Sygate Inc. is a company that specializes in endpoint security solutions for large enterprises. John De Santis, Sygate's president and CEO, recently met with InfoWorld Senior Analyst Wayne Rash to discuss the issue of security policy management and measures for creating a safe state on the network.
InfoWorld: How important to the enterprise is security policy management? Is this something vital that people are not paying attention to?
De Santis: The more advanced thinkers in the larger enterprises understand that it's a major issue for them. They've spent a lot of time looking for the bad thing on the network and trying to nail it through an intrusion detection system or an anti-virus system, through firewalls. What's changed is that the threats and the vulnerabilities have become sophisticated enough to the point where you can't find them all. You don't have a virus signature or an intrusion detection signature anymore. So we were seeing them move towards (asking what is) the safe state, the trusted state of a device before it connects to my network? If I can somehow enforce that, then I could eliminate many vulnerabilities and threats that are out there because I know what the trusted state ought to be. I know that you need this level of patches (and) these security measures in place. I know you need these applications turned on or turned off before someone gets connected. The problem I have as an IT executive is I have very little way of automating the enforcement of it. I'm not sure whether people are listening to what I'm saying (and) doing what I'm telling them to do. Security policy management is not just a question of doing audits and finding out whether people are following my policies. It's can you automate as much as possible the enforcement of policy and the remediation, get things back to a trusted state when they fall out of a trusted state so that people can get on with their work.
InfoWorld: You're saying that you need to do something besides using the signature-based scanning, which is what most anti-virus programs do?
De Santis: Yes. There's this approach that some people call scan and block: I'll scan something -- "Oh, you're bad, I'm going to block you" -- and there's some people that do scan and report -- "I'll scan something and I'm going to report that this is going on." If you had only a security hat on and you weren't running the business, you'd say "Well, I'm secure. I stopped all of the potential bad things from getting in." But there's a business to run and a lot of these worms and viruses and things are so automated they rip through the network even without any human intervention. If you can change the concept from scan and block to comply and connect, you've changed the entire perspective on how you let people onto the network. You say "Comply to my policies and then you can connect. And if you can't comply, come into this safe zone where I'll remediate, I'll get you back to a trusted state, I'll get your anti-virus back up to date, I'll turn off KaZaA, I'll turn on these other security measures that should be on so that then you can come onto the network and connect to the applications you need to connect to."
InfoWorld: Where do you think policy management is going in terms of its overall role in the future of enterprise security?
De Santis: It's going to be more automated, meaning built into the whole infrastructure. I think it's going to be driven very hard by regulatory issues. As the bank examiners come into a bank, they're going to be asking questions like "Can you prove how many systems are compliant to your policies?" I think the banking stuff and as well as the Sarbanes-Oxley Initiative as they get further -- what does it mean to say that you're compliant? What does it mean to say you have good controls in place? -- That push down into the CIO's organization and into the security offices organization is going to create a need to have tools that can measure compliance and actually do something about it beyond just saying "March 31st, 93 percent of my devices were compliant to policy." That's not going to be good enough for the bank examiners. They're going to say "What about today? It's April 5th, 17 viruses came out in the last three days." To be able to demonstrate that you have maintained compliance over time is going to be a huge driver for any institution dealing with confidential, private information like credit card guys, medical guys, insurance guys.
InfoWorld: If you could have anything you wanted in terms of security, including policy management and enforcement on your enterprise network, what would that be?
De Santis: There's a whole area called identity and access management. Can you prove who the people say they are, then can you determine through a directory or a meta directory what access those people have to different applications and to different processes in the company. Identity and access management are probably the two most important things that are out there, but they're missing a third component, which is how can you determine the integrity of the device or the thing you're trying to attach from? So I'm suggesting a three-step process: prove your identity, prove you're in a trusted state or a trusted end point before you connect, and then finally control your access to applications based upon the privileges, roles, responsibilities that you have in my enterprise. Identity, integrity, and access management are the three most important things I'd put in place.
InfoWorld: How does an IT manager know what policies should be set and how they should enforced?
De Santis: The best practices of policy are I think pretty well established. A lot of people, especially information security executives, know what good practice and what good policy is. The problem (they) have is taking that knowledge and leveraging it across 10,000 people. (Training courses) are important to raise visibility, raise security awareness, but they don't do anything to enforce the actual policy compliance. How do you scale this enforcement across a huge enterprise of 10,000 people of which, frankly, 9,900 don't really care about security problems, they just want to get their job done. How do you just make it happen behind the scenes? That's been the huge challenge and huge opportunity for companies like us -- can you automate that enforcement as much in real time as possible, as much before the connection is actually made (as possible), and rapidly get that person back to work from a trusted device.
InfoWorld: How big a problem is it for employees of large enterprises to basically ignore policies?
De Santis: I don't think it's a user ignoring the policy. A very large customer of ours, after they had deployed 40,000 (security policy agents), found that every month they were getting 400,000 attacks per month being blocked from things they thought they'd eliminated: automated worms like Code Red Nimda, Ping of Death, stuff like that. When they dug deeper (and) investigated where the source of the problem was, in 70 percent of the cases the source IP address was from inside the enterprise. Not from outside, from the inside the enterprise.
InfoWorld: These are employees who somehow managed to get infected with the worm and are unknowingly blasting away at everybody else?
De Santis: Exactly. The chief security officer and I were talking and she said "You know, we found the enemy and it's us. It's not my users, it's in fact in my sys admins." But it's sys admins all over the world. Some remote outpost (is) putting a server on the network that doesn't comply to my policies of having the right security measures in place, having the right patches in place, having a call center manager with not the latest and greatest on it and they just plop it on my network.
InfoWorld: Infected in minutes.
De Santis: Right, it's just attacked the entire network. If you talk to people out there and ask them what scares you, (they'll say) what I don't know and what I can't enforce. That's what scares me. I can't just say you've got to have anti-virus XYZ in place before you connect, you've got to have patch number ABC in place before you connect and thus stop entire groups from being able to connect and do their work today because they don't have their anti-virus engine up to date. It's a dangerous thing unless you actually build into policy enforcement the ability to remediate and get things back to the trusted state. ... You've got to create this culture of -- the policy is built into the network, it's built into the end point, so that from the very beginning it's enforced deep in the system and thus you create a trustworthy environment. I'm not saying you get rid of all your IDS and you get rid of your anti-virus, but I'm suggesting that a much more policy-oriented approach creates order as opposed to a police state approach.
InfoWorld: What is the one thing that keeps you awake at night in this area?
De Santis: It's things on my network that I don't know about. So many things are being put on the IP network today that IT managers have no idea that there's a TCP/IP stack on them. Printers that come from the factory with viruses on them that are connected to the IP network in your organization. Security cameras being put on the IP network, voice-over-IP phones put on the IP network. I'm thinking I've taken care of Code Red Nimda and so on because I put a security agent, I put anti-virus and all sorts of stuff in place, and next thing you know somebody puts a security camera on there or a time clock system or an Xbox that has a TCP/IP stack in it and bam, it's on the network. It's what I don't know that's on the network. And that brings me back around to (the point) if you have a mechanism to, in real time as much as possible, enforce a policy that's on the network of what trusted devices are allowed to have access to your network and what aren't, to be able to characterize those devices, remediate them, give them access as appropriate -- that's the holy grail.