Smarter Endpoint Management: Simplify Baseline Security Auditing and Compliance with IBM Tivoli

More endpoints, less security

Tivoli Beat. A weekly IBM service management perspective.

For organizations today, the need for comprehensive, flexible, and adaptive endpoint security has gone from "major" to "critical."

The number, nature, capabilities, and business utilization of endpoints (which now commonly include mobile devices like smartphones and tablets) have all rapidly escalated in recent years. And all too often, organizations have no effective way of managing the endpoint infrastructure to ensure that its business value is high, while the costs and risks it generates are low.

If you imagine an infrastructure of tens of thousands of different kinds of endpoints, and multiply that by the number of ways they all access business data and services, you get a sense of just how difficult endpoint security has really become.

Also consider that the organization's security policies need to support government regulations, such as HIPAA and the Sarbanes-Oxley Act, that specify how organizations should monitor and manage sensitive data over time.

Keeping endpoints in compliance can be remarkably difficult, particularly given the fact that endpoint configurations and software typically change more frequently with an increasingly mobile workforce.

IBM Endpoint Manager offers hyper-efficient baseline auditing and remediation

Fortunately, the endpoint management puzzle recently got a lot easier to solve with the advent of the IBM Endpoint Manager family. This offering provides a centralized, exceptionally efficient solution that organizations can use to accurately assess endpoint security—whether holistically, or for a specific endpoint or any group of endpoints—and make any changes necessary to improve security. And as a direct result of these capabilities, regulation compliance, too, becomes a much more straightforward matter.

"Because the agent is doing most of the actual work—not the management server—a single IBM Endpoint Manager server can typically support up to a quarter million endpoints. In this way, it functions as a truly centralized point of command—a single pane of glass to oversee even the largest, most diverse, and most distributed endpoint infrastructures."

How does the solution work? IBM Endpoint Manager enables organizations to create security baselines to meet their specific requirements. These baselines can be easily created by leveraging a library of over 5,000 best practice compliance settings that are included, out of the box, and tailoring them to meet the organization’s requirements.

This library provides support for standards such as the FDCC (Federal Desktop Configuration Control) and SCAP (Security Content Automation Protocol) standards. And specific regulations such as HIPAA can be supported by tailoring the baseline for the organization’s specific IT infrastructure and business processes. IBM Endpoint Manager also supports OVAL (the Open Vulnerability and Assessment Language), which specifically focuses on security capabilities and configuration.

Once the organization has created a security baseline, it’s time for the IBM Endpoint Manager intelligent agent to take over. The agent evaluates the settings and status of each endpoint, relative to the security baseline. In many cases, the agent can even automatically correct or remediate a condition on the endpoint to bring the endpoint into compliance with the security policy.

Subsequently, the agent reports the status of the endpoint back to the centralized management server. The management server, in turn, aggregates the information coming from all of the endpoints, and presents it via a clear, intuitive management console. Managers can use this console to ask and answer security-relevant questions such as: How many endpoints have X security patch? Which endpoints need a more recent version of Y middleware? What percentage of Windows-based endpoints has the latest firewall settings?

Based on the answers, automated or manual updates can be made to strengthen endpoint security. Additionally, the baseline itself may be updated to provide an even higher standard of security for all endpoints in the organization. And since the Endpoint Manager intelligent agent is continually monitoring the status of the endpoint for compliance with the baseline, any deviations can either be automatically corrected, or reported back to the centralized management server for additional action. For example, the agent can detect that a required patch is missing, and automate the action to download and apply that patch.

Because the agent is doing most of the actual work—not the management server—a single IBM Endpoint Manager server can typically support up to a quarter million endpoints. In this way, it functions as a truly centralized point of command—a single pane of glass to oversee even the largest, most diverse, and most distributed endpoint infrastructures.

Keep tabs on a changing network—and rapidly address rogue endpoints

Over time, as endpoint status and configurations change, the solution can also detect those changes—revealing to security managers how certain endpoints now deviate from the security policy, and also giving managers the power to reconfigure those endpoints properly. That's a real point of distinction compared to competing solutions, which often only assess security status but provide no direct and continuous method of security enforcement.

Should it be necessary for a particularly extreme case, IBM Endpoint Manager can also quarantine endpoints.

Suppose an endpoint's security configuration is so far out of specification with the security baseline that a network-driven reconfiguration or software provisioning process would be too slow to meet the organization's needs. In such a situation, Endpoint Manager can actually block the endpoint from conducting any network activity, effectively preventing it from causing harm until such time as it can be secured properly.

Even rogue endpoints that may have been added in an unauthorized or unexpected way by non-IT employees can be handled by the solution. Thanks to its discovery capabilities, those endpoints can be automatically found, then updated or reconfigured as needed to lock the endpoints down—fast—and render them as secure as necessary.

Support for vendor-independent security benchmarks

In the very near future, the solution will also be augmented to incorporate additional security best practices and standards.

For example: the security benchmarks created and maintained by the Center for Internet Security (CIS) (link resides outside of, a trusted independent advisor on security topics.

These benchmarks have been jointly developed by leading security experts from the private sector, government agencies, and academic experts and are already in widespread use in Europe and other areas around the globe. Beyond any particular vendor's insights, they offer a true consensus perspective—the best practices that have been repeatedly proven in many different environments and business contexts to improve organizational security in a proactive, rapid, and effective manner.

Over time, IBM intends to enhance Endpoint Manager to support a growing number of the CIS benchmarks. And, of course, as new benchmarks emerge they will be gradually added to the product.

Additional information

Recent Articles

Contact IBM

Considering a purchase?

Pulse Comes to You


Pulse Comes to You (PCTY) 2012 delivers the experience, value, and education of Pulse 2012 around the world with local events. IBM Executives and Industry Leaders will share how Integrated Service Management can deliver the Visibility Control Automation™ needed to deliver differentiated services and build competitive advantage on a Smarter Planet.

Find cities and dates

Featured community


Leverage and contribute to the collective wisdom around Tivoli

Engage the community