A new dashboard to let non-IT users gain access to server and application configuration data to measure regulatory compliance only helps SCM 5.8 keep pace with the competition. Although SCM 5.8 does a decent job of reporting IT asset configuration data, IT managers should anticipate a moderate amount of tinkering to get really useful information on a consistent basis.
NetIQ Secure Configuration Manager 5.8 applies regulatory requirements for
secure computing environments to IT assets and reports that information via a
new Web dashboard that can be used by non-IT personnel. SCM
5.8 sets no new heights for configuration reporting tools and, in common with
other products in this space, including Symantec's better documented Control
Compliance Suite, requires a labor of love to get useful reports on a
consistent basis.
NetIQ SCM 5.8 worked well
with virtual and physical systems during my tests, although some of the
trending reports were skewed by the on-again off-again nature of my virtual
machines. Otherwise, the avalanche of reporting templates for examining
compliance with regulations ranging from SOX to COBIT for operating systems
including Windows, Red Hat and Unix systems, and applications including
Microsoft SQL Sever and Oracle databases make SCM
5.8 worthy of consideration in medium to large organizations.
NetIQ SCM 5.8 started
shipping in September 2009 and starts at $1,000 per managed server. Competitive
products include Symantec Control Compliance Suite, which offers integration
with other Symantec security tools. Configuresoft, which was acquired by EMC--of
which portions including a similar compliance checking component have since
been absorbed by VMware--provides compliance reporting aimed squarely at
virtual machine environments.
How I tested
I ran NetIQ SCM 5.8 on a Lenovo ThinkServer
RD210 with two quad-core Intel Xeon 5540 processors and 12GB of RAM
and a Dell PowerEdge R610 server with two quad-core Intel Xeon 5540 processors
and 32GB of RAM, along with a Lenovo W510
mobile workstation with an Intel Core i7 processor and 8GB of RAM.
I monitored the physical systems along with several virtual server systems
running a variety of Windows and Red Hat server operating systems. Many of the
Windows server systems (a mix of Windows Server 2003 R2 and 2008 R2) were also
running Microsoft application servers including IIS and SQL Server 2005. I used
VMware Workstation 7 on the Lenovo mobile workstation and Windows Server 2008
with the Hyper-V role enabled to host the virtual systems used in my test
environment.
Based on information NetIQ SCM
5.8 gathered from my monitored systems, I was able to generate a wide range of
reports. New in this version of SCM is a
Web-based security and compliance dashboard that I used to provide restricted
access to reports. This is useful for IT managers who want to provide access to
security and compliance data without turning over the keys to the kingdom. For
example, I was able to provide reports on a very small number of servers to
members of an application group, thus limiting the knowledge of important
security vulnerabilities in my test systems to only a select group of
"need-to-know" administrators. The security and compliance dashboard
is a significant improvement in NetIQ SCM
5.8. However, competitive products have this feature too.
The reporting tools--whether delivered through the Web-based
dashboard or through the desktop application interface--proved able to deliver
critical configuration information in a timely fashion. Because the tool can
gather large amounts of configuration information, one of the chief tasks of IT
security managers will be to work with business operations, auditors and
executives to fine-tune data requests so that network resources or system
productivity aren't compromised by requests for configuration data.
Working with NetIQ support personnel I was able to navigate
reports and narrow search results so that I got a good overview of my systems
while also keeping a lid on network bandwidth consumption. Because NetIQ SCM
5.8 can report on more than 100 different preconfigured templates and reports
based on recommendations or requirements from NIST (National Institute of
Standards and Technology), Sarbanes-Oxley, HIPAA, GLB
and a host of other vulnerability or security-oriented groups, it's easy to go
overboard with reporting. NetIQ SCM 5.8 has
the ability to update configuration gathering templates, which IT managers
should use on at least a quarterly basis, to ensure that the most current types
of data are being collected for configuration reports. Although named the
"autosync" feature, triggering the update was a manual process.
Email
Print
Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.
