What's the best way to address the growing diversity of my corporate desktops so that I know, at any given time, how secure all of the systems on my network really are?
Traditional enterprise networks that used to be 100% Windows are quickly evolving into more diverse mixes of Windows (both old and new), Linux and Mac OS X. This is affecting organizations both large and small, and this aspect of endpoint management is taking a lot of IT and security managers by surprise.
In fact, I recently had a client ask how he should manage the deluge of non-Windows systems infiltrating his network: a new business unit manager had been hired and encouraged his staff members to acquire the latest and greatest laptops from Apple.
What can happen is that sensitive business information that used to be protected by Group Policy, full disk encryption, patch management systems and the like is now being stored and processed on systems with zero security controls. Sure, it's a seemingly insurmountable issue that's easy to turn a blind eye to, but that doesn't make the security risks go away or make regulators look at the issue any differently.
This challenge is really an extension of bring your own device (BYOD) policies. People are going to use whatever endpoint devices they want to get their jobs done, especially if management ignores endpoint security policies and standards. How does someone who is responsible for IT security prevent things from getting out of hand? Here are my suggestions:
- Make sure that management is on board with determining the risks of these nontraditional systems and then doing whatever is reasonable to minimize those risks.
- Develop proper standards and BYOD policies to ensure that all the big areas are being addressed, including passwords, full disk encryption, audit logging, patching (especially third-party patches) and vulnerability testing.
- Implement the necessary technical controls to keep things in check, which could include technologies such as mobile device management, cloud-based file sharing, data loss prevention and managed third-party client extensions for Active Directory.
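The question at the top asks how to know, at any given time, how secure every system on the network really is. One practical answer is to turn the standard above into a measurable baseline and run every inventory record, whatever the OS, through the same check. The script below is an added example, not code from the original article: the baseline values, the field names and the four inventory rows are constructed assumptions standing in for whatever an MDM or agent export actually provides. The point it shows is that the baseline itself stays OS-neutral (encryption on, patches fresh, audit logging on, screen lock on) while only the evidence mapping knows that Windows reports BitLocker, macOS FileVault and Linux LUKS.

```python
"""Evaluate a mixed Windows/macOS/Linux endpoint inventory against one
minimum security baseline. Added example: baseline numbers, field names
and inventory rows are constructed, not from the original article."""
import csv
import io
from datetime import date

# Constructed baseline mirroring the policy areas in the list above:
# full disk encryption, patch currency, audit logging, screen lock/password.
BASELINE = {
    "require_fde": True,
    "max_patch_age_days": 30,
    "require_audit_logging": True,
    "require_screen_lock": True,
}

# Each OS family reports full disk encryption under a different product;
# map them so the baseline can ask one OS-neutral question ("is FDE on?").
FDE_PRODUCTS = {
    "windows": "bitlocker",
    "macos": "filevault",
    "linux": "luks",
}

# Constructed sample inventory, shaped like an MDM/agent export (assumed format).
SAMPLE_INVENTORY = """hostname,os,fde,last_patch,audit_logging,screen_lock
fin-lt-01,windows,bitlocker,2023-05-20,yes,yes
fin-mbp-07,macos,none,2023-03-01,no,no
eng-mbp-02,macos,filevault,2023-05-28,yes,yes
ops-nix-03,linux,luks,2023-04-01,yes,no
"""


def evaluate_host(row, today, baseline=BASELINE):
    """Return a list of baseline findings for one inventory row (empty = compliant)."""
    findings = []
    os_name = row["os"].strip().lower()
    expected_fde = FDE_PRODUCTS.get(os_name)
    if expected_fde is None:
        # An OS we have no evidence mapping for is a finding in itself:
        # "unknown" is not the same as "compliant".
        return [f"unknown OS '{row['os']}'; cannot assess"]

    if baseline["require_fde"] and row["fde"].strip().lower() != expected_fde:
        findings.append(f"disk encryption missing (expected {expected_fde})")

    patch_age = (today - date.fromisoformat(row["last_patch"].strip())).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(f"patches {patch_age} days old (limit {baseline['max_patch_age_days']})")

    if baseline["require_audit_logging"] and row["audit_logging"].strip().lower() != "yes":
        findings.append("audit logging disabled")

    if baseline["require_screen_lock"] and row["screen_lock"].strip().lower() != "yes":
        findings.append("screen lock not enforced")

    return findings


def evaluate_inventory(csv_text, today, baseline=BASELINE):
    """Map hostname -> findings for every row of a CSV inventory export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: evaluate_host(row, today, baseline) for row in reader}


def compliance_rate(results):
    """Fraction of hosts with no findings; the single number to report upward."""
    if not results:
        return 0.0
    compliant = sum(1 for findings in results.values() if not findings)
    return compliant / len(results)


if __name__ == "__main__":
    results = evaluate_inventory(SAMPLE_INVENTORY, date(2023, 6, 1))
    for host, findings in results.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host:12} {status}")
    print(f"compliance: {compliance_rate(results):.0%}")
```

Run against the constructed data with 2023-06-01 as the assessment date, the two Macs split exactly the way the article's client saw it: the engineering laptop that went through onboarding is clean, while the one bought outside the process fails every control. The Linux host passes encryption but fails on patch age and screen lock, which is why the report lists individual findings rather than a single pass/fail: the remediation owner for "patches 61 days old" is different from the owner for "screen lock not enforced".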
This is arguably one of the greatest risks in enterprise security today. Don't ignore endpoint management and hope the problem goes away. Being proactive is the only reasonable approach.