Tuesday, May 20, 2008

The Future of Desktop Security - Part 3 - Desktop Policy Management and Administration

In Part 3 of this series, I have presented enterprise desktop security, which incorporates traditional anti-virus and anti-malware features as well as desktop policy management, forensics, desktop lockdown and license control. I would like to make the argument that IT managers should focus solely on corporate desktop policies - devising them, administering them and enforcing compliance. There is a need to separate policies from execution.

Policy administration should be as simple as defining policies in plain text or in spreadsheets. Security software should enforce these policies automatically, and reports and dashboards that show compliance should be built into that software. In the enterprise business application market, several Business Process Management (BPM) companies have taken this policy management approach and have been successful with it. They call it business rules, and several BPM vendors offer solutions catering to this approach (Evelson, 2008).

Once Bitten, Twice Shy?
Today, corporate IT security managers focus their priorities incorrectly. They focus on detailed policy execution rather than on simple policy orchestration. Having been bitten by past anti-virus failures such as exposure to zero-day viruses, these managers are naturally paranoid about enforcing stricter security even if it comes at the cost of decreased flexibility. In many enterprises, IT is centralized with the sole notion of providing robust security. I feel this thinking is fundamentally flawed. In the balance between IT centralization and decentralization, IT security swings the pendulum unfairly towards centralization. The question then becomes whether IT policies themselves can be decentralized while the security policy remains safe. The answer is yes, as new technologies are emerging that cater exclusively to this.

To an IT security manager, the notion of authorizing “benign programs” exclusively is appealing. For example, policies such as the ones below should be the ones that IT security managers (in an ideal world) concern themselves with. Everything else is a matter of detail.

Example of Corporate Policies:
“Employees should not attach unauthorized external devices to corporate systems”
“Employees should not run personal MP3s and videos from corporate systems”
“Employees should not run unauthorized programs on corporate networks”

You might be wondering whether administration as simple as this is even possible. After all, most IT security managers spend the bulk of their effort doing exactly the opposite. Do technologies exist today that let IT security managers free themselves from mundane administration and prevention work and focus their energies instead on top-level policy and decision making on behalf of the company? In part four of this series, I have covered a list of software products that do policy-based administration and automation.

Granular Policy Management
Obviously, policy management needs to be flexible. One can envision layers of policies, with corporate-wide policy management at the top layer, where policies that are unique across the organization can be enforced. An example of a regional security policy is:
"Computers deployed for call center purposes should not allow personal emails and/or Instant Messenger."

One can extend this analogy all the way to team level and further to individual policies. The following diagram illustrates this notion.

In the area of IT security management, there is definitely an overlap between Desktop Asset Management and Configuration Management tools and software. In my opinion, this is one area that will be hotly contested by traditional vendors such as Novell Zenworks and Microsoft SMS and by newer players such as Bit9, DriveSentry etc.

Desktop Lockdown

Locking down or hardening the system refers to configuring the system so that it prevents unauthorized software from being installed on the desktop/laptop while not imposing such a restriction on legitimate software. There are a variety of reasons for locking down desktops; improving security and stability, reducing help desk noise, licensing loss, compliance and regulation are some of the chief ones.

As I said earlier, IT security managers are concerned about giving admin rights to individual users within the organization. By denying individual users admin rights, IT managers prevent a variety of unauthorized software installations and configuration changes on the desktop/laptop. However, the battle is only half won. Such centralized co-ordination means loss of flexibility. Individual users are forced to raise trouble tickets to make minor modifications or to install legitimate software (software that is actually whitelisted by the corporation), and then wait for IT to install it. This translates into frustration for the user and productivity loss for the company.

An alternative solution is to provide software-based "lock down". By combining lock down with granular policy management and whitelisting, corporations can strike a balance between flexibility and control. Thus, a locked-down PC can, for example, allow a user to install whitelisted software (note: this might require admin rights), while denying the installation of products on the gray and/or black list.
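
The layered policies and the whitelist/gray/black lockdown decision described above can be sketched in a few lines. This is an added example, not code from any product named in this series. The sheet columns, the "individual" scope names, the sample software names and the rule that a blacklist entry at any applicable layer wins are all assumptions made for illustration.

```python
import csv
import io

LAYERS = ["corporate", "regional", "team", "individual"]  # broadest to narrowest

# Constructed sample policy sheet, as it might be exported from a spreadsheet.
POLICY_SHEET = """layer,scope,software,list
corporate,*,pdf-reader,white
corporate,*,mp3-player,black
regional,call-center,instant-messenger,black
team,engineering,debugger,white
team,engineering,mp3-player,white
individual,alice,packet-sniffer,white
"""

def load_policies(text):
    """Parse the sheet into rule dicts, rejecting unknown layers or lists."""
    rules = list(csv.DictReader(io.StringIO(text)))
    for r in rules:
        if r["layer"] not in LAYERS or r["list"] not in ("white", "black"):
            raise ValueError(f"bad policy row: {r}")
    return rules

def classify(rules, membership, software):
    """Return (list, deciding_layer) for one program on one desktop.

    membership maps a layer to the desktop's scope, e.g. {"team": "engineering"}.
    """
    verdict = ("gray", None)  # software no rule mentions is gray-listed
    for layer in LAYERS:
        for r in rules:
            if r["layer"] != layer or r["software"] != software:
                continue
            if r["scope"] not in ("*", membership.get(layer)):
                continue
            if r["list"] == "black":
                return ("black", layer)  # assumed: any applicable blacklist entry wins
            if verdict[0] == "gray":
                verdict = ("white", layer)
    return verdict

def may_install(rules, membership, software):
    """Lockdown decision: only whitelisted software may be installed."""
    return classify(rules, membership, software)[0] == "white"

def compliance_report(rules, membership, installed):
    """Map each installed program that is not whitelisted to its list."""
    return {s: classify(rules, membership, s)[0]
            for s in installed if not may_install(rules, membership, s)}
```

With this sheet, the engineering team's whitelist entry for mp3-player does not override the corporate blacklist entry, and a call-center desktop with a debugger installed shows up in the report as gray-listed.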