A' Is For Audit-Proof

A' Is For Audit-Proof

Stephen McMurray. InformationWeek. Manhasset: Sep 1, 2008. , Iss. 1200; pg. 41, 4 pgs

Abstract (Summary)
The 63% of respondents to the 2008 Strategic Security Survey say their organizations are subject to government or industry regulations. A key piece of compliance is enforcing policies through systems like Active Directory but once set, it's difficult to ensure that rules remain effective -- rapidly evolving technology means infrastructure modifications routinely outpace IT's ability to manage change, leading to gaps between official corporate policy and reality on the ground. Vendors claim new Active Directory compliance tools can gauge policy effectiveness and add value for both IT and the business. Active Directory policy auditing tools fill a niche in the broader category known as governance, risk management, and compliance, or GRC, software. The decision to implement a new utility must be driven by a structured risk management approach. A guiding principle that won't let you down: Policy comes first. The trick is to strike a balance between required business functionality and optimum security settings.

[Headnote]
Could you benefit from an Active Directory security compliance assurance tool? Sure, but policy comes first. By Stephen McMurray

HOW CONFIDENT are you that your systems comply with corporate security policy? Confident enough not to sweat an audit? This isn't a rhetorical question for the 63% of respondents to our 2008 Strategic security Survey who say their organizations are subject to government or industry regulations.

A key piece of compliance is enforcing policies through systems like Active Directory, but once set, it's difficult to ensure that rules remain effective-rapidly evolving technology means infrastructure modifications routinely outpace ITs ability to manage change, leading to gaps between "official" corporate policy and reality on the ground. Add telecommuters and branch offices to this lack of visibility and you have a management nightmare.

The first step to get back on track is to align security guidelines with regulations and deploy Active Directory Group Policies to enforce configurations ... no small feat. Once that's accomplished, IT must still demonstrate compliance. Just defining necessary settings isn't enough-auditors expect you to prove rules are correctly applied.

Vendors claim new Active Directory compliance tools can gauge policy effectiveness and add value for both IT and the business. Misconfigured devices are more likely to have security problems that expose data to exploits or internal misuse. And a relatively small percentage of workstations -usually those with nonstandard settings that allow the user too much control-tend to generate a disproportionate number of virus and spyware incidents.

There's certainly a case to be made for any technology that promises to streamline compliance costs and measurably improve security But as with most compliance software, it's difficult to determine true value amid the clamor of hype. Not all products are created equal, and the last thing you need is another point tool that fails to deliver.

Don't get us wrong-there's value to be found. But to avoid pitfalls that threaten to leave you with a false sense of security and no tangible improvement, lay policy groundwork and examine current capabilities before going shopping.

BIG SELLERS

Active Directory policy auditing tools fill a niche in the broader category known as governance, risk management, and compliance, or GRC, software. From a vendor perspective, GRC products have proved to be a steady source of revenue growth-one that's relatively resistant to the budget cuts that go hand-in-hand with adverse economic conditions. Not surprisingly, then, vendors are moving to strengthen their offerings and rebrand existing products as "compliance solutions." Unfortunately, this fragmented market remains in constant flux as developers scramble to keep up with new technologies. Feature sets vary widely and no two products are alike, making comparisons difficult.

Typically, the big players-think CA, IBM, Novell, Sun Microsystems, and Symantec-push broad suites that aim to meet compliance needs across the enterprise, but Group Policy isn't always addressed. Some packages leave Group Policy management to native tools, while those that include some form of endpoint policy auditing often lack adequate depth. Smaller outfits offering tools specifically for Active Directory tend to provide more comprehensive features in the Group Policy arena; these providers include BigFix, FullArmor, NeUQ, NetPro, and Quest.

Our take: If you're in a large organization with a diverse environment, overarching suites can reduce your product count, but you'll still be forced to supplement them in weak areas. If you just need to plug Group Policy compliance gaps, point tools offer better value.

WAIT... DON'T I HAVE THAT ALREADY?

As larger vendors recognize, Microsoft's Active Directory provides built-in features to enable centralized management of endpoints. So why can't Group Policy, the native AD answer to policy and configuration management, get the job done?

Group Policy is a powerful tool for deploying policy settings-Microsoft has exposed thousands of configuration options in a relatively easy-to-use GUI, and hundreds of additional settings arrive with each new OS version. The underlying technology is fairly robustdefined controls can be applied to users or devices and refreshed at regular intervals.

But any number of issues can block proper Group Policy application, ranging from inadvertent corruption of local security policy files to intentional alteration by those trying to circumvent controls. These events are recorded locally on the desktop or server, so unless you're collecting logs and centrally analyzing them for errors-not likely on workstations, given the bandwidth and overhead required-IT is none the wiser. And event logs are useful only for detecting application problems; they won't validate control settings or report on deviations.

Complexity also is a concern. As policy counts increase, it's easy to make configuration mistakes, either in the policies themselves or in the priority ordering and inheritance that come into play as multiple layers of policies are applied.

