Configuration Assessment: Choosing the Right Solution

WHITEpaper
Configuration Assessment:
Choosing the Right Solution
page 2 Executive Summarypage 3 Introductionpage 3 Barriers to a Known and Trusted Statepage 5 Configuration Assessmentpage 10 Conclusionpage 11 Appendix: Policies and Standards that Impact IT
©2008 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.WHITE?PAPERConfiguration Assessment: Choosing the Right Solution
Executive Summary No matter what line of work they're in, organizations face four pressing issues: ensuring the security of the IT infrastructure, optimizing its performance and availability, keeping it compliant with relevant regulations and standards, and proving compliance in an audit. The costs for not addressing these issues are clear-attacks on the IT infrastructure, poor customer experiences, lost revenue, compromised reputation, and major headaches during audits.
Configuration assessment tools are designed to help IT overcome these challenges and successfully comply with relevant internal and external policies, thereby getting the IT infrastructure into a known and trusted state. But it's important that IT understands the different approaches taken with configuration assessment, including any shortcomings a particular approach may have.
It's equally important that IT understands what features of automated assessment tools specifically address the barriers to achieving a known and trusted state. These features may include:
. Out-of-the-box configuration assessment policies;. Ability to capture and retain IT expertise;. Detailed information that aids in remediating improper configurations; and. Ability to monitor changes to configurations.
Fortunately, automated configuration assessment solutions like Tripwire Enterprise help ease the burden on IT of achieving and maintaining compliance, securing the IT infrastructure, and generating evidence for mandatory audits.
Page 2WHITE?PAPERConfiguration Assessment: Choosing the Right Solution
IntroductionSecurity breaches due to improperly configured systems are increasingly making the headlines. Data broker ChoicePoint recently shelled out $10 million to settle a class-action suit brought against them in late January of this year due to a data security breach. ChoicePoint not only suffered a huge financial setback, but also raised customer concerns over the safety of sensitive data with the organization.1 And at the University of California, Los Angeles, hackers gained access to 800,000 records containing personal information, such as Social Security numbers, of former and current students and faculty. Analysts say that 80-90 percent of security exposures are a direct result of improper configuration of servers and workstations. But how many IT Managers can honestly say that they know the configurations of systems across the entire IT infrastructure? To do so, they'd have to be proactively checking the state of all systems-a tedious, perhaps impossible task if done manually. But for the critical systems on a network, knowing the state of these systems can prevent security breaches from occurring and company information from being compromised.
The effects of a poorly configured IT infrastructure may not always make the headlines; they may cause disruptions to application services, theft of intellectual property, and other less publicized, but highly detrimental incidents. For example, improperly configured elements of virtual environments-especially the hypervisors-may open up security holes and severely impact application service delivery. Consider also that organizations have a 75 percent chance of experiencing an email outage that lasts for a significant period-outages often due to poor configurations that will severely limit communication and productivity.2 Clearly, securing the IT infrastructure and ensuring optimal performance and availability are at the top of the priority list for IT.
Equally high on this priority list is compliance; a priority that often overlaps with security and operations. A Q4 2006 survey by AMR Research showed that companies anticipate spending of $6.2 billion in 2008 on achieving compliance with Sarbanes-Oxley (SOX) alone, and an additional $3.3 billion on retaining documents and records for required pro... [download for more]