Tripwire predicts end to onerous audits

Change management software specialist claims new suite offers "continuous compliance"

Tripwire has predicted that compliance audits could become less onerous and even less frequent following today’s unveiling of the latest version of its change management software suite.

The company said that the new Enterprise 7 suite will be available from next month. It adds functionality that gives firms real-time data on the configuration and compliance status of their IT systems, which Tripwire says will allow them to attain "continuous compliance" with internal and external policies and regulations.

Paul Gostick, marketing manager for Europe at the company, said that the integration of Tripwire's existing change management capabilities with new configuration assessment functionality – capable of monitoring a firm's IT systems against a compliant "baseline" state – means the suite can tell managers in real time whether their systems are compliant and whether a proposed IT change would lead to a policy breach.

"What this functionality gives you is information that allows you to achieve continuous compliance," Gostick said. "The problem with the current audit-based approach to compliance with regulations such as PCI [payment card industry security standard] and SOX [Sarbanes-Oxley] is that it is a matter of fact and after the event. Continuous compliance information helps you to prevent compliance breaches in the first place and avoid what has become known as the ‘TK Maxx incident’."

As well as reducing the risk of compliance and data breaches, Gostick argued that automated compliance management suites, such as Tripwire's, can also reduce the cost and frequency of both external and internal IT audits.

"In reality, governance practices mean that third-party audits will have to continue," Gostick admitted. "But what these systems do mean is that audits become far simpler because you have an automated audit trail, which means the cost will go down. Over time, as this technology is more widely deployed, we could see fewer audits being required."

Industry experts agreed that automated change and IT management systems are becoming an essential element of large firms' compliance strategies. Kosten Metreweli, vice-president of marketing and alliances at datacentre management software specialist Tideway Systems, said that compliance audits could soon be impossible without automated system monitoring and management capabilities. "We are approaching a point where compliance is so complicated it cannot be attained without a degree of automation," he said. "The manual cost of audits is getting prohibitive and, indeed, the scale of IT infrastructures means it is starting to become impossible to undertake accurate audits manually."

Blair Kantolinna, business development manager for Europe at IT management software vendor BMC, added that management software solutions had now matured to a stage where such automation was relatively easy to deploy.

"It used to be possible [to automate much of your IT compliance], but it required a massive integration effort between the component level management systems and the high-end process management systems," he explained. "What has changed in the last three years is that there is a far greater level of integration between the different parts of the management stack, which enables automation out of the box."

However, Struan Robertson of law firm Pinsent Masons argued that although automated change management systems have a useful role to play in enhancing firms' compliance processes – reducing the risk of legal breaches and speeding up compliance audits – it is wrong for firms to see them as a "silver bullet", and that they are unlikely to limit the frequency of audits.

"Compliance isn't always a binary test, and software will struggle with legal nuances," Robertson said. "For example, software can aid compliance by stopping someone installing software on an office computer, or it can determine whether a financial report has been filed on time. But it's less effective at determining whether a company complies with data protection rules on the collection and transfer of personal information, or FSA rules on anti-money laundering procedures."

Gostick acknowledged that while Tripwire's suite would help firms monitor whether or not they are compliant, it could not make them compliant; firms deploying the system may therefore also have to change their processes to attain regulatory compliance.

In addition to the new compliance monitoring capabilities, Tripwire Enterprise 7 also features enhanced network management functionality that can automatically "roll back" unauthorised changes at the network device level.

Gostick added that integration with IT management software from vendors including BMC, IBM and HP means that users can also use the new suite to help reverse unauthorised changes to applications and systems higher up the IT stack.
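The three mechanisms the article attributes to the suite (comparing a system against a compliant baseline, checking whether a proposed change would breach policy before it is made, and rolling back unauthorised changes while keeping those that change management approved) reduce to a small amount of logic once configuration is treated as data. The following is an added illustration written for this page, not Tripwire's own code and not a description of how Tripwire Enterprise 7 is implemented. The sshd-style settings, the policy rules and the "approved change" record are all constructed for the example.

```python
"""Baseline-drift detection, policy pre-check and roll-back over a config snapshot.

Added example for illustration only; not Tripwire's code. The settings,
policy rules and approved-change record below are constructed, not real data.
"""
import hashlib
import json
from typing import Callable, Dict, List, Optional, Tuple

Config = Dict[str, str]

# Constructed "compliant baseline" for one host's sshd_config.
BASELINE: Config = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "3",
    "Port": "22",
}

# Constructed policy: (setting, predicate on its value, human-readable rule).
POLICY: List[Tuple[str, Callable[[str], bool], str]] = [
    ("PermitRootLogin", lambda v: v == "no", "root login over SSH must be disabled"),
    ("PasswordAuthentication", lambda v: v == "no", "password auth must be disabled"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "MaxAuthTries must be <= 4"),
]


def fingerprint(config: Config) -> str:
    """SHA-256 over a canonical serialisation. Storing this beside the baseline
    lets you detect tampering with the baseline itself, not just with the host."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def detect_drift(baseline: Config, current: Config) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {setting: (baseline_value, current_value)} for every difference.
    A setting present on only one side is reported with None for the other."""
    drift = {}
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            drift[key] = (old, new)
    return drift


def policy_violations(config: Config) -> List[str]:
    """Evaluate every rule; a missing setting counts as a violation (fail closed)."""
    violations = []
    for setting, ok, description in POLICY:
        value = config.get(setting)
        if value is None or not ok(value):
            violations.append(f"{setting}={value!r}: {description}")
    return violations


def would_breach(current: Config, proposed: Config) -> List[str]:
    """Pre-change check: apply the proposed change to a copy and report the
    violations it would introduce, before anything touches the real system."""
    candidate = dict(current)
    candidate.update(proposed)
    return policy_violations(candidate)


def roll_back(baseline: Config, current: Config, approved: Dict[str, str]) -> Tuple[Config, List[str]]:
    """Revert every drifted setting not covered by an approved change.
    `approved` maps setting -> value that change management authorised.
    Returns the corrected config and the list of settings that were reverted."""
    corrected = dict(current)
    reverted = []
    for key, (old, new) in detect_drift(baseline, current).items():
        if approved.get(key) == new:
            continue  # authorised change: keep it (and re-baseline afterwards)
        if old is None:
            corrected.pop(key, None)  # setting did not exist in the baseline
        else:
            corrected[key] = old
        reverted.append(key)
    return corrected, reverted


if __name__ == "__main__":
    # Constructed current state: one authorised change (Port 22 -> 2222 under a
    # change ticket) and one unauthorised change (root login switched on).
    current = dict(BASELINE, Port="2222", PermitRootLogin="yes")
    approved = {"Port": "2222"}
    print("drift:", detect_drift(BASELINE, current))
    print("violations now:", policy_violations(current))
    print("would MaxAuthTries=10 breach?", would_breach(BASELINE, {"MaxAuthTries": "10"}))
    fixed, reverted = roll_back(BASELINE, current, approved)
    print("reverted:", reverted, "| policy clean after roll-back:", not policy_violations(fixed))
```

Two points of design are worth noting. The pre-change check (`would_breach`) is what turns after-the-fact audit evidence into prevention: it runs against a copy, so a change that would violate policy is refused before it lands. And roll-back is driven by the change record, not by the policy: a drift that is policy-clean but unapproved (the port change, had no ticket existed) is still reverted, because the control being enforced is "no change without authorisation", not merely "no non-compliant state".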

The vendor also announced plans to extend its support for configuration management databases (CMDBs), including tighter integration, due in a few months, between Tripwire's technology and BMC Atrium 2.0 CMDB, HP Universal CMDB and CA CMDB.

"The current prediction from Gartner is that 70 percent of CMDB deployments will fail because of problems with the integrity of the data kept in the repository," said Gostick. "Integrating the CMDB with our ability to monitor system changes against a compliance baseline means firms will be able to ensure the integrity of the information."