Most business customers are behind the eight ball when it comes to meeting or even understanding the technical requirements needed to comply with the newest government laws for security and privacy.
There are many mandates as a result of new legislation, such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, and others. Companies know that they must comply with these new laws, but exactly what they need to do is not always clear.
Most software available today barely scratches the surface when it comes to helping customers get their arms around these problems, but at least they are a start. To that end, at Microsoft's TechEd conference next week, at least two vendors will release software that tackles aspects of policy compliance.
BindView Corp. of Houston will release Compliance Center, which is software that helps to synthesize the reams of data that IT managers collect across their enterprises and sums up exactly which systems are out of compliance with rules that are set by the company.
Configuresoft Inc., in Woodland Park, Colo., will release a version of its software that helps prevent security vulnerabilities by rolling back server and workstation configurations to preset standards when they are inadvertently changed.
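The rollback idea described above reduces to a small routine: hold a preset baseline, compare each host's current settings against it, and restore whatever has drifted. The following is an added illustration of that comparison, not Configuresoft's code; the baseline keys, the key=value file format and the snapshot are all constructed for the example.

```python
"""Configuration drift check and rollback against a preset baseline.

Added illustration; the baseline keys, the key=value file format and the
snapshot are constructed for this example, not any vendor's own format.
"""
from typing import Dict, List, Optional, Tuple

# Constructed baseline: the preset standard every server is expected to match.
BASELINE: Dict[str, str] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "firewall.default_policy": "deny",
}


def parse_config(text: str) -> Dict[str, str]:
    """Parse a simple key=value file (constructed format); '#' starts a comment."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def detect_drift(current: Dict[str, str],
                 baseline: Dict[str, str] = BASELINE) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {key: (expected, actual)} for each baseline setting that is missing or differs.

    Settings present on the host but absent from the baseline are not drift here;
    a production tool would normally flag those for review as well.
    """
    drift: Dict[str, Tuple[str, Optional[str]]] = {}
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual != expected:
            drift[key] = (expected, actual)
    return drift


def roll_back(current: Dict[str, str],
              baseline: Dict[str, str] = BASELINE) -> Tuple[Dict[str, str], List[str]]:
    """Return (corrected settings, sorted list of keys restored to the baseline value)."""
    fixed = dict(current)
    restored: List[str] = []
    for key, (expected, _actual) in detect_drift(current, baseline).items():
        fixed[key] = expected
        restored.append(key)
    return fixed, sorted(restored)


def render_config(settings: Dict[str, str]) -> str:
    """Serialize settings back to the key=value format so they can be written out."""
    return "\n".join(f"{k}={v}" for k, v in sorted(settings.items())) + "\n"


if __name__ == "__main__":
    # Constructed snapshot of a host that someone changed while troubleshooting.
    snapshot = """\
# sshd tweaks made during troubleshooting
ssh.PermitRootLogin=yes
ssh.PasswordAuthentication=no
audit.enabled=yes
"""
    current = parse_config(snapshot)
    for key, (want, got) in detect_drift(current).items():
        print(f"DRIFT {key}: expected {want!r}, found {got!r}")
    fixed, restored = roll_back(current)
    print("restored:", restored)
    print(render_config(fixed), end="")
```

A missing setting is treated the same as a wrong one, since a host that silently lost its firewall default policy is out of compliance just as much as one whose policy was flipped; the rollback report lists every key it touched so the change itself is auditable.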
Charles Cresson Wood, of InfoSecurity Infrastructure Inc., a Sausalito, Calif., security consulting firm, said that the state of policy compliance in business today is "abysmal."
"So much needs to be done," he said. What is needed is some kind of statement that clearly defines what must happen in order to secure information systems. That statement, somehow, has to devolve into code, he said.
Policy compliance software today falls into two general categories. Companies like Symantec Corp., NetIQ Corp. and BindView build products that assess vulnerabilities. The second category is patch management. There are numerous companies in this market, including Ecora Software Corp., Altiris Inc., and New Boundary Technologies Inc. Configuresoft Inc. captures information in a database so that, when a question arises, the customer can sift through the data for an answer.
Experts say that the problem with legislation such as HIPAA is that there is nothing that tells you what you need to do to your computing platform.
"[HIPAA] just tells you to evaluate your entire platform and do a risk analysis," said Pete Lindstrom, research director at Spire Security, in Malvern, Pa. "Vendors are telling customers they need to buy certain products, and, in some cases, they are oversubscribing."
IT executives will take all the help they can get. Royal & SunAlliance USA, a Charlotte, N.C.-based insurer, has done plenty to change its security procedures. IT executives have locked down desktops so they can more tightly control licensing compliance. The company also forbids instant messaging traffic from passing through the firewall.
Royal & SunAlliance also uses software to help examine security logs. But the logs collect so much data that it's almost impossible to cull pertinent information about who is doing what and what performance and scalability are looking like, said Roger Thibodeau, chief network architect at the company.
Thibodeau said that policy compliance software should look like the dashboard of a car; after data is sorted, the most critical information should be placed on one or two screens. If something has a red light, the IT executive can dig a little deeper. "I see a lot more of these products emerging, and we are paying more attention to them," Thibodeau said.
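The "dashboard" Thibodeau describes is a reduction problem: parse raw log lines into who-did-what events, roll them up, and show only the few items that deserve a red or yellow light, with the detail kept behind each light for when someone digs deeper. The block below is an added illustration of that roll-up and is not from any product named in the article; the log lines, the line format and the thresholds are constructed for the example.

```python
"""Roll noisy auth logs up into a few dashboard 'lights'.

Added illustration; the log lines, the line format and the thresholds are
constructed for this example and are not from any product named in the article.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample: syslog-style lines from three hosts.
SAMPLE_LOG = """\
2003-05-27T08:01:12 host1 sshd: Failed password for admin from 10.0.0.5
2003-05-27T08:01:15 host1 sshd: Failed password for admin from 10.0.0.5
2003-05-27T08:01:19 host1 sshd: Failed password for root from 10.0.0.5
2003-05-27T08:01:22 host1 sshd: Failed password for root from 10.0.0.5
2003-05-27T08:01:26 host1 sshd: Failed password for admin from 10.0.0.5
2003-05-27T08:02:00 host2 sshd: Accepted password for jsmith from 10.0.0.9
2003-05-27T08:05:41 host2 sudo: jsmith : COMMAND=/usr/bin/vi /etc/ssh/sshd_config
2003-05-27T08:10:03 host3 sshd: Accepted password for rthibodeau from 10.0.0.12
2003-05-27T08:11:00 host3 sshd: Failed password for rthibodeau from 10.0.0.12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : COMMAND=(?P<cmd>.+)$")

RANK = {"red": 0, "yellow": 1, "green": 2}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn raw lines into small 'who did what' events; unrecognised lines are dropped."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        f = FAIL_RE.search(msg)
        o = OK_RE.search(msg)
        s = SUDO_RE.match(msg)
        if f:
            events.append({"kind": "auth_fail", "host": host, "user": f["user"], "src": f["src"]})
        elif o:
            events.append({"kind": "auth_ok", "host": host, "user": o["user"], "src": o["src"]})
        elif s:
            events.append({"kind": "priv_cmd", "host": host, "user": s["user"], "cmd": s["cmd"]})
    return events


def build_dashboard(events: List[Dict[str, str]], red_at: int = 5, yellow_at: int = 3) -> Dict:
    """Reduce events to a short list of panels, worst first, plus an overall light.

    Thresholds are constructed: at least red_at failed logins from one source is red,
    at least yellow_at is yellow. Any privileged command is yellow because a person has
    to confirm it was an approved change; the 'detail' is what gets opened on a red light.
    """
    panels = []
    fails_by_src = Counter(e["src"] for e in events if e["kind"] == "auth_fail")
    users_by_src = defaultdict(set)
    for e in events:
        if e["kind"] == "auth_fail":
            users_by_src[e["src"]].add(e["user"])
    for src, n in fails_by_src.most_common():
        light = "red" if n >= red_at else "yellow" if n >= yellow_at else "green"
        panels.append({"light": light, "title": f"{n} failed logins from {src}",
                       "detail": {"users": sorted(users_by_src[src])}})
    priv = [e for e in events if e["kind"] == "priv_cmd"]
    if priv:
        panels.append({"light": "yellow", "title": f"{len(priv)} privileged command(s) to review",
                       "detail": {"commands": [f'{e["user"]}@{e["host"]}: {e["cmd"]}' for e in priv]}})
    panels.sort(key=lambda p: RANK[p["light"]])  # stable: ties keep most_common order
    overall = panels[0]["light"] if panels else "green"
    return {"overall": overall, "panels": panels}


if __name__ == "__main__":
    board = build_dashboard(parse_events(SAMPLE_LOG))
    print("OVERALL:", board["overall"].upper())
    for p in board["panels"]:
        print(f"[{p['light']:>6}] {p['title']}  ->  {p['detail']}")
```

Nine raw lines become three panels; the single failed login from 10.0.0.12 stays green and sits at the bottom, so the screen leads with the one source that crossed the threshold and the one privileged edit that needs a human to confirm it was planned.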
Spire Security's Lindstrom said that the real value of software tools is their ability to automate manual processes across systems. "It's not what vulnerability will you catch right now but the ability to send something out to 3,000 machines at the same time," he said.
"The obvious [return on investment] here is automating a manual process, gaining insight into a problem and fixing it."