FullArmor Corp., a Boston-based Microsoft Gold Certified Partner, helps large organizations manage their information technology (IT) user policies and endpoint security with solutions based on Microsoft products and technologies, including the Active Directory Domain Services (AD DS), Group Policy, and the Windows PowerShell command-line interface.
By using the Microsoft Security Compliance Manager and the Microsoft IT GRC Process Management Pack for System Center Service Manager (which leverages the IT Compliance Management Series), FullArmor was able to add functionality that evolved FullArmor PolicyPortal into an end-to-end security and compliance solution. PolicyPortal is a software-plus-services offering, modeled using Microsoft Operations Framework (MOF) and built on top of the Windows Azure Services Platform, that secures and manages remote endpoints.
Situation
PolicyPortal was developed using unique technology that deploys Group Policy, the policy mechanism embedded in the AD DS environment that controls many security settings, to secure remote endpoints outside of AD DS, such as salespeople, portable computers, remote users, and branch offices.
In 2008, FullArmor moved PolicyPortal to Windows Azure, a comprehensive Microsoft services platform for cloud computing. In doing so, the company developed a flexible, scalable solution that could be deployed easily and that its customers could access faster, benefitting from extended endpoint policy-management features.
Microsoft Operations Framework
FullArmor used MOF 4.0 to help design PolicyPortal. MOF 4.0 contains specific guidance that helps IT improve service quality while reducing costs, managing risks, and strengthening compliance. MOF defines the core processes, activities, and accountabilities required to plan, deliver, operate, and manage IT services throughout their life cycle. Specifically, FullArmor looked to the Planning for Software-plus-Services companion guide for guidance in developing its software-plus-services offering.
During the planning phase of its solution, the Planning for Software-plus-Services guide helped FullArmor look at aspects such as capability, configurability, scalability, and manageability, all of which were planned and built into PolicyPortal based on MOF recommendations.
The MOF guidance was particularly valuable to FullArmor because it provided visibility into functionality that was still missing in FullArmor’s solution. It highlighted areas that FullArmor’s IT group needed to address to create a sustainable operational framework model that would provide IT administrators with an end-to-end security, compliance, and remediation solution.
Unfortunately, the functionality that FullArmor had identified as necessary to fill the gaps in its end-to-end compliance and security solution relied on technology that did not yet exist. Rather than scale up to create the required technology itself, FullArmor decided to wait and see what Microsoft would develop that it could integrate with its product.
Solution Accelerators
FullArmor IT was excited, then, when the Solution Accelerators Team previewed three new Solution Accelerators—the Security Compliance Manager, the Microsoft IT GRC Process Management Pack for System Center Service Manager, and the IT Compliance Management Series—to their partner community.
“I immediately recognized these new Solution Accelerators we had been invited to preview as the missing pieces of the puzzle that we had been waiting years for,” says FullArmor’s Chief Technology Officer (CTO) Danny Kim, a Microsoft MVP and recognized industry expert on Group Policy, AD DS, and Windows PowerShell scripting.
Microsoft Security Compliance Manager
Released in April 2010, the Security Compliance Manager is an end-to-end Solution Accelerator designed to help organizations plan, deploy, operate, and manage security baselines for Windows client and server operating systems and Microsoft applications. It provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate an organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.
The Security Compliance Manager also provides guidance and documentation incorporated into a new tool that enables access and automation of an organization’s security baselines in one centralized location.
Microsoft IT GRC Process Management Pack for System Center Service Manager
The Microsoft IT GRC Process Management Pack, which helps provide end-to-end compliance management and automation for client and server computers, is, at the time of this writing, being hosted in the Service Manager beta program.
IT Compliance Management Series
This series, combined with the power of the Microsoft IT GRC Process Management Pack for System Center Service Manager, is designed to help IT workers, managers, and partners configure Microsoft products to address specific IT GRC requirements.
Solution
With the availability of the Solution Accelerators and using the System Center Service Manager 2010 back end, which performs incident management, PolicyPortal can now not only evaluate compliance but also immediately remediate compliance issues.
PolicyPortal manages remote endpoints outside of AD DS by delivering Desired Configuration Management (DCM) packs and detecting compliance states. PolicyPortal consumes DCM data and applies it to roving endpoints using cloud-based services that extend the reach of the DCM baselines, bringing compliance to customers around the globe. From the DCM module, PolicyPortal generates an accompanying Group Policy object (GPO) that can be applied to remediate endpoints that drift from the baseline.
System Center Service Manager 2010 serves as a centralized database that logs incidents to be resolved through remediation and provides all the required compliance reporting.
The Security Compliance Manager manages security and configuration baselines. From an integration standpoint, the tool generated a lot of excitement at FullArmor because it enables the creation of DCM packs. Without the Security Compliance Manager, FullArmor would have had to develop a custom configuration management tool.
The Microsoft IT GRC Process Management Pack for System Center Service Manager enables compliance management, from the detection of a non-compliant configuration scenario to full remediation in the FullArmor solution.
By leveraging the available Solution Accelerators, PolicyPortal now offers a full, end-to-end compliance, security, and remediation life cycle with reporting capability that reflects the MOF framework after which it was modeled.
The Security Compliance Manager provides planning through the management and creation of DCM packs, which PolicyPortal then delivers and evaluates. PolicyPortal supports daily operations through an agent that detects an endpoint going out of compliance from the DCM baseline and uses associated GPOs to remediate it back into compliance.
The Security Compliance Manager restarts the cycle by allowing IT administrators to quickly adjust their baselines, modifying, updating, adding, or removing configurations based on feedback they receive from generated incidents.
Benefits
FullArmor noted several benefits of integrating the functionality of the Security Compliance Manager, the Microsoft IT GRC Process Management Pack for System Center Service Manager, and the IT Compliance Management Library.
Faster Time to Market
FullArmor’s ability to integrate rather than reinvent has reduced its research and development time-to-market. Its developers can focus on their core technology areas while still delivering a complete security solution.
Improved Automation
Before the release of the Solution Accelerators, when PolicyPortal detected a remote endpoint that was out of compliance, FullArmor had to monitor and report on the issue manually. Now, many of those functions are automated.
Immediate Remediation
Because each DCM has an accompanying GPO, remediation of an endpoint that has drifted out of compliance is immediate and automatic.
End-to-End Security Life Cycle
By pulling together the best-in-class technologies from Microsoft and FullArmor, PolicyPortal can deliver an end-to-end compliance and security life cycle from security baseline creation to industry compliance standards to remediation of the endpoint.