The CIO-level business angle on the latest tech
Is our company’s data secure? Are we in compliance with general information access control policies? These are two security questions on every CIO’s mind these days. For many of them, as well as the other C-level executives, regulatory compliance is another major concern. This past April, Elemental Security began shipping a product to address both security and compliance needs for the large enterprise environment. Even if you don’t need to comply with major regulations such as Sarbanes-Oxley and HIPAA, you can’t go wrong in enforcing your own internal policies to increase security with an automated tool like the Elemental Compliance System (ECS).
ECS fits into the sweet spot where host configuration management, network access control and policy management intersect. This product has one of the strongest, most detailed policy management modules that we’ve seen. For more information about the security and network management aspects of ECS, check out recent articles here and here (PDF).
Compliance requirements and system security have always been linked. Until now, however, they were difficult to implement in a non-invasive, integrated manner that was easy to deploy, maintain and monitor. The ultimate goal is to close gaps in system access while remaining consistent with the general business controls (segregation of duties, for example) that are designed to ensure the reliability of financial data.
An enterprise-level tool, ECS is an integrated product that gives security practitioners the near-real-time ability to effectively and efficiently:
* Inventory all network assets.
* Create, modify, test and monitor security policy and compliance.
* Control and monitor network access.
* Control and monitor configuration management for users' machines.
* Establish baselines and metrics.
* Identify threats, assess risk and automatically contain vulnerabilities.
* Prevent non-compliant resources from accessing the network.
ECS uses an agent-server approach. New devices that appear on the network without the agent are discovered and monitored from the network side, and can be isolated until they are shown to meet the conditions set by the enterprise policies. Approved devices and users can be grouped dynamically by specific attributes or by the policies they satisfy, increasing your flexibility to control access to resources.
The range of policy templates Elemental provides is quite extensive, covering regulations such as Sarbanes-Oxley, PCI and HIPAA. In addition, ECS has a built-in custom policy language that lets you express and deploy policies across a broad range of platforms and machines. Once a policy has been developed, compliance by your users and devices can be tested in a "monitor only" mode, which records what the policy would flag without acting on it, so you can gauge the impact on the business environment and avoid unnecessary downtime or unintended side effects. When you are ready, you can switch the policy to full enforcement with follow-up actions.
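To make the agent/agentless distinction, the dynamic grouping and the monitor-only-then-enforce workflow described above concrete, here is an added example, not ECS code and not Elemental's policy language (which this column does not show). The host records, rule names and attribute names are all constructed for the illustration; the only real-world detail is that a device without an agent can only be judged on what network discovery sees.

```python
"""Host-compliance evaluation in "monitor only" and "enforce" modes.

Illustrative only: the policy format, rule names and host records below are
constructed for this example; they are not Elemental's policy language or
data from any ECS deployment.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    """One compliance check: a name and a predicate over a host's attributes."""
    name: str
    check: Callable[[dict], bool]
    description: str


# Constructed inventory. An agent reports detailed host attributes; a device
# with no agent is only what network discovery can see (open ports here).
HOSTS = [
    {"host": "fin-db01", "agent": True, "os": "rhel",
     "min_pw_len": 12, "av_updated": True, "open_ports": [22, 5432]},
    {"host": "hr-lap07", "agent": True, "os": "windows",
     "min_pw_len": 6, "av_updated": False, "open_ports": [3389]},
    {"host": "printer-3f", "agent": False, "os": "unknown",
     "open_ports": [9100, 23]},
]

# A small policy in the spirit of a password / anti-malware / network-hardening
# baseline. Missing attributes fail closed: a host that cannot prove a control
# is treated as not having it.
POLICY = [
    Rule("pw-length", lambda h: h.get("min_pw_len", 0) >= 8,
         "minimum password length is at least 8"),
    Rule("av-current", lambda h: h.get("av_updated") is True,
         "anti-malware signatures are current"),
    Rule("no-telnet", lambda h: 23 not in h.get("open_ports", []),
         "telnet (tcp/23) is not listening"),
]


def evaluate(host: dict, policy: List[Rule]) -> List[str]:
    """Return the names of the rules this host fails, in policy order."""
    return [r.name for r in policy if not r.check(host)]


def assess(hosts: List[dict], policy: List[Rule], mode: str = "monitor") -> Dict[str, dict]:
    """Evaluate every host against the policy.

    mode="monitor": findings are recorded only; every host's action is "log".
    mode="enforce": compliant, agent-managed hosts are allowed on the network;
    everything else (failing hosts and unmanaged devices) is quarantined.
    """
    if mode not in ("monitor", "enforce"):
        raise ValueError(f"unknown mode {mode!r}")
    report: Dict[str, dict] = {}
    for h in hosts:
        failures = evaluate(h, policy)
        if not h.get("agent", False):
            status = "unmanaged"          # no agent: cannot prove compliance
        elif failures:
            status = "non-compliant"
        else:
            status = "compliant"
        if mode == "monitor":
            action = "log"
        else:
            action = "allow" if status == "compliant" else "quarantine"
        report[h["host"]] = {"status": status, "failures": failures, "action": action}
    return report


def group_by_status(report: Dict[str, dict]) -> Dict[str, List[str]]:
    """Dynamic grouping: hosts bucketed by their current compliance status."""
    groups: Dict[str, List[str]] = {}
    for host, result in report.items():
        groups.setdefault(result["status"], []).append(host)
    return {k: sorted(v) for k, v in groups.items()}


def compliance_rate(report: Dict[str, dict]) -> float:
    """Percentage of inventoried hosts that are fully compliant (a dashboard figure)."""
    if not report:
        return 0.0
    ok = sum(1 for r in report.values() if r["status"] == "compliant")
    return 100.0 * ok / len(report)


if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        print(f"--- {mode} ---")
        for host, r in assess(HOSTS, POLICY, mode).items():
            print(f"{host:12} {r['status']:14} {r['action']:10} {r['failures']}")
```

Running it in monitor mode first shows that the laptop with the weak password policy and the agentless printer would both be quarantined under enforcement, while the database server would be allowed; that preview is exactly what a monitor-only rollout is for. Note the fail-closed choice: an attribute the device cannot report counts as a failed control, which is why an unmanaged device stays quarantined until it is either given an agent or proven compliant some other way.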
The total view of compliance is where this product really shines. ECS provides a simple compliance and monitoring dashboard that graphically displays overall compliance with your implemented security policies. This lets compliance managers determine whether information security controls are aligned with the organization's overall compliance plans.
Linda Musthaler is a principal analyst with Essential Solutions Corporation.