When the 19th annual Software and Information Industry Association’s Codie Awards are announced on May 18 in San Francisco, Configuresoft’s Enterprise Configuration Manager (ECM) may be one of the winners. Already named a finalist in the best Systems Management Solution category (it was selected from a field of more than 800 entries), the ECM product offers a great way to configure and secure the networks of large, complex organizations.
Configuresoft, Inc. is headquartered just outside Colorado Springs and employs some of the original founders of Mission Critical Software (which merged with NetIQ) and some of the original developers of Microsoft Operations Manager. Boasting seven of the top 25 Fortune companies as customers, Configuresoft’s core products are ECM and Security Update Manager (SUM). One of the largest customers using this scalable product has 4,700 servers and nearly 75,000 workstations.
TechRepublic recently spoke to Randy Streu, vice president of product management at Configuresoft. As Streu explained, studies from Carnegie Mellon and Gartner show that 80 percent of outages and 90 percent of security breaches are due to misconfigurations. And 100 percent of these problems come as surprises because IT has no current capabilities for continuous configuration management. The solution was to implement a product that is wholly focused on true configuration management, which gives the IT manager unprecedented knowledge, command, and control over the Windows environment. ECM is currently Windows-only, but the plan is to take it cross-platform at the end of Q3 this year.
According to Streu, the ECM product benefits everyone from IT managers (enabling operations and security oversight, asset management, and licensing management) to network administrators (ECM, with its SUM add-on module, will automatically find and deploy patches). With its robust structure, it can streamline the processes for reporting and analysis, standardization and compliance, change management, and power administration. “ECM’s Compliance module allows an organization to manage configuration drift by modeling what they want their machines to look like in a template. This way, they can easily detect what’s been added, and take steps to reverse those changes,” Streu said.
The business benefits of ECM include:
- Lower total cost of ownership (you correct configuration problems before they result in security breaches or downtime).
- Centralized control and visibility (you can track planned and unplanned changes to machines, make changes, and manage projects).
- Enforced compliance with any number of standard configurations.
ECM increases security with:
- Centralized Vulnerability Assessments (i.e., which machines are vulnerable to certain types of attacks).
- Monitoring for unwanted changes (unapproved software downloads by users).
- Centralized Event Log consolidation and audit.
How it works
ECM’s central machine collects 20,000 to 80,000 data points from every machine it manages, then puts that data into a central SQL 2000 database. This gives the IT shop a central asset and security database that it can use for reporting and analysis, compliance, standardization, change management, and power administration capabilities. “For every machine that we want to manage, we push out a DCOM (Distributed Component Object Model) to that box by default. It’s a hybrid agent approach because we send an executable over to the machine, but it lies dormant on disk, not taking up CPU or RAM until the collector wakes it up.” IT can wake up the remote process using the DCOM protocol and instruct it to collect data and/or make changes, then shut it right back down. This lets you get the benefits of distributed computing without the overhead of having a process run all the time.
Streu explains, “The first time I talk to a machine, I baseline it or snapshot it. I compress that, encrypt it, and send it across the wire, and I stuff all that data into the database. The next time I go back and talk to that machine, I wake the DCOM component up and ‘ask’ what’s different about it since the last time we ‘talked.’ It does the delta calculation over there, and I shut it right back down. It sends a tiny bit of data back to me. This is what lets us scale across thousands of machines and lets us see the configuration drift that’s happening.” Configuration drift is the kind of thing that causes help desk tickets and downtime.
The kind of data that is collected includes general asset information, such as the manufacturer, the BIOS revision, and the type of machine (e.g., a Dell laptop). It can also collect the entire registry from a machine, all its running processes, all the files on the box, all the security data, etc. The architecture of ECM also allows IT to run thousands of data reports off the database without hitting the network.
ECM also addresses the issue of compliance. It offers the ability to create a set of rules that define what your standards are. Configuresoft has prepackaged many of the SANS and Microsoft security guidelines for you, but you can also create your own. When you run the rules, ECM will point you to non-compliant machines and allow you to put them into compliance simply by highlighting the data and clicking Enforce.
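The baseline-and-delta exchange Streu describes and the template-based compliance check, sketched as an added example that is not Configuresoft's code. The setting names, values and function names are constructed for illustration, and the digest check is an assumed way for the collector to notice that its stored baseline no longer matches the machine.

```python
import hashlib
import json

def digest(snapshot):
    """Stable SHA-256 over a snapshot so both sides can confirm they agree."""
    blob = json.dumps(snapshot, sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()

def compute_delta(baseline, current):
    """Agent side: report only what differs from the last collected state."""
    return {
        "added": {k: current[k] for k in current.keys() - baseline.keys()},
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": {k: current[k] for k in current.keys() & baseline.keys()
                    if current[k] != baseline[k]},
        "digest": digest(current),
    }

def apply_delta(stored, delta):
    """Collector side: rebuild the machine's current state from the delta."""
    rebuilt = {k: v for k, v in stored.items() if k not in delta["removed"]}
    rebuilt.update(delta["added"])
    rebuilt.update(delta["changed"])
    if digest(rebuilt) != delta["digest"]:
        raise ValueError("stored baseline is out of sync; re-baseline the machine")
    return rebuilt

def violations(snapshot, template):
    """Compliance: settings that differ from the desired-state template."""
    return {k: (snapshot.get(k), want) for k, want in template.items()
            if snapshot.get(k) != want}

# Constructed sample data: setting names and values are illustrative only.
BASELINE = {"service:Telnet": "disabled", "account:Guest": "disabled",
            "software:ExampleApp": "1.0"}
CURRENT = {"service:Telnet": "running", "account:Guest": "disabled",
           "software:UnapprovedTool": "2.3"}
TEMPLATE = {"service:Telnet": "disabled", "account:Guest": "disabled"}

if __name__ == "__main__":
    delta = compute_delta(BASELINE, CURRENT)
    print(delta)                                    # only the drift crosses the wire
    print(apply_delta(BASELINE, delta) == CURRENT)  # collector view matches machine
    print(violations(CURRENT, TEMPLATE))            # what an enforce step would reset
```

The delta carries three entries regardless of how many unchanged settings the snapshot holds, which is the property that lets the collector poll thousands of machines cheaply.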
ECM 4.5 offers some new features, including:
- Automated compliance enforcement (not only shows you where a machine is out of compliance, but can put it back into compliance when you schedule it to).
- Compliance Benchmarking Wizard (ability to shake out differences between machines).
- Enhanced Compliance engine.
- HTTP-enabled communications.
- ECM dashboard (introduces “configuration at a glance”).
- New data sources (deeper NTFS permissions data, including Audit settings).