Product Group Tests

Risk and policy management (2013)

Group Summary

Best Buy: AlgoSec Security Management Suite

Recommended: Agiliance RiskVision v6.5; Tufin Security Suite


Full Group Summary

With an ever-evolving list of compliance regulations, automating tasks goes a long way to alleviating mundane tasks...and it's never been simpler, says Peter Stephenson.

This month we look at risk and policy management tools and we have a lot of them for your consideration. A good first step is distinguishing what we mean in both cases. One thing that we noticed this year is that some functionality is spilling over into configuration and vulnerability management tools.

Enterprise risk management is a continuous process. It begins with setting objectives and identifying risks. Once the risks are identified, they should be assessed to understand how to treat them. Risks can either be controlled or eliminated. In either case, there needs to be some way to communicate the risk picture and continue monitoring. That continued monitoring may illuminate additional risk objectives - and new strategy needs to be set starting the cycle over again. Risk management tools provide a platform on which to perform this risk management cycle.

Policy management, on the other hand, is not quite as clearly defined. In some cases, policy management refers to the supervision of an organisation's security policies derived from risk management, regulatory requirements and other types of input. In other cases, it refers to how policy is applied, managed and updated to devices, such as firewalls. It is not uncommon to see these types of applications in the same product. However, policy management, like risk management, is a continuous process and the two are tied together because policy is intended to address risk.

Conventional wisdom tells us that the first task in creating an enterprise architecture is to perform a risk assessment. Once this is complete, one needs to create policies to address the risks. So, if one has a need for a secure enclave, such as an online banking system, the administrator will identify the risks inherent in such a system, create policies that address those risks and then design an architecture - network and security - that implements those policies.

Now that an architecture is in place, one can begin to populate it with tools. However, at this point, the administrator will find that the tools need to be configured to implement and enforce the policy, and that each tool must also be configured with its own policies - although these really are settings that enforce or implement policy - which need to be kept current. Risk drives the policies, so as risks change, policies need to change - both in the abstract (the organisation's written security policy) and in the concrete (configuration policies). For a big enterprise, tracking and implementing all of that can be daunting.

That is where our tools enter the picture. It has long been my position that both of these types of tools are necessary to manage an enterprise's security properly. The big problem - and one that user organisations and vendors alike have been struggling with for years - is how do you make this work for all but the largest enterprises?

I am aware of an organisation that needs what these tools offer. Some years back they purchased a pricey but well-thought-of tool and went through the pain of training, configuration, and transferring policy to it, etc. Part way through the process they decided they did not have the resources to get the job done right, and they shelved the project and the product. The tools we reviewed this month can go a long way toward keeping that sort of thing from happening in the future.

So, the bottom line: If yours is a medium to large enterprise, managing your policies, risks and various attendant configurations is a real issue. Most likely, if you haven't implemented an automated approach, you are struggling to keep everything configured, to keep policies aligned with current regulatory requirements, and to keep risks measured and managed as new ones come over the horizon.

Automated risk and policy management really is a major step if one wants to make the most of human resources, instead of marshalling them to manual tasks that never seem to complete.

Are these tools pricey? Some may be, but this is like any other security product. Look closely at what you need to accomplish, match a product to those needs, and either make it fit your pocketbook or start lobbying for a bigger one. In the long run, the savings from automating these tasks will be significant enough to justify the purchase.

Michael Lipinski and Mike Stephenson contributed to this group test.