Anyone tasked with deciding how best to secure an enterprise's desktops is faced with a range of choices and products.
Among the key questions, does the best strategy demand the use of a multifunction security suite, or cobbling together a custom set of applications, each mitigating a particular risk? In this tip, we'll look at the top desktop security management issues in order to determine which is the right choice for your enterprise.
The value of desktop security suites
As the attack surface of the enterprise desktop has increased over the last few years, so has the number of features offered by the major security vendors in their desktop security suites. The product sets have grown to include not just the standard antivirus and antispyware protection, but features such as antispam control, behavior-based malware detection and host intrusion prevention. More features, however, always mean more configuration options and signature updates. While using a multifunction security suite to keep desktops secure has become more complex, it's never been more critical to ensure that all of a suite's components are managed correctly.
In making the case for desktop security suites, the centralized and automated desktop management capabilities they offer not only save time and resources, but can also reduce the window of exposure dramatically, since during a security incident there is only one application and one interface for administrators to grapple with. For example, the reason many admins give for choosing McAfee Inc.'s suite is that its single-agent, single-console ePolicy Orchestrator reduces the complexity of maintaining security product policies. Similarly, Symantec Corp. has addressed this critical issue with the release of the Endpoint Management Suite, which combines endpoint protection, asset inventory discovery, configuration management and automated patch management into a central management platform. For those considering a multifunction suite, the market is fairly competitive. As a rule, I would certainly put ease of central management ahead of any marginal edge in a particular security component.
Beyond the network perimeter: Alternatives to the desktop security suite
The obvious alternative to a multifunction desktop security suite is to deploy various point products, each of which mitigates a particular type of risk. However, deploying and managing separate applications is complex and can prove inadequate if each is operated in isolation. Many enterprise network administrators feel they have too many applications to manage already. They all require staff to understand and maintain them, as well as time to analyze the data they produce. An integrated suite has a big advantage here: Information can be pooled to create more informative reports, while centralized administration allows policy rules and parameters to be set in one go, a far easier task than trying to enforce each policy across several different devices.
However, a multifunction desktop security suite may be overkill and overly costly if you don't need all the extras. A few well-chosen security applications may be cheaper, particularly as there are some good open-source point products around. Also, some popular applications, such as instant messaging, are far better secured using a dedicated service, as IM is difficult to control using conventional security methods.
Deperimeterization and desktop security strategy
A more radical approach to network security, and therefore desktop security, comes from the increasingly popular opinion that the traditional secure perimeter and trusted network is becoming unsustainable due to the growing number of unknown users in the form of partners, competitors, contract staff and third parties.
Deperimeterization, a term coined by Paul Simmonds of the Jericho Forum, holds that the only reliable security strategy is to protect the information itself and make every component independently secure, rather than trying to secure the network and the rest of the IT infrastructure. Under this paradigm, if a user's desktop is deemed to be insecure, access to data is denied using network access control (NAC) technology.
For companies using either a suite or point-product approach, NAC can be used as an added layer of defense, ensuring that desktops are suitably secure and up-to-date. Importantly, it can be used to check the health of devices connecting to the network that are outside of the organization's immediate authority, such as contractors or third-party suppliers.
Check Point Technologies Ltd., Cisco Systems Inc. and Microsoft are among the vendors providing support for network access control technology that aims to secure desktops in this way. NAC can be used to effectively enforce security policies enterprise-wide and provide endpoint management of security. Even if the network perimeter doesn't disappear completely, it is certainly becoming less defined. A perimeter-less approach shifts some of the security responsibility to users of the network. Although, in my opinion, deperimeterization defenses require a mature user base, the attraction of this technique is that it costs a lot less than trying to provide security from the top down.
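The posture check that NAC performs before admitting a device is, at its core, a policy decision over a device's reported security state: hard failures deny access outright, fixable gaps send the device to a remediation (quarantine) segment, and unmanaged third-party devices are never fully trusted. The following is an added illustration of that decision logic and is not code from the article or from any of the vendors named above; the posture fields, the three-day signature-age threshold and the sample devices are constructed assumptions.

```python
"""Illustrative NAC-style posture evaluation (added example; field names,
thresholds and sample devices are assumptions, not any vendor's schema)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Posture:
    """Security state a device reports to the access-control point."""
    host: str
    managed: bool                 # enrolled in the organization's management console
    av_running: bool
    av_signature_date: date
    missing_critical_patches: int
    firewall_enabled: bool
    disk_encrypted: bool


@dataclass
class Decision:
    verdict: str                  # "allow", "quarantine" or "deny"
    reasons: list[str] = field(default_factory=list)


# Assumed policy threshold: signatures older than this are considered stale.
MAX_SIGNATURE_AGE = timedelta(days=3)


def evaluate_posture(p: Posture, today: date) -> Decision:
    """Return an access decision for one device.

    Hard failures (no AV agent, host firewall off) deny access outright.
    Fixable gaps (stale signatures, missing patches, no disk encryption) route
    the device to a quarantine segment that reaches only remediation services.
    Devices outside the organization's control are quarantined even when
    clean, so that they never land directly on the trusted network.
    """
    deny: list[str] = []
    fix: list[str] = []
    if not p.av_running:
        deny.append("antivirus agent not running")
    if not p.firewall_enabled:
        deny.append("host firewall disabled")
    signature_age = today - p.av_signature_date
    if signature_age > MAX_SIGNATURE_AGE:
        fix.append(f"signatures {signature_age.days} days old")
    if p.missing_critical_patches > 0:
        fix.append(f"{p.missing_critical_patches} critical patches missing")
    if not p.disk_encrypted:
        fix.append("disk not encrypted")
    if deny:
        return Decision("deny", deny + fix)
    if not p.managed:
        fix.append("device not managed by the organization")
    if fix:
        return Decision("quarantine", fix)
    return Decision("allow")


def evaluate_all(devices: list[Posture], today: date) -> dict[str, str]:
    """Map each host name to its verdict; used for a quick policy dry run."""
    return {d.host: evaluate_posture(d, today).verdict for d in devices}


# Constructed sample postures covering each outcome.
TODAY = date(2008, 6, 1)
SAMPLE_DEVICES = [
    Posture("corp-laptop-01", True, True, date(2008, 5, 31), 0, True, True),
    Posture("corp-laptop-02", True, True, date(2008, 5, 20), 2, True, True),
    Posture("contractor-pc", False, True, date(2008, 6, 1), 0, True, False),
    Posture("rogue-box", False, False, date(2008, 1, 1), 9, False, False),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        d = evaluate_posture(dev, TODAY)
        print(f"{dev.host:16} {d.verdict:10} {'; '.join(d.reasons)}")
```

Separating "deny" from "quarantine" matters operationally: a denied device generates an incident for the security team, whereas a quarantined one can self-remediate against the patch and signature servers without an administrator's involvement, which is the workload shift the deperimeterization argument relies on.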
When deciding on the best strategy for desktop security, the three main goals are faster, better and cheaper, which come down to three questions:
- Infrastructure impact: How will it affect administration workloads and end-user productivity?
- Requirements: Can it deliver what your security policy requires?
- Effectiveness: Does it deliver real and measurable security benefits?
For small to mid-sized organizations, my current preference is for a desktop security suite with a good central management console. A large number of desktops can be protected this way without undue cost or loss of productivity. For large enterprises, or those that have a mobile workforce, deperimeterization may be an option worth considering. Using NAC to enforce a specified level of security on devices connecting to the network shifts some of the security burden from the administrator to the device user, a welcome move when thousands of users are involved. For organizations that make use of communication channels, such as Skype or instant messaging, deploying point products to handle specific needs will probably offer a more comprehensive level of security.
About the author: Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.