NetIQ Secure Configuration Manager 5.8 applies regulatory requirements for secure computing environments to IT assets and reports that information via a new Web dashboard that can be used by non-IT personnel. SCM 5.8 sets no new heights for configuration reporting tools and, in common with other products in this space, including Symantec's better documented Control Compliance Suite, requires a labor of love to get useful reports on a consistent basis.
NetIQ SCM 5.8 worked well with virtual and physical systems during my tests, although some of the trending reports were skewed by the on-again off-again nature of my virtual machines. Otherwise, the avalanche of reporting templates for examining compliance with regulations ranging from SOX to COBIT for operating systems including Windows, Red Hat and Unix systems, and applications including Microsoft SQL Sever and Oracle databases make SCM 5.8 worthy of consideration in medium to large organizations.
NetIQ SCM 5.8 started shipping in September 2009 and starts at $1,000 per managed server. Competitive products include Symantec Control Compliance Suite, which offers integration with other Symantec security tools. Configuresoft, which was acquired by EMC--of which portions including a similar compliance checking component have since been absorbed by VMware--provides compliance reporting aimed squarely at virtual machine environments.
How I tested
I ran NetIQ SCM 5.8 on a Lenovo ThinkServer RD210 with two quad-core Intel Xeon 5540 processors and 12GB of RAM and a Dell PowerEdge R610 server with two quad-core Intel Xeon 5540 processors and 32GB of RAM, along with a Lenovo W510 mobile workstation with an Intel Core i7 processor and 8GB of RAM. I monitored the physical systems along with several virtual server systems running a variety of Windows and Red Hat server operating systems. Many of the Windows server systems (a mix of Windows Server 2003 R2 and 2008 R2) were also running Microsoft application servers including IIS and SQL Server 2005. I used VMware Workstation 7 on the Lenovo mobile workstation and Windows Server 2008 with the Hyper-V role enabled to host the virtual systems used in my test environment.
Based on information NetIQ SCM 5.8 gathered from my monitored systems, I was able to generate a wide range of reports. New in this version of SCM is a Web-based security and compliance dashboard that I used to provide restricted access to reports. This is useful for IT managers who want to provide access to security and compliance data without turning over the keys to the kingdom. For example, I was able to provide reports on a very small number of servers to members of an application group, thus limiting the knowledge of important security vulnerabilities in my test systems to only a select group of "need-to-know" administrators. The security and compliance dashboard is a significant improvement in NetIQ SCM 5.8. However, competitive products have this feature too.
The reporting tools--whether delivered through the Web-based dashboard or through the desktop application interface--proved able to deliver critical configuration information in a timely fashion. Because the tool can gather large amounts of configuration information, one of the chief tasks of IT security managers will be to work with business operations, auditors and executives to fine-tune data requests so that network resources or system productivity aren't compromised by requests for configuration data.
Working with NetIQ support personnel I was able to navigate reports and narrow search results so that I got a good overview of my systems while also keeping a lid on network bandwidth consumption. Because NetIQ SCM 5.8 can report on more than 100 different preconfigured templates and reports based on recommendations or requirements from NIST (National Institute of Standards and Technology), Sarbanes-Oxley, HIPAA, GLB and a host of other vulnerability or security-oriented groups, it's easy to go overboard with reporting. NetIQ SCM 5.8 has the ability to update configuration gathering templates, which IT managers should use on at least a quarterly basis, to ensure that the most current types of data are being collected for configuration reports. Although named the "autosync" feature, triggering the update was a manual process.