What do administrators really want in security tools? At a security conference in New York City, customers pointed to auditability, flexibility, usability, and most of all, vendor responsiveness.
"There are a lot of vendors out there pushing products," said Carl W. Eyler, CISSP, VP and IS officer at Banco Santander Central Hispano. "(But) does it fit my organization?" he asked. "The problem is that (toolmakers) are not out there in the trenches."
Auditability is a key requirement, according to Eyler. "Do I know who my users are? Who has an account? Has someone plugged in a rogue machine on my network?"
Tools in categories like user management and patch management can confuse the issue, though. "Is (auditability) a security problem, or an IT problem?" Eyler inquired, in a panel session at Computer Security 2002, a conference sponsored by the Metro NY chapter of the Information Systems Security Association (ISSA).
Software applications of many sorts are deficient in security, Eyler suggested. "Often, security is just an add-in," he said. In particular, Eyler cited a Web portal product that doesn't let end users set their own PINs (personal identification numbers).
Security pros and corporate IT auditors "ought to be pressing vendors to make all software more auditable," contended George Hertzberg, panel moderator.
Chester M. ("Chet") Winters, another speaker, urged ease of use, flexibility, and scalability. Many software products today produce "audit trails that no one could disseminate, or even use," charged Winters, a long-time security manager who is now executive consultant for Data Day.
"If those logs don't allow you to see where the POC (point of control) broke down, they don't do that much good," Winters added.
By and large, software packages are getting more flexible, Winters admitted. Especially important, however, is the "ability to change the security" with mergers and acquisitions, he said. "What happens if I (now) have 10,000 to 15,000 users?"
Administrators need to be able to set detailed profiles, too. "More and more software is role-based. How far down can you go?" Tools should offer "depth as well as breadth," he maintained.
Many software vendors "overkill some aspects (of security) and underkill others," Winters continued. "Very often, you need to go out and buy a second package for manageability."
"Don't let the vendor sell you a security product. Buy it from them. Tell them (your) requirements," he told the audience.
Alex Consilvio of RSA Security, Inc. bounced back with a vendor's perspective. Vendors know it's in their own best interests to serve customers' needs, according to Consilvio. "We don't want to just sell you 'whatever' product and then split. It just doesn't work that way."
Users need to tell vendors about their business problems and environments. "I want to know your requirements," he elaborated. Vendors like to provide solutions. "We don't just want to sell you a widget and then, 'See ya later.'"
Consilvio acknowledged, though, that vendors do operate under "a whole set of constraints." Vendors typically have "procedures in place" for making enhancements to products. "As vendors, though, we only have limited resources to R&D."
Some changes in functionality might even require rewriting an entire application. As a result, decisions about product enhancements are often based on degree of customer demand, according to Consilvio.
Customers and vendors need to engage in "constant communications" around auditability and security, according to Hertzberg. "Both have an obligation to participate" in the dialog. Hertzberg also suggested that smaller customers can gain a lot more clout with vendors if they band together in groups.
For their part, administrators should also stay on top of their companies' organizational cultures and business problems, the panelists agreed. "Organizational culture determines what kinds of usability features are required," Winters noted.
What should users look for in choosing a security vendor? Vendors should "come in with a vision," he said. Products should be "policy-driven," to help customers meet business needs. Good documentation is essential.
Even more importantly, though, vendors should have adequate cash flow - either through long-term profitability or VC (venture capital) money - to meet customers' ongoing needs for product support, according to Winters.
Who should get involved in choosing products? In many organizations, security is still a relatively small part of the IT budget. "(But) it is a portion of the budget. The key is wise expenditure," Winters advised. In large companies, "IT audit and security people (should) get a good working relationship."
If vendors ally with security managers and auditors, "We'll be instrumental in saying to the CIO and the (IT) people in charge (of purchasing), 'This vendor is more interested in auditability. So we recommend that you at least take a look,'" Hertzberg said.
Hertzberg is currently the director of two generic user groups: the Security Users' Partnership (SUP) and the Computer Assisted Audit Tools and Software Auditability Users' Partnership (CAATSAUP).
Vendors are well versed in working with both security managers and auditors, according to Consilvio, who is RSA's senior territory manager, NY Metro eMerging Markets. Often, security vendors are called in after a company has failed an audit. "So we engage the auditors very early on," Consilvio explained.