
Maintaining continuous compliance

BigFix | www.bigfix.com


Meeting regulatory and internal compliance guidelines is a de facto standard practice for IT operations and IT security teams in public and private organizations. IT organizations carry out internal audits on a regular basis, plus annual audits of critical systems and infrastructure in accordance with regulations such as FISMA, HIPAA/HITECH, PCI, SOX, and many others. To keep up with the different internal and external compliance audit requirements, IT organizations often find themselves in a reactive mode, addressing requirements on a project-by-project basis instead of as an ongoing, strategic business requirement. This approach brings with it security risks and much higher costs.


“When it comes to compliance, organisations have dual concerns. First, knowing with certainty what's on their network and how it's configured. Second, having the precise control to achieve and maintain compliance across their distributed environments. Thankfully, through its continuous compliance approach, BigFix does both.”
- Deanna Dames, Director, Corporate Marketing

Challenges

Compliance usually involves multiple IT teams dealing with point-in-time assessments, stale data, ineffective and inaccurate tools, internal politics, multiple consoles, and multiple infrastructures, all leading to excessive cost and extended windows of vulnerability. IT security teams should continuously measure and assess the environment to determine whether the infrastructure meets internal and external compliance regulations, while operations teams should be tasked with ensuring systems are up and running to meet the needs of the organization. IT security teams typically have limited access to the systems within the infrastructure, making it difficult to accurately identify all the gaps in compliance. Meanwhile, remediation usually falls to a separate IT operations team that uses a different toolset.

This approach increases costs and risk, and results in a time-consuming, resource-intensive, and problematic assessment and audit cycle. Challenges include:

Consistent results - IT departments have the task of showing that systems meet audit requirements. To address different requirements, teams oftentimes work separately using different tools. Every tool works differently and can yield different results, which adds layers of complexity, increases risk and the cost of doing business, and drives further inefficiency and a lack of consistency and clarity. This extends the process of identifying compliance gaps and remediating them to several weeks or even months. To overcome this, IT operations and security teams need a single tool that provides a unified and automated approach to discovering, assessing, remediating, and reporting on compliance.

Endpoint visibility - Visibility is vital for assessing system status and meeting compliance requirements on all endpoints, on or off the network. While past compliance efforts and tools focused primarily on servers, endpoints, as the systems most susceptible to attack, are the main targets of hackers: gaining access to a workstation provides an open door to the server environment. Obstacles to visibility arise in distributed environments containing a range of desktop and laptop systems running many versions of Microsoft Windows (server and workstation editions), Unix, Linux, and Mac OS. To protect all endpoints, teams need comprehensive, real-time visibility into the compliance state of all assets throughout the infrastructure, and continuous automated enforcement of endpoint compliance policy regardless of network connectivity.

Data accuracy - Secure does not always mean compliant, and compliant does not always mean secure. In fact, using too many tools can leave an organization with less of both, and unaware of the fact. To verify the accuracy of all compliance data on and off the network, organizations need a single solution that accommodates the requirements of both the IT security and operations teams: one that accurately reports whether systems are truly patched (not merely that the patch is present), configured correctly, and running up-to-date antivirus software.

Policy-based assessment - IT departments face challenges in establishing, and measuring against, consistent policies throughout the entire organization when IT security and operations teams use different tools to meet disparate goals and objectives. A unified approach is the only way to implement a proactive, policy-based approach: sharing and enforcing information across teams, with policy defined on accurate, real-time information.

Scalable Remediation - Assessment without remediation provides limited value to either team. Adding to the burden of discovering how to fix identified problems is the fact that different tools speak different languages, and it is often difficult to bridge the language gap between them. Teams need a solution that not only pinpoints non-compliant assets but can also actually bring them into compliance. This solution must scale to cover all endpoints, fixed or mobile (desktops, laptops, and servers), across all platforms, overcoming the challenge of touching every machine in a way that works without fail and without an enormous IT staff.

Cost and Risk Reduction - IT security and operations teams have different goals and objectives when it comes to meeting internal and external compliance audit requirements, oftentimes resulting in divergent, costly approaches that come with increased security exposure. To keep costs low and eliminate risk, teams need a comprehensive approach to meeting compliance audit requirements. Achieving and maintaining continuous compliance through a unified approach is the best way for teams to eliminate challenges and reduce the cost and risk associated with managing compliance.

Solution Overview

BigFix helps IT security and operations teams become compliant, stay compliant, and prove compliance with the BigFix Unified Management Platform: a unified assessment, remediation, and reporting tool that fosters communication and ensures accurate reporting against all internal and external compliance initiatives. BigFix provides a proven, consistent, accurate, cost-effective approach to assessment and remediation, with a single, centralized console view for comprehensive real-time visibility into the current configuration and compliance state of all managed endpoints. This approach yields pervasive visibility and control in large, complex, distributed environments and enables organizations to focus resources more effectively, reducing the overall cost of compliance.

The standard approach to assessing, measuring, evaluating, and remediating compliance issues typically involves vacillating between compliance and non-compliance: i.e., managing to "point-in-time" activities, such as audits, with little to no review in between. BigFix transforms this resource-intensive cycle by bringing consolidated real-time visibility and control to the vital security and system management processes that support distributed server, desktop, mobile, and virtualized computing infrastructures at enterprise scale. To achieve this, the BigFix architecture implements a distributed single-agent, single-infrastructure approach to delivering anytime/anywhere security and system management services across distributed computing infrastructures.

