That system's only as secure as its audit trail
Vendors respond to government demand for security tools that monitor
- By William Jackson
- Feb 18, 2005
SAN FRANCISCO - The message is clear to vendors: It's not enough to secure your network and data when working for the government; you must be able to document security efforts to meet a growing list of federal requirements.
Regulatory compliance was a major selling point of vendors showing their wares last week at the RSA Security Conference. Security products still encrypt, block and monitor, but they also document those processes and produce auditable logs. Chief among the regulations cited for government users are the Federal Information Security Management Act and the Health Information Portability and Accountability Act.
"The protection of data is a common theme for both the public and private sectors," said Dan Geer, chief scientist for Verdasys Inc. of Waltham, Mass., which makes Digital Guardian to monitor use of data.
The California Privacy Law has been an important technology driver, added Todd LaPorte, a sales manager for Utimaco Safeware AG of Germany. The law requires that companies notify customers if unencrypted personal information is compromised.
"It is almost a default national law," said LaPorte, noting that California ranks as the world's sixth largest economy.
Utimaco makes SafeGuard Easy software, which uses the Advanced Encryption Standard with 128- or 256-bit keys to encrypt either entire disks or disk sectors on all types of portable or removable memory devices.
Verdasys is promoting the value of its Digital Guardian platform for FISMA compliance. It creates an audit trail for all data use.
Managing configuration policy is an element of many security regulations. Company officials at Secure Elements Inc. of Herndon, Va., said FISMA led the company to develop its new C5 Enterprise Vulnerability Management suite. At the RSA conference, Secure Elements said it has a five-year blanket purchasing agreement with the Transportation Department for its C5 Automated Vulnerability Remediation tool, which handles policy enforcement, security patch management, configuration management and asset control.
DOT originally bought the software as a patch management tool, but "they quickly began to see the value it could provide under FISMA," Secure Elements CEO Ned Miller said.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.