Is our company’s data secure? Are we in compliance with general information access control policies? These are two security questions on every CIO’s mind these days. For many of them, as well as the other C-level executives, regulatory compliance is another major concern. This past April, Elemental Security began shipping a product to address both security and compliance needs for the large enterprise environment. Even if you don’t need to comply with major regulations such as Sarbanes-Oxley and HIPAA, you can’t go wrong in enforcing your own internal policies to increase security with an automated tool like the Elemental Compliance System (ECS).

ECS fits into the sweet spot where host configuration management, network access control and policy management intersect. This product has one of the strongest, most detailed policy management modules that we’ve seen. For more information about the security and network management aspects of ECS, check out recent articles here and here (PDF).

Compliance requirements and system security have always been linked. Until now, however, they were difficult to implement in a non-invasive, integrated manner that was easy to deploy, maintain and monitor. The ultimate goal is to control gaps in system access while staying in concert with overall general business control requirements (for example, segregation of duties) that are designed to ensure reliability of financial data.

An enterprise-level tool, ECS is an integrated product that provides security practitioners with the near-real time ability to effectively and efficiently:

* Inventory all network assets.

* Create, modify, test and monitor security policy and compliance.

* Control and monitor network access.

* Control and monitor configuration management for users' machines.

* Establish baselines and metrics.

* Identify threats, access risk and automatically contain vulnerabilities.

* Prevent non-compliant resources from access to the network.

ECS uses an agent-server approach. New devices put on the network that do not have the agent are discovered and monitored and can be isolated until it is proven that they meet the conditions set forth by the enterprise policies. Approved devices and users on the network can be dynamically grouped according to specific attributes or policies, increasing your flexibility to control access to resources.

Linda Musthaler is a principal analyst with Essential Solutions Corporation.