IT security and compliance are at the top of everyone’s agenda right now, and for good reason. The news over the past year seemed to be all about companies being breached in every industry.
These are hardly new problems, and any responsible company has been investing in IT security and compliance for a long time. The problem is that the environment has changed, and the way the IT industry addresses security and compliance has not kept up.
In particular, there are a number of distinctions and disconnections that are more a product of technology and process limitations than of real differences in approach. “Patching”, “security” and “compliance” are often seen as distinct activities, implemented with different tools and sometimes even under different teams. At their core, though, all of them share the same characteristics and requirements. In the same way, the reasons behind these different activities may vary – some things are done as best practices, while others are mandated from outside – but the process is not that different.
There is a certain state that we need to work towards, there is the real world, which is always some distance away from that desired state, and there is the plan to get to the desired state or at least as close as possible.
This all seems very simple, but the problem we have – the reason why the last year was a never-ending parade of bad IT security news – is that this seemingly simple process has become disconnected. As IT became more complex, security had to become a full-time job. Today, dedicated infosec teams have become isolated from IT operations, and there is a communications gap between them. The two teams use different processes and even different tools, and all too often communication between them falls into the SecOps Gap.
Today, BMC and Qualys announce a new partnership to close the SecOps gap. Qualys is a great tool for vulnerability assessment, and infosec teams love it. In turn, BMC BladeLogic is a great tool for IT operations, and sysadmins love it. The problem is that communication between those two teams was all too often limited to emailing ten-thousand-line spreadsheets around. This is not ideal for anyone – so instead we built a SecOps Portal where users can see the current state of their environment at a glance, combining information from both Qualys and BladeLogic, and trigger automated actions to resolve vulnerabilities and document what has been done.
This unified approach gives everyone what they need. Response time to vulnerabilities is accelerated enormously, while fixes (whether patches or configuration changes) are deployed in a controlled manner without disrupting users of those systems.
We have been using this approach with some early adopters for some time now (see “BMC and Heartbleed Create New Security/Ops Software Class”) and we are now ready to announce it more widely.
To request more information, please fill in the form at www.bmc.com/CloseSecOpsGap.
Let’s work together to make the security news in 2015 very boring indeed!
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.