Policy administration should be as simple as defining it in plain text or in spreadsheets. Security software should enforce these policies automatically. Reports and dashboard should be built into these softwares which should report the compliance. In the enterprise business application market, several Business Process Management (BPM) companies have taken this policy management approach and have been successful with it. They call it business rules and several BPM vendors offer solutions catering to this approach (Evelson, 2008).
Once Bitten, Twice Shy?
To an IT security manager, the notion of authorizing “benign programs” exclusively is appealing. For example, policies such as the ones below should be the ones that IT security managers (in an ideal world) concern themselves with. Everything else is a matter of detail.
Example of Corporate Policies:
“Employees should not attach unauthorized external devices to corporate systems”
“Employees should not run personal MP3s and videos from corporate systems”
“Employees should not run unauthorized programs on corporate networks”
You might be wondering, if simple administration such as these are even possible? After all, most IT security managers spend the bulk of their effort exactly doing the opposite. Do such technologies exist today where IT security managers can free themselves from the mundane administration and prevention work and focus their energies instead on top-level policy and decision making on behalf of the company? In part four of this series, I have covered a list of softwares that do policy based administration and automation.
Granular Policy Management
One can extend this analogy all the way to team level and further to individual policies. The following diagram illustrates this notion.
Locking down or hardening the system refers to a configuration of the system such that it prevents unauthorized software from being installed on the desktop/laptop while not imposing such a restriction on legitimate software. There are a variety of reasons for locking down desktops - improving security and stability, reducing help desk noise, licensing loss, compliance and regulation are some of the chief reasons.
As I said earlier, IT security managers are concerned about giving admin rights to individual users within the organization. By denying individual users the admin rights, IT managers prevent a variety of unauthorized software installation and configuration changes on the desktop/laptop. However, the battle is only half won. Such a centralized co-ordination means loss of flexibility. Individual users are forced to raise trouble tickets to make minor modifications or to install legitimate software (that are actually whitelisted by the corporation), wait for the IT to install them. This translates into frustration for the user and productivity loss for the company.
An alternative solution is to provide software based "lock down". By combining lock down with granular policy management and whitelisting, corporates can bring the balance between flexibility and control. Thus, a locked down PC, for example allow an user to install a whitelisted software (note: this might require admin rights), while denying the installation of products in gray and/or black list.