When considering an organization’s IT security, people tend to think too exclusively about firewalls and virus-guards – about guarding the borders, not what is within them. This can be a little short-sighted.
Suppose a worker uses an app that, by default, stores its data in an insecure location. If this application is already approved within the organization’s application estate, the likelihood is that the worker will be able to continue storing his data insecurely.
In a 2010 document, the Australian Defence Signals Directorate (DSD) outlined what it saw as the top four actions required to ensure security in an IT system:
- Patching operating systems and applications using auto-updates
- Patching third-party applications
- Restricting admin privileges to users who need them
- Whitelisting approved applications.
Three out of the four points aren’t about security per se; they’re simply about good systems management – an oft-forgotten but vital activity.
Ensuring Appropriate Systems Management
After virus-guards and firewalling, the next most obvious security issue is patching.
Generally, using traditional SCCM models, patching across a medium-to-large organization requires numerous distribution points. In a large, global organization this can lead to major costs. Traditional patch distribution models also tend to be quite bandwidth-hungry, which can risk either disruption to business or, again, major capital outlay.
However, patching is only a small part of the bigger issue. The vast majority of businesses have little idea of the number or type of applications in their application estate. A business cannot whitelist apps if it is unaware of what apps it has. If you don’t know which apps you have, you are left totally unaware of the harm they could be doing and the data they could be sharing. They could, for example, be storing confidential data in the cloud or allowing users to externalize unapproved data.
Patch, Audit, Maintain
The first solution is to ensure you have an appropriate mechanism in place for patching your various systems. Ideally any such solution should compensate for the key issues of bandwidth and infrastructure cost.
One example is to use a single patch image delivered across each WAN, which is then distributed in a peer-to-peer manner. This system effects dynamic bandwidth throttling in order to eliminate competition between IT and business traffic, and a high level of automation minimizes the need for manual intervention and desk-side visits.
In terms of understanding what apps are actually in your estate, auditing can provide a direct view of the software installed and active across the enterprise and removes the need for any guesswork. One issue in larger enterprises is the extent of the (often geographically dispersed) IT estate that needs to be audited, so using an approach that is highly automated will make the best use of IT worker resource.
Once an audit has been undertaken, a whitelist can be established and an automated process put in place to ensure that only whitelisted applications can be downloaded and to remove blacklisted applications. (As an added bonus of the auditing process, should your auditing software take account of actual app usage, businesses can then remove or redeploy licenses for unused apps, saving significant amounts of money.)
That said, in terms of whitelisting, it’s unrealistic to think a business can have total control over the apps a user will and will not use. If a user wants a particular app they will most likely find a way of downloading it, or else download it or something similar to a personal device.
The starting point for tackling this is obviously education. Businesses need to explain to their employees in depth what their security policies are, and why they are implemented.
Another route is to offer a wide array of pre-whitelisted applications to your employees via an enterprise app store. Given the general consumerization of IT, and the experience of most employees with consumer app stores, it makes sense to give them a choice while making available to them all the productivity tools they need.
Beyond the obvious cost savings and operational efficiencies, IT security is just one more reason why IT decision-makers should be patching, auditing and maintaining their application estates properly, and ensuring good overall systems management. Far from being a subsidiary issue, when it comes to system security, good system management is key.
About the Author
Sumir Karayi founded 1E in 1997 with the goal of driving down the cost of IT for organizations of all sizes by identifying and eliminating IT waste. Sumir pioneered PC power management, leads 1E’s focus on enabling enterprises to Run IT For Less, and has established a market-leading role for his company.