Manage Learn to apply best practices and optimize your operations.

Security configuration management: Advanced patching

Applying new patches every Tuesday is not enough to keep your company secure. SMBs must implement security configuration management to increase security and streamline management.

For many small and medium-sized businesses (SMBs), security means putting a firewall in place and doing the requisite patching required every month after Microsoft's "Patch Tuesday." There are many tools that can automate and manage the patching process, but the tools are not enough.

Keeping an endpoint secure involves more than making sure it is adequately patched. IT professionals at SMBs also need to make sure the data on the device is protected and adheres to the organization's policies relative to authorized applications. For instance, you may want to turn off Skype or not allow users to use Web mail at work or during certain times.

More on patching
Firm eases pain of patch management for mobile workers

Seven steps for a patch management process: Check IT List
First-generation patching products didn't give the level of granularity needed to enforce these policies. They were all about scanning a machine, making sure the latest patches were applied and moving on. A new offering called security configuration management (SCM) is maturing quickly and can address many of these issues.

SCM products manage the lifecycle of the desktop and integrate a lot of traditional desktop management functions, like software distribution, patching and asset management.

There will be more functionality making it into the SCM agent. Antivirus and antispyware functions are obvious additions to provide more leverage and ease the burden of managing all of the disparate agents running on the typical device.

Ultimately, you are trying to both increase the security of your environment and streamline the management. Sounds like having your cake and eating it too? It is, and for that privilege you will pay -- probably through the nose. But as the markets mature, prices will come down, as they always do.

So who are some of the players in this market? Per usual, you have the specialists and the aggregators, who have bought their way into the market. The specialists include BigFix Inc., Configuresoft Inc., Shavlik Technologies LLC and PatchLink Corp. Some started with patching and have grown capabilities, while others started from the standpoint of systems management and sort of ended up doing security. No matter, these companies will be rolled up sooner, rather than later, as Big IT (Microsoft, Hewlett-Packard Co., IBM, CA) realizes it's sick of giving money to Big Security (Symantec Corp. and McAfee Inc.).

Speaking of Big Security, both of the antivirus leaders have bought companies to get exposure to security configuration management. Symantec has had a number of products that solved a portion of problems (Enterprise Security Manager and BindView) and recently bought Altiris Inc. to get a broader, more robust endpoint management capability. McAfee bought Citadel Security Systems Inc. and Preventsys to integrate their capabilities into its Total Protection suite.

Of course, you know what they say about acquired technology. Unless it's actually integrated, it's not really that useful. So we are going to continue to see a lot of evolution and integration relative to endpoint security. It's ridiculous that you need eight to 10 agents to get the job done, so consolidating these capabilities is a must, and it's happening -- slowly, but surely. To net things out, security configuration management is yet another feature of a strong endpoint security platform.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about The Pragmatic CSO at, read his blog at, or reach him via email at mike.rothman (at) securityincite (dot) com.

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.