Product Group Tests
Policy and risk management tools
Next-generation tools are running away with the market.
Full Group Summary
This was another interesting month and it's leading into another one of our favourites, the December Innovator Issue. However, for November we had policy and risk management tools and, in some regards, it was hard to tell the difference. Both types of tools - and the variety was astounding - seem to possess the characteristics of each other. That's good news for you. However...
One of the things we noted - and we've mentioned this before - is that the notion of risk is not well communicated. Risk, regardless of who defines it (and there are dozens of risk formulae), comprises threats, vulnerabilities and impacts. The vulnerability management folks have sold the theory for years that risk equals vulnerability. A vulnerability that no threat can exploit, or whose exploitation would have no impact, is not a risk. So when we figure risk we need to take all of the elements into consideration.
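To make the point concrete, here is a small added example (not code from any product in this group test) that scores a constructed set of findings two ways: by vulnerability severity alone, and by a risk figure that multiplies threat likelihood, vulnerability severity and impact. The three inputs and the multiplicative formula are an assumption chosen for illustration; any of the many published risk formulae would do, as long as it includes all three elements. The rankings come out differently, and the two findings that lack either an exploitable threat path or any impact drop to zero.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Finding:
    """One finding, with each risk element scored on a 0..1 scale (assumed scale)."""
    name: str
    vulnerability: float  # how severe the weakness itself is
    threat: float         # likelihood that a capable threat can actually reach and exploit it
    impact: float         # business impact if exploitation succeeds


def risk_score(f: Finding) -> float:
    """Risk requires all three elements; a zero in any one of them yields zero risk."""
    for element in (f.vulnerability, f.threat, f.impact):
        if not 0.0 <= element <= 1.0:
            raise ValueError(f"{f.name}: risk elements must be in the range 0..1")
    return round(f.vulnerability * f.threat * f.impact, 3)


def rank(findings: List[Finding], scorer: Callable[[Finding], float]) -> List[str]:
    """Highest score first; sorted() is stable, so ties keep their input order."""
    return [f.name for f in sorted(findings, key=scorer, reverse=True)]


def rank_by_vulnerability_only(findings: List[Finding]) -> List[str]:
    """The 'risk equals vulnerability' view the text criticises."""
    return rank(findings, lambda f: f.vulnerability)


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Ranking that takes threat and impact into account as well."""
    return rank(findings, risk_score)


# Constructed sample findings; names and scores are illustrative only.
SAMPLE = [
    Finding("critical-cve-on-isolated-lab-host", vulnerability=0.95, threat=0.0, impact=0.3),
    Finding("medium-bug-on-internet-facing-payments-api", vulnerability=0.5, threat=0.9, impact=0.9),
    Finding("high-severity-in-unused-demo-app", vulnerability=0.8, threat=0.6, impact=0.0),
    Finding("low-severity-on-domain-controller", vulnerability=0.3, threat=0.7, impact=1.0),
]


if __name__ == "__main__":
    print("by vulnerability only:", rank_by_vulnerability_only(SAMPLE))
    print("by full risk:         ", rank_by_risk(SAMPLE))
    for f in SAMPLE:
        print(f"{f.name:45s} risk={risk_score(f)}")
```

The severity-only view puts the isolated lab host at the top; the full risk view puts the exposed payments API first and the lab host and the unused demo application at zero, which is the ordering a policy tool should be driving remediation from.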
That said, another thing that we noticed this year is that features that were just emerging last year are becoming mainstream. We noted, though, that there are two distinct schools of these products: there are the traditionalists and the next-generation tools. The next-gen products were just getting their feet wet last year and there was a lot of room for the more traditional players. We don't think that is as much the case this year. The next-generation tools are running away with the market because they do a lot with a lot less administrative effort.
They're not perfect yet, though. For example, we saw very few tools that did auto-discovery of assets. If you have 10,000 virtual servers and hundreds of thousands of endpoints, setting up a policy management tool manually is a non-starter. We were told that admins could import an asset list in any of several formats (depending on who you ask), but the fact is that many companies - some very large - simply don't have such a list, and what they do have is outdated. In order to achieve the benefits of a policy/risk management tool you must have an accurate asset list. The tool itself should either be capable of creating such a list through its own discovery or of interfacing with a tool that can, and then consuming the result.
We were told by a few vendors that auto-discovery built into the product was technically infeasible. Perhaps that says something about the product. Auto-discovery is not new and there are multiple ways to do it. We cannot imagine a vendor that could not - for technical reasons - integrate such a capability into its product.
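Whichever way the asset list is produced, the useful step is comparing what the organisation thinks it owns against what discovery actually observes. The following added example (not code from any product reviewed here) reconciles a constructed imported inventory in CSV form with a constructed list of discovered hosts and reports unmanaged assets (observed but absent from the list, so no policy is applied to them), stale entries (listed but never observed) and hostname drift. The CSV columns and the discovery feed format are assumptions; a real deployment would feed it the output of whatever discovery or CMDB source the tool integrates with.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed inventory export, keyed on IP address (assumed column layout).
INVENTORY_CSV = """hostname,ip,owner,last_reviewed
web01,10.0.1.10,platform,2014-06-01
db01,10.0.2.20,data,2013-11-15
legacy-app,10.0.3.30,unknown,2012-01-01
"""

# Constructed discovery feed: (observed hostname, IP address).
DISCOVERED: List[Tuple[str, str]] = [
    ("web01", "10.0.1.10"),
    ("db01-new", "10.0.2.20"),   # same IP as the inventory's db01, different name
    ("vm-8821", "10.0.9.41"),    # not in the inventory at all
    ("vm-8822", "10.0.9.42"),    # not in the inventory at all
]


def load_inventory(inventory_csv: str) -> Dict[str, Dict[str, str]]:
    """Parse the CSV export into a dict keyed on IP; duplicate IPs are rejected."""
    inventory: Dict[str, Dict[str, str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        ip = row["ip"].strip()
        if ip in inventory:
            raise ValueError(f"duplicate inventory entry for {ip}")
        inventory[ip] = row
    return inventory


def reconcile(inventory_csv: str, discovered: List[Tuple[str, str]]) -> Dict[str, object]:
    """Compare the imported list with discovery results and summarise the gaps."""
    inventory = load_inventory(inventory_csv)
    observed = {ip: host for host, ip in discovered}

    unmanaged = sorted(ip for ip in observed if ip not in inventory)
    stale = sorted(ip for ip in inventory if ip not in observed)
    covered = sorted(ip for ip in inventory if ip in observed)
    # (ip, inventory hostname, observed hostname) where the two names disagree
    drifted = sorted(
        (ip, inventory[ip]["hostname"], observed[ip])
        for ip in covered
        if inventory[ip]["hostname"] != observed[ip]
    )
    coverage = len(covered) / len(observed) if observed else 0.0

    return {
        "unmanaged": unmanaged,      # discovered, but no policy is being applied
        "stale": stale,              # listed, but not seen by discovery
        "drifted": drifted,          # listed and seen, but the record is out of date
        "coverage": round(coverage, 2),  # share of observed assets the list accounts for
    }


if __name__ == "__main__":
    for key, value in reconcile(INVENTORY_CSV, DISCOVERED).items():
        print(f"{key:10s} {value}")
```

On the constructed data the imported list accounts for only half of what discovery sees, one listed host has not been observed at all, and one record carries an outdated hostname. Those three lists are exactly what a policy tool needs before it can claim its policies cover the estate.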
All of that said, we found a very small number of products that really impressed us. The rest were, even so, impressive in their own right, but these few are setting the bar for risk and policy management and they are doing it in novel ways.
So much for the introductions. We have a pretty good batch of tools to examine and we'd better get to it. Suffice it to say that there is not a loser in the bunch. All of the tools are very good. Some are just better than the others by a narrow margin.
Specifications for risk and policy management tools [pdf]
All Products In This Group Test
- Acuity Risk Management STREAM Integrated Risk Manager
- AlgoSec Security Management Solution
- Allgress Insight Risk Manager
- LockPath Keylight Platform
- Modulo Risk Manager
- NNT Change Tracker Generation 7
- Skybox Security Suite
- SolarWinds Network Configuration Manager
- Tripwire Enterprise
- Tufin Orchestration Suite