Customer Solution Case Study

FullArmor Integrates Microsoft Solution Accelerators into PolicyPortal

OverviewCountry or Region: United StatesIndustry: Education, Financial Services, Government, Healthcare

Customer ProfileFullArmor provides software and services to large organizations such as Boeing, the Federal Bureau of Investigation, Eli Lilly, Wal-Mart, and Bank of America and has a customer base of more than 5 million users and 1,500 organizations worldwide.

Business SituationFullArmor used MOF, a Microsoft Solution Accelerator, to plan the development of a software-plus-services offering that supported a full IT operations framework. FullArmor wanted to expand its offering to create an end-to end security and compliance solution.

SolutionFullArmor adopted three additional Solution Accelerators—including the Security Compliance Manager—integrating the Microsoft-provided tools and technology with its product to create an end-to end security and compliance solution.

Benefits Improved automation Immediate remediation Faster to market End-to-end security life cycle

“By acting as an early adopter to emerging technologies in the Microsoft and Microsoft Partner ecosystem, we have been able to stay agile and innovate, generating much success in our solution delivery offerings.”

—Danny Kim, CTO, FullArmor

FullArmor Corp., a Boston-based Microsoft Gold Certified Partner, helps large organizations manage their information technology (IT) user policies and endpoint security with solutions based on Microsoft products and technologies, including the Active Directory Domain Services (AD DS), Group Policy, and the Windows PowerShell command-line interface.

By using the Microsoft Security Compliance Manager and the Microsoft IT GRC Process Management Pack for System Center Service Manager—which leverages the IT Compliance Management Series—FullArmor was able to include functionality that evolved FullArmor PolicyPortal, a software-plus-services offering modeled using Microsoft Operations Framework (MOF) and built on top of the Windows Azure Services Platform that secures and manages remote endpoints, into an end-to-end security and compliance solution.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

SituationPolicyPortal was developed using unique technology that deploys Group Policy, the policy mechanism embedded in the AD DS environment that controls many security settings, to secure remote endpoints outside of AD DS to sales people, portable computers, remote users, and branch offices.

In 2008, FullArmor moved PolicyPortal to Windows Azure, a comprehensive Microsoft services platform for cloud computing. In doing so, the company developed a flexible, scalable solution that could be deployed easily and that its customers could access faster, benefitting from extended endpoint policy-management features.

Microsoft Operations FrameworkFullArmor used MOF 4.0 to help design PolicyPortal. MOF 4.0 contains specific guidance that helps IT improve service quality while reducing costs, managing risks, and strengthening compliance. MOF defines the core processes, activities, and accountabilities required to plan, deliver, operate, and manage IT services throughout their life cycle. Specifically, FullArmor looked to the Planning for Software-plus-Services companion guide for guidance in developing its software-plus-services offering.

The Planning for Software-plus-Services guide helped FullArmor during the planning phase of its solution to look at things such as capability, configurability, scalability, and manageability—all aspects that were planned and built into PolicyPortal based on MOF recommendations.

The MOF guidance was particularly valuable to FullArmor because it provided visibility into functionality that was still missing in FullArmor’s solution. It highlighted areas that FullArmor’s IT group needed to address to create a sustainable operational framework model that would provide IT administrators with an end-to-end security, compliance, and remediation solution.

Unfortunately, the identified functionality that FullArmor needed to fill the gaps in creating its end-to-end compliance and security solution relied on technology that did not yet exist. Rather than scale up to tackle the creation of the technology required, FullArmor decided to wait and see what Microsoft would develop that they could integrate with their product.

Solution AcceleratorsFullArmor IT was excited, then, when the Solution Accelerators Team previewed three new Solution Accelerators—the Security Compliance Manager, the Microsoft IT GRC Process Management Pack for System Center Service Manager, and the IT Compliance Management Series—to their partner community.

“I immediately recognized these new Solution Accelerators we had been invited to preview as the missing pieces of the puzzle that we had been waiting years for,” says FullArmor’s Chief Technology Officer (CTO) Danny Kim, a Microsoft MVP and recognized industry expert on Group Policy, AD DS, and Windows PowerShell scripting.

3

“We found MOF very helpful in planning the development of our software-plus-services offering. It not only offered specific guidance around things like availability, configurability, and scalability, it actually helped us identify what was still missing.”

—Danny Kim, CTO, FullArmor

Microsoft Security Compliance ManagerReleased in April 2010, the Security Compliance Manager is an end-to-end Solution Accelerator designed to help organizations plan, deploy, operate, and manage security baselines for Windows client and server operating systems and Microsoft applications. It provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate an organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies.

