ENTERPRISE POLICY MANAGEMENT FOR SECURITY AND COMPLIANCE
Contributed by Solsoft, Inc.
In recent years, the nature of network security has undergone a dramatic change. It was not that long ago that efforts focused primarily on securing a perimeter around the trusted network. Security policy was implemented by control points that filtered traffic passing between trusted and untrusted networks. These control points typically focused on packet filtering via a firewall, a router access control list, or a combination of both. The advantage of this approach was the ease of administration afforded by the centralization of controls, assuring the enforcement of a security policy on traffic moving between zones of trust.
Today, that picture has become far more complex. The variety of ways to connect to IT networks and the mobility of modern systems have rendered the traditional view of the perimeter obsolete. At the same time, the increasing capabilities of applications — for the enterprise as well as for personal systems — expose today's networks to vulnerabilities unknown only a few years ago. The direct integration of enterprise systems with those of partners, suppliers, and customers has made the definition and enforcement of security policy a multidimensional challenge.
On top of it all, regulatory compliance has become a central issue for the enterprise — and with it the need to go to greater lengths than ever before to demonstrate the implementation of a network security policy, as well as to enforce it. The solutions offered for this array of challenges can be just as complex.
Firewalls have transformed from isolated control points to high-port-density systems interfacing with multiple networks and services. Network devices handle the flow of traffic on several different levels beyond the straightforward Layer 2 and 3 approaches of the past. Today, these devices include platforms that directly integrate networking and applications with security, such as those that combine the termination of Secure Sockets Layer (SSL) VPNs with application security and performance management. Without tools to simplify the definition of a coherent, enforceable policy throughout the enterprise, the complexity of security solutions themselves can pose risks as significant as any they seek to protect against.
These factors have contributed to the rise of policy management for the enterprise network as a discipline in its own right. In this study, Enterprise Management Associates (EMA) takes a look at the factors that have shaped this emerging trend, with a focus on Solsoft, a company that is providing significant value for its customers by delivering an effective, centralized approach to the management of enterprise IT security policy.
In interviews with Solsoft customers, EMA has identified critical aspects of policy management enabled by the Solsoft solution that demonstrate the high value of enterprise policy management:
These cases illustrate the values that motivate the market for security and compliance policy management, and will be instructive for the executive or IT professional seeking to transform the risk-laden complexity of security tools into the manageable enterprise assets they are intended to be.
THE CHALLENGE OF NETWORK SECURITY TODAY
When they first emerged, security control points introduced a new type of functionality into the network. With the emergence of packet inspection techniques such as stateful firewalls and router access control lists (ACLs), network devices no longer existed only to move traffic, but also to introduce policy into network operations.
Traffic that did not conform to a security policy could be identified and handled in a way that fostered the concept of the trusted network. The boundary between trusted and untrusted (or less trusted) networks was defined by these control points, which staked out the security perimeter. The defining characteristic of that perimeter was the policy that governed the movement of traffic and network content that passed across its boundaries.
The Transformation of the Enterprise
The originally simple concept of the network perimeter, whose virtues included the centralization of security policy enforcement at the control points, has become far more complicated in recent years. To a proliferation of different operating environments — personal systems as well as enterprise-class UNIX and its open source variants — has now been added the mobility of a wide variety of information processing platforms, from handheld devices and wireless phones to mobile computers and public kiosks.
The ways these systems connect to the enterprise have become equally varied. The emergence of commodity, high-bandwidth networks has extended to end users and small offices a level of network sophistication that in the past was the exclusive province of the data center. Virtual private network (VPN) technology enables even home users to access trusted internal systems with a level of performance only available previously on the internal LAN.
Wireless technologies further extend this availability — as well as the complexity of network management. These developments mean that network endpoints can be found virtually anywhere — even in the heart of the data center itself, when Web applications and server-based computing deliver a remote end-user environment. The ability to connect to a trusted network from virtually anywhere at any time has transformed the traditional secure perimeter into something far more multidimensional than in the past — making the task of securing the enterprise network a far greater challenge than ever before.
The Impact of Application-Centric Networks
Adding to this complexity is today's emergence of the application-centric network. The convergence of synchronous IP telephony and multimedia with the same networks used for asynchronous data transport is but one example — and a powerfully attractive one for the enterprise, with its potential to reduce the cost of multiple network services. In other domains, multi-tier enterprise applications are evolving into Web Services, which are transforming traditional approaches to network transport. Concepts such as the Simple Object Access Protocol (SOAP) enable Web Services to define new means for applications to interact with each other.
These developments further blur the distinctions between systems, applications, and network infrastructure — distinctions already made hazy by such techniques as virtual LAN (VLAN) definitions, multi-protocol label switching (MPLS), and application-level VPNs based on SSL transport. The evolution of personal systems has made much of this transformation possible, as end users have become able to consume a wide variety of so-called “active content” thanks to the increased capabilities of personal systems and software.
New Technologies, New Threats
These developments have not only extended a high degree of functionality to users everywhere — they have also introduced an entirely new range of threats. By combining a variety of attack techniques, worms and blended threats have leveraged the gaps resulting from a lack of coordination in enforcing a consistent security policy throughout the network. The increased risk of identity exploits means that precautions must be taken to secure network access from unauthorized sources.
Looking to the future, the expansive promise of service-oriented architectures (SOAs) may also pose as-yet undreamed-of challenges for maintaining the security of the enterprise. The "loose coupling" of these architectures will expose businesses to additional risks from even more ubiquitous connectivity, without tools to manage service-specific policies across one of the most ambitious integration visions to date.
The Added Burden of Regulatory Compliance
The challenge of network security is not one of increased technological complexity alone. A growing number of regulatory initiatives means that the enterprise must now meet increased demands for tighter controls on information systems.
The penalties for non-compliance are a principal — if not the principal — motivator for enterprise compliance initiatives. For example, executives found culpable of making fraudulent certifications of compliance with the Sarbanes-Oxley (SOX) Act, which affects all U.S. public companies, face the possibility of years in prison as well as fines into the millions of dollars. Breaches of the confidentiality of healthcare information protected by the Health Insurance Portability and Accountability Act (HIPAA) can result in fines as high as six figures in any one year.
While some initiatives such as SOX affect public companies generally, industry-specific regulation poses a disproportionately high burden for businesses in affected sectors. Among these, financial services are arguably the most regulated of all. In their case, a single noncompliance issue can result in multiple penalties from a number of overlapping mandates. This has caused financial information systems to become one of the most policy-sensitive environments in IT.
Security Solutions as Complex as the Problem
In response to this dizzying array of security and compliance challenges, information technology vendors have produced an equally staggering array of solutions. EMA estimates that there are currently more than 2000 vendors in IT security, each offering one or more solutions in several domains.
This has created its own burden for the enterprise: equipping both infrastructure and personnel with the right mix of solutions and expertise to meet the demand. For example, as firewalls have become more distributed and their port densities have increased, their rule sets have become equally dense and difficult to comprehend, as they segregate multiple networks, and even individual services, from each other. This trend has accelerated as the internal segmentation of enterprise networks along policy lines — motivated by compliance as well as by security — adds to the definition of network trust domains. These domains are further complicated by the introduction of techniques such as VPN and group policy management, defining policy relationships between partners, suppliers, contractors, and customers, as well as within the enterprise itself. Implementations of security policy may appear at virtually any level of the ISO network stack — especially when techniques such as IPsec VPN do not lend themselves inherently to finely grained definitions of security policy.
This is a far cry from the simplistic approach to the network perimeter of the past. Yet even then, the perimeter was not, in most cases, as simple in reality as the concept suggested. The concept of “defense in depth” expanded the implementation of security policy to secondary defenses such as router ACLs behind the firewall, and introduced techniques such as the “demilitarized zone” (DMZ) as a buffer for service proxies between trusted and untrusted networks. When the network was constrained to one, or at least a few, primary trusted networks, these concepts were manageable. Today, as the distributed enterprise network extends across continents and integrates directly with partners and customers beyond direct policy control, the complexity of network security itself actually poses a significant risk of its own.
Still a Matter of Policy
Even though the network has undergone a substantial transformation in functionality and in how security is implemented, the central requirement of security and compliance remains the same: security and compliance are a matter of policy. No matter what else they do, solutions for security and compliance exist primarily to implement a security or regulatory policy.
Policy concepts and statements are typically articulated in a broad way, for the enterprise as a whole. The most obvious examples are the regulatory mandates that affect entire industries. Yet in its technical implementation, policy is typically put into operation in a vendor- or device-specific way. Often, these implementations are not interoperable — even with the vendor's own solutions in other domains. With over 2000 security vendors, each with their own portfolio of solutions, this situation is obviously untenable, whether for the small business forced to deal with increased complexity under tight resource constraints, or for the largest, most complex, or most distributed enterprise. The gaps in the enterprise security posture resulting from this situation expose the enterprise not only to increasingly sophisticated exploits — they also mean a high total cost of ownership (TCO) for the network, since the only way to manage comprehensive policy across this segmented landscape of solutions is to call on human expertise. Unless, that is, the management of security and compliance policy can be centralized and automated.
THE RISE OF ENTERPRISE POLICY MANAGEMENT
These are the factors that have given rise to the discipline of enterprise policy management for security and compliance. This emerging and increasingly visible domain reflects the values that have long driven enterprise management solutions generally: by reducing redundancies and increasing efficiency through the consolidation of multiple tasks across the enterprise — reducing the TCO of the network and freeing skilled professionals to do what they do best. Rarely, however, has the need for these values been as great as that necessitated by the fragmented complexity of network security and compliance.
Key Requirements: The Solsoft Example
There is no more effective way to describe what a comprehensive solution should deliver than to provide an illustrative example. Today, one of the most significant examples of effective enterprise security and compliance policy management can be found in the Solsoft solution set.
Centralized Policy Automation for Real-World Heterogeneity
At the highest level, a security or compliance policy is articulated as an overall statement embracing the enterprise — or its major divisions — as a whole. This means that, at its heart, enterprise policy management must abstract the requirements of the full spectrum of point solutions it supports, in a way that makes the centralized definition of policy deployable throughout the network.
Because security and compliance involve more than security point solutions alone, policy management must also embrace many vendors of network and system products, making the challenge of effective security management among the most complex tasks faced by the enterprise. The importance of the ability to synchronize security and compliance policy across this universe cannot be overestimated. Errors or gaps in the management of protections may directly expose the network to security and compliance risks, while the ability to deploy a swift and effective response to emerging threats may be vital when new attacks move as fast as they do today.
The Solsoft Policy Server provides the centralized abstraction and deployment automation at the heart of the architectural approach that is becoming increasingly critical to network-wide policy implementation. The Solsoft Policy Server runs on Microsoft Windows, Sun Solaris, and Linux platforms, and is available in both Standard Edition and Enterprise Edition options, depending on the features and scalability needed. The Solsoft Policy Server translates policy statements into actionable information that can be transmitted to Solsoft Technology Packs, which interact directly with multiple point solutions of a number of vendors, including Juniper/NetScreen, Symantec, Nortel Networks, Check Point, and Cisco Systems, supporting the multi-vendor nature of many enterprise networks. This approach to integration helps make the swift and automated deployment of security policy a reality in today's diverse network environment.
Modeling, an aspect of more mature management solutions, incorporates two vital capabilities:
This reduces the risk of changes and assures that the intentions of changes will be satisfied. It also increases the effectiveness — and the business value — of IT, and at the same time provides more efficient control of risks to the security as well as the availability of IT.
In policy management, these characteristics are expressed in techniques that depict infrastructure relationships, providing guidance on where and how policy may be applied. Visualization also enables more intuitive access to policy tools for specific aspects of IT. More mature solutions may also be able to show the effect of policies on traffic and system interactions throughout the network, often before policies are deployed.
The intuitive graphic depiction of the network afforded by the Solsoft policy engine not only provides an effective visualization of the network and its policy-relevant relationships; it also provides a graphical tool for the definition of policy in the Solsoft Security Designer.
Solsoft's native modeling capability can simulate changes before they are deployed, enabling policy designers to work in a safe environment, with the freedom to vet policies before they are implemented in production.
Once rulesets have been analyzed in modeling, operations staff can deploy them with much higher confidence. Solsoft thus provides a key tool for uniting and harmonizing the functions of IT security and operations staff — an elusive goal not always realized by many enterprises.
Workflow and User Authentication
Fundamentally, security and compliance are about the actions of people. Security places controls primarily on the actions of malicious individuals, while compliance may focus on the control of both business activities and security risks. This implies that managed workflow tools are essential to effective policy management, since policy itself must be deployed in a trustworthy manner.
Workflows also help constrain the development and deployment of policy according to specific parameters, such as the verification of steps taken in policy creation, and the validation of changes. Workflow also enables policy management to be linked directly with user authentication, placing essential controls on the individuals and roles authorized to implement policy, and protecting policy enforcement from those who are not.
Solsoft Policy Server workflows provide three key values in enterprise policy management:
While modeling and pre-deployment simulation of security and compliance policy can significantly reduce the risk of implementation, it is not always possible to foresee all possible effects in production. Even when all known considerations have been addressed before deployment, individual use cases may raise issues otherwise unknown either to security or operations staff until changes are put in place. As with other aspects of more mature management solutions, the ability to roll back changes can therefore be a vital aspect of enterprise policy management — particularly since the rolling back of policy changes may itself result in unanticipated security or compliance exposures.
With its ability to remember prior policy states throughout the enterprise, the Solsoft Policy Server enables this crucial rollback capability. Solsoft enables rollback of policy changes at a per-project as well as a per-device level. Per-device changes can be rolled back to analyze issues at the device level, which enables granular differential troubleshooting. This avoids the need to expose the enterprise to risk by rolling back large-scale changes when all that may be required is analysis of a specific point issue. When policy deployment on a broader scale requires rollback for any reason, such as temporary operating policies to deal with an emerging threat, per-project rollback enables the reliable restoration of any previous version of global policy stored by the policy server. This controls risk and assures availability far more reliably than alternative manual or point-by-point methods.
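The two mechanisms described above, a central vendor-neutral policy compiled into device-specific syntax (the Policy Server and Technology Pack model of the earlier section) and versioned deployment states that can be rolled back per project or per device, are illustrated below in a toy policy compiler. This is an added example, not Solsoft code and not a description of how the Solsoft Policy Server is implemented: the zones, addresses, device names and the `PolicyServer` class are all constructed for the illustration, and the two renderers emit plain Cisco IOS extended-ACL and Linux iptables syntax as stand-ins for vendor Technology Packs.

```python
"""Toy central policy compiler with versioned rollback (hypothetical, not Solsoft code).

A single abstract rule set is rendered into per-device syntax, every deployment is
kept as a snapshot per device, and a snapshot can be restored for one device
(differential troubleshooting) or for the whole project (global policy state).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    action: str     # "permit" or "deny"


# Constructed sample trust zones; a real deployment would take these from inventory.
ZONES = {
    "corp": IPv4Network("10.0.0.0/24"),
    "dmz": IPv4Network("10.1.0.0/24"),
    "partner": IPv4Network("192.168.50.0/24"),
}


def render_cisco_acl(rules, acl_id=101):
    """Render rules as Cisco IOS extended ACL lines (wildcard masks, explicit deny-all)."""
    lines = []
    for r in rules:
        s, d = ZONES[r.src_zone], ZONES[r.dst_zone]
        # IOS ACLs take an inverted (wildcard) mask; ipaddress exposes it as hostmask.
        lines.append(f"access-list {acl_id} {r.action} {r.proto} "
                     f"{s.network_address} {s.hostmask} "
                     f"{d.network_address} {d.hostmask} eq {r.port}")
    lines.append(f"access-list {acl_id} deny ip any any")  # make the default deny explicit
    return lines


def render_iptables(rules):
    """Render the same rules as iptables FORWARD-chain commands with a DROP default."""
    target = {"permit": "ACCEPT", "deny": "DROP"}
    lines = ["iptables -P FORWARD DROP"]  # default deny comes first
    for r in rules:
        s, d = ZONES[r.src_zone], ZONES[r.dst_zone]
        lines.append(f"iptables -A FORWARD -p {r.proto} -s {s} -d {d} "
                     f"--dport {r.port} -j {target[r.action]}")
    return lines


RENDERERS = {"cisco-ios": render_cisco_acl, "linux-iptables": render_iptables}


class PolicyServer:
    """Compiles one central policy for many devices and remembers every deployed state."""

    def __init__(self, devices):
        self.devices = dict(devices)                   # device name -> platform key
        self.history = {n: [] for n in self.devices}   # name -> rendered config per version
        self.current = {n: -1 for n in self.devices}   # name -> index of the active version

    def deploy(self, rules):
        """Compile and record a new project version on every device; returns its number."""
        for name, platform in self.devices.items():
            self.history[name].append(RENDERERS[platform](rules))
            self.current[name] = len(self.history[name]) - 1
        return len(next(iter(self.history.values()))) - 1

    def active_config(self, name):
        return self.history[name][self.current[name]]

    def rollback_device(self, name, version):
        """Per-device rollback: revert one control point without touching the others."""
        if not 0 <= version < len(self.history[name]):
            raise ValueError(f"{name}: no stored version {version}")
        self.current[name] = version

    def rollback_project(self, version):
        """Per-project rollback: restore one stored global policy state everywhere."""
        for name in self.devices:
            self.rollback_device(name, version)

    def diff_device(self, name, old, new):
        """Lines a change added and removed on one device, for differential troubleshooting."""
        before, after = set(self.history[name][old]), set(self.history[name][new])
        return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    ps = PolicyServer({"edge-fw": "cisco-ios", "dmz-host": "linux-iptables"})
    v0 = ps.deploy([Rule("corp", "dmz", "tcp", 443, "permit")])
    # A temporary operating policy: open partner access to the DMZ service.
    v1 = ps.deploy([Rule("corp", "dmz", "tcp", 443, "permit"),
                    Rule("partner", "dmz", "tcp", 443, "permit")])
    print("\n".join(ps.active_config("edge-fw")))
    print("added/removed on edge-fw:", ps.diff_device("edge-fw", v0, v1))
    ps.rollback_device("edge-fw", v0)   # isolate a problem at one control point
    ps.rollback_project(v0)             # or restore the whole prior global state
```

The point the code makes is that rollback is cheap only because every rendered state is retained per device: reverting one firewall to inspect a regression leaves the other control points on the newer version, while a project-wide rollback restores a consistent global state rather than hand-editing each device.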
Manageable Centralized Reporting
Reporting provides a vital function of centralized policy management: the demonstration of policies actually in force. This capability is particularly significant for the compliance-sensitive enterprise, since it shows how high-level mandates and policy statements are translated into actual implementation. Reporting provides two additional values significant to security and compliance management: it is a primary tool for auditing the current security or compliance posture, and it provides baseline information for strategic security and compliance planning.
The ability to provide reports on the current security posture tailored to the needs of a specific audience is a key aspect of security and compliance audit. Audit is necessary in order to establish a foundation on which an effective security or compliance strategy can be built.
It is also necessary for periodic updates of the strategic posture. In order to identify where strategy can be most effective, however, reporting for security and compliance audit must embrace the enterprise (or its significant subdivisions) as a whole. Reporting that can be both broad in scale and detailed in focus typically has the flexibility to be tailored to specific needs, such as those of IT operations staff, which may be substantially different from those of auditors or IT executives. This flexibility serves to help specialists identify the strengths of a strategy in their specific area of expertise, as well as areas where gaps exist in execution.
The Solsoft Security Reporter centralizes its flexible, role-based reporting functionality not only to help deliver this broad view; it also reduces the complexity of report gathering when multiple or complex control points and solutions factor significantly in the enterprise environment. This reduces the burden of report creation and generation, and can help reduce the total cost of strategic efforts as well as compliance demonstrations.
In order to validate the value of the Solsoft policy management solution, EMA interviewed four Solsoft customers. These customers represented major enterprises, including an auto maker, one of the world's most well-known names in media and entertainment, a significant vendor of controls for manufacturing and process industries, and an enterprise in the petroleum industry.
An issue common to all these customers was the distributed nature of each company's IT infrastructure. Each has a worldwide presence, with significant centers of operation serving key geographic regions. This poses increased challenges of complexity, particularly in the coordination of complex IT networking with adequate security, while at the same time enforcing necessary compliance measures.
The most common challenge that Solsoft addressed for each customer was the increased complexity of current firewall deployments. With higher throughput, greater port densities, and more sophisticated capabilities, today's firewall systems can themselves be deployed in complex or distributed architectures. Rule sets can become impenetrably huge, and are further complicated by the need to assure availability across multiple domains, both of networking and of trust. These domains may be subdivisions of the enterprise itself, or they may represent boundaries with partners and customers. Without the centralized simplification of Solsoft policy management for these firewall environments, all customers felt that security policy would have been unmanageable.
These customers reported one or more of three things: there was no acceptable alternative other than Solsoft, existing or displaced firewall products did not have an adequate policy management solution of their own, or the customer found Solsoft to be the preferred management tool for the desired firewall solution. Most of the customers were using or transitioning to Cisco firewall products, in order to take advantage of advanced functionality such as the firewall service module (FWSM) and VPN service module (VPNSM) capabilities of the Catalyst 6500 series. In these cases, the customer either perceived Solsoft as the policy management solution of choice for their complex Cisco firewall environments, or saw no suitable alternative on the market.
©2005 Enterprise Management Associates, Inc. All Rights Reserved.
Some of these customers were also using Solsoft to manage additional security systems representing multiple vendors including Cisco, Juniper Networks (NetScreen) and Check Point. Supported systems included virtual private network (VPN) concentrators and intrusion detection systems (IDS). VPN termination points in particular can also be key points for security policy enforcement, as they segregate trusted from untrusted users and are the most direct interface with trusted connection points. One of the interviewed customers was using Solsoft to manage site-to-site VPN for interfacing with partner networks. IDS provides policy control as well as information that informs policy development and implementation, by detecting and often blocking recognized attacks and new attack signatures. The ability to use Solsoft to manage common policy across multiple security solutions and vendors was identified as a significant value for these customers. In the words of a representative of the auto maker, “We cannot operate our network without a security device manager.”
Some of the customers interviewed were also using Solsoft to manage security policy in non-security-specific devices, such as router ACLs — in one case, for over 200 sites. This not only supports the value of a single, centralized policy definition point, it also supports the best-practices principle of defense in depth. When a common policy can be deployed across multiple control points, it poses multiple barriers to exploit, and reduces the risks that may be associated with any one control.
Because of the distributed nature of these organizations, the ability to segregate roles among policy designers, pre-deployment test groups, and network operations was valued for its ability to distribute workflow among operational units that are often widely separated, geographically as well as in terms of responsibility.
This ability to distribute responsibilities and tasks also supports compliance-mandated separation of duties to protect against governance abuses. The interviewed customers were divided between those who have introduced Solsoft to address the growing complexity of their network security policy challenges, and those who have been loyal Solsoft customers since its early product versions. Both groups have experienced the growing pains customary for an innovative solution in an emerging technology, yet all those interviewed consistently reported that Solsoft has been highly responsive to product issues, resolving software defects within a few days.
The complexity of policy management in these environments sometimes meant that customers reported a rather steep learning curve to obtain the maximum value from the Solsoft investment. However, all customers reported that Solsoft delivered a high level of support — for training as well as products — in resolving these challenges. They look forward to taking advantage of recent Solsoft product enhancements including high availability for the Solsoft Policy Server, integration with RADIUS identity and authentication services for Solsoft user provisioning and access control, more robust import capability, a more scalable graphical interface, and greater optimization of security policy calculation. Overall, the consensus of these customers is that in Solsoft policy management they have found an essential solution for network security that they were unable to find in any other alternative.
The challenge and complexity of defining IT security and trust has increased significantly with the disappearance of clear perimeters, as well as with the pressure of regulatory mandates. Many tools have added to the options available to solve the challenge, and existing tools have become far more complex. For example, EMA has seen an increase in the deployment of firewall systems with multiple interfaces to segment even internal networks into zones of trust, as security and compliance requirements heighten the need to draw the boundaries of trust ever more finely.
Despite the fragmentation of the security market and the profusion of techniques to make the enterprise secure and compliant, the one constant that defines the entire spectrum of solutions is the policy-based nature of how they are controlled. EMA believes that the management of policy that spans this spectrum is more than an advantage for delivering better or more efficient security and compliance: to paraphrase one of Solsoft's own customers, it is becoming less and less possible to manage today's networks without the centralized management of security policy. This belief is reflected by vendors as well as customers. Emphasis on the holistic, architectural approach to security implementation has become one of the main themes in the current market.
Many believe that the fragmentation of the security market cannot continue indefinitely. Consolidation will overtake key solution segments as they mature. While EMA expects this consolidation, it does not expect it to eliminate segmentation in IT security completely.
Attackers are far too creative to allow security standards to remain static for long. Gaps will always be found and exploited. When this happens, regulatory mandates will not be far behind. These are facts that not only drive innovation in security and compliance — they also suggest that a wide range of solutions and vendors will continue as a matter of necessity.
These facts accentuate the forward-looking and innovative enterprise policy management solution represented by Solsoft. Without centralized tools for bringing unity among security point solutions, the continued proliferation of security defenses and compliance solutions will continue to make network management itself a difficult challenge.
Unity can be found in the management of policy that defines how protections are deployed. While solutions such as Solsoft have significant challenges ahead, they are staking out new territory by raising enterprise policy management into a domain in its own right, at the front of the initiative to convert today's fragmented approach to security management into an architectural whole.