Securing the enterprise desktop is more complicated and costly than ever, challenging not only small and medium-sized businesses, but also larger enterprises contending with today's security threats. Many IT decision-makers are considering whether to outsource their desktop security in order to save money, improve protection and have access to specialized expertise.
But outsourcing security is not without risks. The stability and trustworthiness of Security as a Service (SaaS) providers often come into question, as does their ability to protect an organization's data.
Desktop protection challenges
Desktop protection is no small matter. IT must defend against numerous types of attacks that can result in lost or compromised sensitive data, performance degradation or inoperable systems.
Such protection requires a number of routine tasks, such as installing and maintaining antivirus and antispyware software and ensuring that their accompanying dictionaries are being updated.
In addition, desktop administrators must regularly scan systems for infection and vulnerabilities, manage desktop firewalls, and update security patches. IT pros must also analyze log data, filter email messages for spam and malware, monitor activity and manage alert notifications.
Admins must provide round-the-clock vigilance against attacks that are constantly changing and becoming increasingly sophisticated, while adhering to company policies and complying with regulations such as the Sarbanes-Oxley Act. And if any security problems do arise, they must be ready to act immediately.
Enterprise desktop protection requires a highly trained and experienced staff whose primary responsibility is to implement an endpoint device management strategy. Such staffers are on call day and night and must stay abreast of new threats to protect the corporate network and desktops. In addition, they must proactively manage and monitor systems on an ongoing basis.
Few small and midsize businesses have the resources to maintain the dedicated staff necessary to protect their systems, leaving the organization underdefended against the onslaught of worms, Trojan horses, denial-of-service attacks and other menaces.
Yet even larger enterprises might be hard-pressed to come up with the dedicated staffs needed to protect their systems. In-house personnel means salaries, payroll taxes and benefits, along with the training required to stay current on security issues. The full costs of such a staff, when combined with the expense of software licenses and other outlays, can total much more than many managers are willing to pay, particularly when they know that outsourcing capabilities are waiting in the wings.
Even if an organization can afford to allocate the resources for such a specialized staff, finding qualified individuals has become increasingly difficult. This is a common complaint throughout the industry and has forced IT to look outside their organizations for security expertise. Yet even the right personnel have a tough time protecting against attacks that arrive as soon as a desktop security flaw is discovered.
Security as a Service risks to the enterprise
Despite potential cost savings, outsourcing can be risky, especially if the service provider is not financially stable. A service provider that goes out of business can spell disaster for the company that outsources to that provider.
If that happens, desktops might no longer be scanned for vulnerabilities, and virus dictionaries might no longer be updated. Confidential data might also be compromised if an organization's email resides on a SaaS provider's servers. Who has access to those servers if the service provider suddenly goes out of business? Is data still being protected at that point? And how will the customer's employees send and receive email?
A service provider's trustworthiness might also be brought into question. Who are the people who work for that provider? Have background checks been performed? Have references been verified? All it takes is one rogue employee to create a great amount of upheaval.
If, for example, a disgruntled employee has administrative privileges to the customer's desktops, he or she could do significant damage before being detected. An organization that outsources its security is relying on the service provider to vet its workers with the same diligence the organization would use in hiring its own employees. Anything less could end up a very costly compromise.
Even if an organization trusts the service provider, that organization is still at the mercy of the provider to have processes that fully protect the organization's systems and its data. How does the service provider grant access to resources? How do they protect against unauthorized access to the enterprise's resources?
No company would want to do business with a service provider that's careless with passwords or network permissions. But it can be difficult to discover details about the SaaS provider's inner workings until it's too late. The same is true for how the service provider handles the customer's secure data. Can their employees share it, copy it or print it? Even the most sophisticated desktop security technology and expertise cannot protect against sloppiness.
If your organization is considering outsourcing management of endpoint security, being aware of the risks can help it avoid headaches later on. A careful approach to Security as a Service and desktop outsourcing risks could help many organizations looking to cut costs and better protect their desktops. My next article will examine these potential benefits.
This was first published in September 2013