A slew of start-ups are rolling out tools to help newly compliant IT shops monitor, maintain and enforce compliance policies.
Meeting the demands of the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley (SOX) Act, and the Gramm-Leach-Bliley Act requires constant data analysis, a chore that security management newcomers Elemental Security, eIQNetworks and Procera Networks hope to ease.
"IT managers need to have ongoing visibility into their compliance levels to avoid drifting out of compliance over the course of six months or so," says Scott Crawford, a senior analyst with Enterprise Management Associates. "No one wants to have a big compliance project every year. Security and policy management products can automate parts of the ongoing monitoring and enforcement of compliance policies."
Start-up Elemental Security this week is scheduled to launch its Elemental Compliance System, software that the company says combines policy-creation tools with ongoing monitoring and enforcement features. The software, developed by company co-founder and IT security guru Dan Farmer and Python script author Guido van Rossum, can be customized to work with a variety of platforms and applications.
"It's not a tool specific to one type of vertical application. It can work with what I have without me having to go to my application vendors and get them to rewrite their code for compliance," says Doug Torre, director of networking and technical services at Catholic Health System, an integrated healthcare delivery network in and around Buffalo, N.Y. He is piloting the product to determine if it will help him maintain compliance policies across healthcare-specific applications.
The system uses a combination of server software and agents distributed on servers, desktops and laptops. The server maintains the library of policies, and the agents monitor devices, reporting any changes from the established baseline to ensure compliance.
The product comes with tools to create policies for heterogeneous environments, including Unix and Windows. Templates and scripts let even inexperienced administrators create policies on multiple systems without platform-specific knowledge, the company says.
Once deployed, the software assesses compliance on a regular basis and offers tips to mitigate potential problems, such as discovery of an unauthorized laptop attempting to access a network or a sales employee accessing an accounts payable application.
"Instead of an annual baseline or periodic security check, this software shows us in nearly real time what isn't compliant and even enforces policies," Torre says. He now can dedicate less of his tightly stretched security budget to maintaining compliance.
Torre says he's not thrilled with distributing additional agents, which requires configuring and deploying them to targeted machines. But he says the idea of blocking traffic or isolating non-compliant systems - a feature made possible by the traffic analysis capabilities of the agents - is a worthwhile trade-off. "These are applications we can't easily control, but a software overlay like this could let us evaluate and assess what they are doing on the network."