"Remember that room in your house when you were growing up where there were two light switches that controlled the same light? One of the switches was always down and the other one was up, and it always felt weird to push the one that was up back down to turn the light on," says John Abraham, CEO of security auditor Redspin. "Group Policy settings in Active Directory are just like that, only there are hundreds, sometimes even thousands, of possible switches. How do you know if the light is on?"

Add another dose of complexity to the mix if you want your policies to include settings for many nonMicrosoft applications. Most organizations are still running the Windows 2003 version of Group Policy, which lacks the ability to easily specify custom registry settings without developing templates.

Help for the most glaring omissions arrived with the release of Windows 2008. One key addition is Group Policy Preferences (GPP), which expands the available configuration options and plugs many of the gaps in older versions, such as the inability to manage registry settings without having to create custom administrative templates. GPP represents the latest iteration of the PolicyMaker technology acquired from DesktopStandard, a leader in Group Policy extensions until it was snapped up by Microsoft in late 2006. Thankfully, the powerful features of PolicyMaker survived the transition intact: Niceties include an expanded set of predefined configuration items that target pain points, such as local account passwords, power options, printers, drive mappings, and environment variables. The best part? It's practically free, and you don't have to upgrade your AD domain to Windows 2008 to begin taking advantage; all that's required is a single Windows 2008 server or Vista workstation, the Remote Server Administration Toolkit, and a small client update deployed to your existing machines.

Advanced Group Policy Management (AGPM) ups the ante with change management, rollback, and improved reporting. AGPM was ported from GPOVault, another Desktopstandard product. Unfortunately, Microsoft has enlisted the tool in its effort to drive adoption of Windows Vista -currently, the only way to get this compelling addition is through the Microsoft Desktop Optimization Pack with Software Assurance. If you can satisfy the licensing requirements, we highly recommend taking advantage of AGPM.

Key areas where even the new Group Policy tools don't measure up: auditing, endpoint validation, and support for non-AD computers. Sporadically connected workstations, such as those used by roaming sales staff or home-based VPN users, also present a challenge, since settings aren't always applied in a timely manner. Reporting is limited to single workstations and must be manually generated for each device.

The upshot: Group Policy can be a powerful weapon in your compliance efforts, but it won't satisfy all requirements.

MANAGE RISK, NOT TOOLS

As tools for Active Directory policy compliance proliferate, effective management will become a challenge. Brian Hayes, CTO of auditor Redspin, says he's seen IT groups buy so much monitoring and reporting gear that they can't manage it. "Sometimes it has the opposite effect of what was intended," Hayes says.

The solution? Apply risk management principles to guide purchasing. The decision to implement a new utility must be driven by a structured risk management approach. Identifying how a tool fits into your portfolio will help avoid "point-product overload syndrome," a malady in which IT administrators become buried in an unmanageable tangle of poorly integrated consoles that provide overlapping or redundant functionality. Maintaining some number of management suites is inevitable, since no single product can address all compliance issues, but proper risk classification can help ensure that your toolbox isn't out of balance.

A guiding principle that won't let you down: Policy comes first. Whether you decide to purchase a suite or use in-house resources, don't overlook higher-level governance issues. Even the best tools add little value if they're not backed up by well-designed security policies that are supported by management. Unfortunately, odds are that you have work to do in the policy area: Our 2008 Strategic Security Survey found that 54% of organizations still don't have security policies in place.

If you aren't there yet, put away your checkbook for now-you need to back up and develop the necessary policy framework. Once your security policy has been defined, it's time to flesh out the technical settings that determine how the policy will be implemented. Be sure to take full advantage of Group Policy features during this process; many organizations don't. If you want measurable improvements in your realworld security posture, you'll need to go much further than simply defining a Screensaver time-out value and applying basic password policies.

CALM THE STORM

There's no way around the fact that hardening servers and workstations will impose limits on user freedom. The trick is to strike a balance between required business functionality and optimum security settings. If your new configuration will significantly increase restrictions on workstations, prepare for the inevitable backlash by confirming management buy-in and clearly mapping technical controls to policy requirements. Risk management principles help here by providing a quantitative way to determine which controls are appropriate.

As for gaining funding for tools, that likely won't be a problem if you're complying with a mandate, but due diligence is still required to get the most from your compliance dollars. Don't neglect the big picture: Map compliance gaps across your systems to determine where the tool fits in your overall risk management strategy. IT shops not under the compliance gun may have a harder time getting approval-CFOs are rightly well-immunized against constant dire predictions of security breaches-so employ a structured approach to demonstrate how your selected product addresses quantified risks. Avoid fuzzy ROI calculations based on hypothetical worst-case scenarios: If management perceives your argument as a bit of a stretch, you'll lose credibility.

Tools alone won't fix your Group Policy compliance woes. But with the proper foundation, the right product can prove valuable in the effort to satisfy auditors and improve endpoint security. While meeting compliance obligations is a worthy goal, gaining confidence that policies are effectively protecting your assets is even better.