make enterprise-wide security configuration management not only possible, but cost effective as well.

When an IT security configuration template is applied to a system, a substantial reduction in vulnerability exposure can be achieved. According to testing reported by the NSA and NIST, applying such templates reduces the vulnerabilities on a system by 80% to 90%. Put another way, the perimeter security measures employed by an IT department do not touch the host-level misconfigurations behind that share of the exposure; they address only the remaining 10% to 20% of the vulnerabilities that malware and malicious activity can exploit.

This is where the proper application of computer security policies provides a significant increase in security. Viruses and spyware exploit software defects in applications and misconfigurations of the operating system. While good anti-virus and anti-spyware tools are required to detect and remove malware, those tools are not designed to correct problems in configuration areas such as insecure accounts, unnecessary services, file permissions, or registry settings. In addition, they are essentially reactive measures rather than proactive ones.

Automated security policy management is a relatively new technology, and a key component of any security strategy whose goal is sustained compliance. As the level of threats to network security continues to rise, prudent organizations are adopting appropriate technologies to minimize the risks associated with vulnerability exploits. Just as firewalls and anti-virus applications have become a mainstay of protecting organizational information and computing assets, an automated security policy enforcement solution that enables proactive security configuration management should be considered an essential component of the overall security measures an organization employs.

When considering the role of security policy management as an enabler of proactive compliance, it is helpful to consider the various IT functions involved. In simple terms, you can think of them as CORES of security compliance:
  • Configuration management employing technologies that automate and streamline security administration of workstations and servers.
  • Offline enforcement of security policies to protect systems when they leave network perimeter defenses.
  • Reporting and monitoring of configuration status to maintain audit trails, deliver detailed insight into compliance states, and document security compliance to management and auditors.
  • Easy policy management processes and technologies that can be adapted to encompass emerging and changing compliance requirements.
  • Systematic updating of security policies and configurations to ensure compliance levels.

Configuration Management
Computers are dynamic systems subject to random changes which can leave them vulnerable to exploits, and potentially expose any sensitive data they store. Because networking has become the dominant computing paradigm in organizational settings, systems are typically configured more for easy communication with one another than for enhanced security. Configuration management technologies provide the foundation for locking down systems that store and access confidential and sensitive data. A simple analogy would be to think of network perimeter defenses as the walls and moats of a castle, while configuration management technologies and tools provide each system with its own suit of armor to protect it from exploits that penetrate the perimeter defenses, or that originate inside the perimeter.

Offline Enforcement
Laptops that leave the network and its perimeter defenses present a special security configuration challenge. And the proliferation of laptops used by an increasingly mobile workforce has brought the issue to the fore for many IT departments. A sound compliance strategy must address these concerns by implementing processes to monitor systems for unauthorized configuration changes, and automatically remediate the system when out-of-compliance states are discovered. With so many highly publicized security breaches involving laptops, this area of system level security is especially important for compliance.

Reporting and Monitoring
Reporting begins with actively monitoring system configurations against assigned security policies, and delivering real-time insight into compliance states. This real-time monitoring provides the visibility into configuration states that helps IT determine compliance levels and make necessary adjustments. Active monitoring should include alerting mechanisms that notify administrators when specific configuration parameters have changed. In addition, it should provide reports such as administrative audit trails and compliance histories, giving IT everything it needs to document and demonstrate security configuration compliance to management and auditors.
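The monitor-and-remediate loop described under Offline Enforcement and Reporting and Monitoring can be reduced to a small, scheduled script on each host. The following PowerShell is an added example written for this page; it is not code from the article or from any New Boundary Technologies product. The three rules (a service that should be disabled, a Local Security Authority registry value, and the built-in Guest account) are assumed baseline items chosen to mirror the configuration areas the article names (unnecessary services, registry settings, insecure accounts); real baselines would come from the Microsoft, NIST, or NSA templates mentioned above. It assumes Windows PowerShell 5.1 or later running with administrative rights, and a hypothetical audit log path under ProgramData.

```powershell
# Added example: check a host against a small security baseline, optionally
# remediate drift, and append one JSON audit record per rule per run.
# Assumptions: Windows PowerShell 5.1+, elevated session. Rules are illustrative.

$Policy = @(
    @{
        Name  = 'RemoteRegistryDisabled'      # unnecessary service
        Check = { (Get-Service -Name RemoteRegistry).StartType -eq 'Disabled' }
        Fix   = {
            Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
            Set-Service  -Name RemoteRegistry -StartupType Disabled
        }
    },
    @{
        Name  = 'LimitBlankPasswordUse'       # registry setting (LSA)
        Check = {
            $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
            $p.LimitBlankPasswordUse -eq 1
        }
        Fix   = {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name LimitBlankPasswordUse -Value 1 -Type DWord
        }
    },
    @{
        Name  = 'GuestAccountDisabled'        # insecure account
        # If the account does not exist, .Enabled is $null and the rule passes.
        Check = { -not (Get-LocalUser -Name Guest -ErrorAction SilentlyContinue).Enabled }
        Fix   = { Disable-LocalUser -Name Guest }
    }
)

function Test-Baseline {
    param(
        [switch]$Remediate,
        # Hypothetical audit-trail location; choose a path your collector reads.
        [string]$AuditLog = "$env:ProgramData\baseline-audit.log"
    )

    foreach ($rule in $Policy) {
        $before = [bool](& $rule.Check)
        $after  = $before
        if (-not $before -and $Remediate) {
            & $rule.Fix
            # Re-run the check so the record reflects the post-fix state, not the intent.
            $after = [bool](& $rule.Check)
        }

        $record = [pscustomobject]@{
            Timestamp  = (Get-Date).ToString('o')
            Computer   = $env:COMPUTERNAME
            Rule       = $rule.Name
            Compliant  = $before                     # state found on this run
            Remediated = ($after -and -not $before)  # drift corrected this run
            StillDrift = (-not $after)               # needs an alert if true
        }

        # One line per rule: the audit trail an auditor can replay later.
        Add-Content -Path $AuditLog -Value ($record | ConvertTo-Json -Compress)
        $record
    }
}

# Report only:        Test-Baseline | Format-Table
# Report and enforce: Test-Baseline -Remediate | Where-Object StillDrift
```

Run the enforcing form from a scheduled task on the laptop itself, not from a central server, so the check still runs when the machine is off the corporate network; any record with StillDrift set is the condition worth alerting on, since it means a fix was attempted and the host is still out of policy. Because every run appends a record whether or not anything changed, the log doubles as the compliance history the reporting function calls for.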

Easy Policy Management
Traditional methods of implementing and managing security policies are highly manual and labor intensive, and can require a great deal of specialized training that many IT departments simply don't have. Leveraging automated configuration and remediation technologies gives IT departments the right tools to simplify and streamline policy management. Features that ease policy management include intuitive administrative interfaces, dynamic computer grouping by configuration trait and organizational structure, drag-and-drop policy assignment, and pre-packaged security policies based on Microsoft, NIST, and NSA security templates. A policy editor is also important, because it allows administrators to customize existing policies and create new security policies that reflect the needs of their own network environment.

Systematic Updates
Because compliance is a journey and not a destination, IT departments need to be flexible enough to adapt to changing compliance requirements and adopt methodologies for staying ahead of the compliance curve. Proactive IT departments can ease compliance pressures by implementing processes and adopting appropriate technologies for systematically updating security policies and system configurations as regulations and corporate standards evolve.

A comprehensive data security strategy is multi-layered, and protects information from the outside in via network perimeter defenses, and from the inside out via security configuration management. This approach addresses threats from both outside sources like hackers, and from inside sources like malicious employees or even from simple user errors. For IT departments, it is a delicate balancing act that must simultaneously restrict and allow access to information, systems, and resources. Finding that balance, and finding ways to automate the configuration of systems, is an important step in creating and maintaining a sustainable compliance environment.

Copyright ©2009 The Compliance Authority, Inc.