The Security Compliance Manager also provides guidance and documentation incorporated into a new tool that enables access and automation of an organization’s security baselines in one centralized location.

Microsoft IT GRC Process Management Pack for System Center Service Manager The Microsoft IT GRC Process Management Pack is, at the time of this writing, being hosted in the Service Manager beta program, which helps provide end-to-end compliance management and automation for client and server computers.

IT Compliance Management SeriesThis series, combined with the power of the Microsoft IT GRC Process Management Pack for System Center Service Manager, is designed to help IT workers, managers, and partners configure Microsoft products to address specific IT GRC requirements.

SolutionWith the availability of the Solution Accelerators and using the System Center Service Manager 2010 back end, which performs incidence management, PolicyPortal can now not only evaluate compliance but also immediately remediate compliance issues.

PolicyPortal manages remote endpoints outside of AD DS by delivering Desired Configuration Management (DCM) packs and detecting compliance states. PolicyPortal consumes DCM data and applies it to roving endpoints using cloud-based services that extend the reach of the DCM baselines, bringing compliance to customers around the globe. From the DCM module, PolicyPortal generates an accompanying Group Policy object (GPO) that can be applied to remediate endpoints that drift from the baseline.

System Center Service Manager 2010 serves as centralized database that logs incidences to be resolved through remediation and provides all the compliance reporting that has to be done.

The Security Compliance Manager manages security and configuration baselines. From an integration standpoint, the tool generated a lot of excitement from FullArmor, as it provides the creation of DCM packs. Without the Security Compliance Manager, FullArmor would have had to develop a custom configuration management tool.

The Microsoft IT GRC Process Management Pack for System Center Service Manager enables compliance management, from the detection of a

4

“By participating as early adopters, Partners like FullArmor are given the opportunity to provide feedback to Microsoft about what features they want to enable. This valuable relationship helps Microsoft build tools, make improvements, and . . . take into consideration the needs of the larger Partner community. Ultimately, it enables Microsoft to build the products and tools that meet their Partners’ needs.”

—Vlad Pigin, PM,Microsoft Solution Acclerators Team

non-compliant configuration scenario to full remediation in the FullArmor solution.

By leveraging the available Solution Accelerators, PolicyPortal now offers a full, end-to-end compliance, security, and remediation life cycle with reporting capability that reflects the MOF framework after which it was modeled.

The Security Compliance Manager provides planning through the management and creation of DCM packs, which PolicyPortal then delivers and evaluates. PolicyPortal supports daily operations through an agent that detects an endpoint going out of compliance from the DCM baseline and uses associated GPOs to remediate it back into compliance.

The Security Compliance Manager restarts the cycle by allowing IT administrators to quickly adjust their baselines, modifying, updating, adding, or removing configurations based on feedback they receive from generated incidences.

BenefitsFullArmor noted several benefits of integrating the functionality of the Security Compliance Manager, the Microsoft IT GRC Process Management Pack for System Center Service Manager, and the IT Compliance Management Library.

Faster Time to MarketFullArmor’s ability to integrate rather than reinvent has reduced its research and development time-to-market. Its developers can focus on their core

technology areas while still delivering a complete security solution.

Improved AutomationBefore the release of the Solution Accelerators, when PolicyPortal detected a remote endpoint that was out of compliance, FullArmor had to monitor and report on the issue manually. Now, many of those functions are automated.

Immediate RemediationBecause each DCM has an accompanying GPO, remediation of an endpoint that has drifted out of compliance is immediate and automatic.

End-to-End Security Life CycleBy pulling together the best-in-class technologies from Microsoft and FullArmor, PolicyPortal can deliver an end-to-end compliance and security life cycle from security baseline creation to industry compliance standards to remediation of the endpoint.

5

For More InformationMicrosoft Solution AcceleratorsSolution Accelerators are tools and guidance that help solve deployment, planning, and operational IT problems. They are provided free of charge and fully supported.

For more information about Microsoft Solution Accelerators, go to: www.microsoft.com/solutionaccelerators

For more information about the Security Compliance Manager, go to: http://www.microsoft.com/scm

For more information about Microsoft Operations Framework, go to: www.microsoft.com/mof

For more information about the Microsoft IT GRC Process Management Pack for System Center Service Manager, go to: http://go.microsoft.com/fwlink/?LinkId=199860

For more information on the IT Compliance Management Series, go to: www.microsoft.com/itcms