Automation helps IT gain solid footing on the path to compliance
by Steve Ragan - Aug 26 2008, 17:20
Automation and IT. Tom Diamond talks with TTH about how to accomplish this. (Image: J. Anderson)
In the office, IT employees are vigilant, constantly watching screens flicker and network monitors report on activity. And there are those in IT who spend the first part of the week taking stock of the network computers, and the system patches they need, for deployment that coming weekend. There is a company, New Boundary Technologies, which wants to remove that headache.
If you have worked in IT, you know that you will spend a good deal of time patching systems already in use and setting systems up for deployment. It’s the “dirty job” of the IT department; no one wants to be the person who updates images and manages slipstream ISOs. However, it is something that must be done. Patch management is critical to the security of the network. Over the last few years, however, patch management has also become a focus of various compliance regulations.
Take a network with 300 users, for example. Some of them are local; others roam the country as part of the sales and support teams. IT has to manage them all, from the CEO who installs strange things on his or her laptop, to the guy in marketing who thinks he needs every toolbar in existence. To add some spice to the job, IT is now also the keeper of compliance. As IT managers who have faced compliance audits will tell you, missing patches and policy enforcement play a key role in getting a compliant network in place.
While researching compliance issues, mitigations, and solutions for various articles, I came across New Boundary Technologies.
At the time, the company was noted in a vendor list to be researched later. Then, after a series of compliance articles and news articles centering on patching and policy enforcement, the PR department for New Boundary Technologies contacted me. I was able to chat with Tom Diamond, the company president, and learn a little more about them.
What follows is that conversation and the information gleaned on the company.
There are three distinctive tools that New Boundary offers: Policy Commander 2.0; Prism Patch Manager; and Prism Asset Manager. Each one offers something unique; however, combined they can automate many of the routine tasks in IT, saving time and energy in the department, and allowing the IT team to focus on other projects.
The Tech Herald (TTH): What sets you apart from other compliance vendors and patch management vendors?
Tom Diamond (TD): New Boundary Technologies has a strong focus on the needs of the customer and is committed to providing the highest quality solutions and customer service available. This commitment is reflected in our software, which we design to be easy to learn and easy to use to hold down the total cost of ownership by virtually eliminating training and consulting expenses.
Our software delivers a high level of automation so IT departments can eliminate manual processes and drive new efficiencies throughout their operations, extending their savings and allowing them to dedicate IT resources to more strategic activities. The high level of automation in our solutions is made possible by innovations like our exclusive Smart Update technology and channel architecture.
As a company, we have pioneered many innovations in managing changes to Windows systems and automating the processes involved, and we leverage that expertise in every aspect of our solutions.
TTH: Focusing on Policy Commander for a second, there is some positive commentary on it from 2006. Now, two years later, what’s different?
TD: We strive to continually improve our products based on the growing and changing needs of our customers and the market. With Policy Commander, that’s been reflected in a more intuitive and user-friendly interface. We’ve integrated our Configuration Groups technology to deliver greater administrative flexibility and enhance automated remediation capabilities based on administrator-selected parameters.
We’ve improved administrative security and integrated our software packager so administrators can extend policy enforcement to include installing or uninstalling software as part of a compliance step. We’ve made policy management more granular, and made reporting more comprehensive so it’s easier for administrators to demonstrate real-time security configuration compliance to management and auditors.
TTH: In your Policy Commander FAQ, you cover some of the compliance regulations that you can help manage (PCI, GLBA, HIPAA, SOX). Exactly what are you doing differently from any other vendor that offers this level of regulatory coverage? How do you manage and handle the data, for example?
TD: One of the primary differentiators of Policy Commander is its ability to automatically remediate Windows configurations. Policy Commander detects variances from assigned security policies in real-time, and automatically remediates those variances, reverting a system to its approved security configuration state to enable continuous enforcement and conformance.
We also deliver comprehensive libraries of security policies specifically compiled for regulatory measures. And we offer security guides based on consensus best practices and authoritative sources that help IT departments prioritize and plan their compliance efforts, and provide a methodology for implementing their strategies and processes.
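As an added illustration of the detect-and-revert loop Diamond describes, here is a minimal policy-drift checker in Python. It is not New Boundary's code and did not appear in the original article; the setting names, approved values and host state are constructed for the example.

```python
from dataclasses import dataclass
from typing import Any, Dict, List

# A policy rule: a setting name, the approved value, and how to compare.
# "eq" means must equal; "ge" means must be at least (e.g. password length).
@dataclass(frozen=True)
class Rule:
    setting: str
    expected: Any
    op: str = "eq"

    def satisfied_by(self, actual: Any) -> bool:
        if actual is None:  # a missing setting is itself a variance
            return False
        if self.op == "eq":
            return actual == self.expected
        if self.op == "ge":
            return actual >= self.expected
        raise ValueError(f"unknown op {self.op}")

# Constructed baseline resembling a few Windows hardening settings (illustrative names).
POLICY = [
    Rule("MinimumPasswordLength", 12, "ge"),
    Rule("EnableLUA", 1),            # UAC on
    Rule("AutoRunDisabled", 1),
    Rule("GuestAccountEnabled", 0),
]

def detect(state: Dict[str, Any], policy: List[Rule] = POLICY) -> List[tuple]:
    """Return (setting, actual, expected) for every setting violating the policy."""
    return [(r.setting, state.get(r.setting), r.expected)
            for r in policy if not r.satisfied_by(state.get(r.setting))]

def remediate(state: Dict[str, Any], variances: List[tuple]) -> List[str]:
    """Revert each variance to the approved value in place; return an audit trail."""
    log = []
    for setting, actual, expected in variances:
        state[setting] = expected
        log.append(f"{setting}: {actual!r} -> {expected!r}")
    return log

def enforce(state: Dict[str, Any], policy: List[Rule] = POLICY) -> Dict[str, Any]:
    """One enforcement pass: detect, remediate, then re-check that nothing remains."""
    found = detect(state, policy)
    log = remediate(state, found)
    return {"variances": len(found), "log": log, "compliant_after": not detect(state, policy)}

# Constructed host state: UAC off, guest account on, AutoRun setting missing.
drifted_host = {"MinimumPasswordLength": 14, "EnableLUA": 0, "GuestAccountEnabled": 1}
```

Running `enforce` on a copy of `drifted_host` reports three variances and a compliant system afterwards; running it again on a schedule is what turns a one-time audit into continuous enforcement.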
TTH: Another product you offer is Prism Patch Manager. How is this different from a basic NAC product that manages patch compliance? What software is covered? You list over 15,000 patches in the repository; how do you add more software? And can customers add applications to be monitored?
TD: Prism Patch Manager automatically secures Windows systems by managing the entire patching process, from discovering vulnerabilities, to acquiring and testing patches, to deploying the patches throughout the organization. Prism Patch Manager’s vulnerability assessment technology delivers the most accurate threat detection available. Its comprehensive patch repository, one of the largest in the world, contains more than 15,000 operating system and application patches. And Prism Patch Manager’s agent-based architecture protects mobile devices like laptops when they are disconnected from the network.
TTH: Patching is important to network security; how often do you see networks with missing patches?
TD: It’s not uncommon for organizations using manual or OS-based patching methods to have missing software patches. Even those using dedicated patch management solutions can experience a gap in patch level compliance because patched systems can become unpatched and some solutions lack a mechanism for maintaining specific patch compliance levels. And some organizations stop short of comprehensive software patching by focusing only on their Windows operating systems and other Microsoft applications, leaving their systems open to exploits from vulnerabilities in other software products they use.
TTH: Why do you think that most of these compliance issues, for example PCI or HIPAA, are so hard for companies to maintain? Companies which were certified under PCI, for example, still suffer data loss. Why do you think that is?
TD: Compliance is a continuous journey, not a destination. There’s a temptation to view compliance as a project that, once completed, no longer needs to be addressed at an organizational level. Compliance is a complex process that encompasses the entire organization, which is why you see many organizations institutionalizing compliance by appointing compliance officers to oversee the efforts.
It’s also important to remember that no single solution can deliver full compliance; it requires a wide-ranging strategy and participation by a variety of stakeholders. Compliance needs to be continuous, not just periodic, and that’s why automating compliance processes like security configuration management is so important.
Also, while compliance can dramatically improve data security, it doesn’t necessarily guarantee it. But compliance initiatives do provide an organizational framework for improving data security to better mitigate the risks of data loss posed by technology and organizational vulnerabilities.
TTH: Something else that's a security issue, but rarely gets attention, is asset tracking. You are honestly one of the few companies that has this as a standard for your suite of software. How detailed is the tracking used?
TD: Prism Asset Manager is an important part of our compliance offering, and has the additional benefit of helping organizations maximize IT asset utilization to reduce operational costs. Prism Asset Manager utilizes a detailed, comprehensive knowledge base that accurately identifies every hardware and software asset in your environment, and how it’s all configured. It improves IT department and helpdesk efficiency by providing detailed system configuration information in real-time. Inventory is fast and comprehensive with minimal impact on bandwidth and user productivity.
TTH: Do you agree that internal policy can mitigate many of the recent security problems reported in the news? How do you explain that to a potential customer?
TD: Internal policy is an important component of an overall data and infrastructure security strategy. Organizations need to clearly communicate expectations for employee behavior and their responsibilities for protecting key information assets. But more important is limiting risk by adopting and leveraging technology solutions that lock down the computer systems that contain and access confidential data. Automated security configuration management is one of the most potent solutions available for eliminating the ways and means of compromising confidential data by employees, whether by accident or through malicious intent.
TTH: Who are your biggest competitors for comparison?
TD: Right now there really are no dominant players in the security configuration and compliance market. Different vendors are approaching the market in different ways with different offerings, and the market itself is relatively new, so the competitive landscape is very dynamic and fluid.