Tech Talk 3 By David Ferre
Striking the Right Balance So that All Your Endpoints Are Secure
USB storage devices have become as commonplace as car keys. In fact, many of you reading this article likely have a thumb drive hanging on your key ring. Of course, it doesn’t stop there; MP3 players, PDAs, DVD/CD burners, mobile phones and digital cameras all provide digital storage that makes life easier and more enjoyable for the masses while at the same time creating a security nightmare for organizations.
Businesses lose billions of dollars a year as a result of data theft, data loss and the accompanying costs associated with cleanup and recovery. A major contributor to this liability is inadequate endpoint protection, especially as it relates to mobile devices and misuse, whether intentional or unintentional, of mobile storage technologies. As an administrator, you face a difficult dilemma: how do you implement the appropriate levels of security and control without impacting the productivity and agility your users need in regard to mobility and removable storage? Too often, endpoint security solutions sacrifice productivity for security, or vice versa.
To help you strike the optimum balance of protecting your organization's digital assets while enabling the agility and mobility of your users, Novell ZENworks Endpoint Security Management differentiates itself in two key areas, namely, implementing and managing protection, and providing multiple levels of protection.
Endpoint Protection Implementation and Management
A key differentiator for ZENworks Endpoint Security Management is that it lets you implement and manage your endpoint security policies based on user identities. The device-based management implementations on which other solutions rely lack the flexibility you need to strike the balance between data security and user agility. For example, you might want to allow certain executives or managers to copy data to thumb drives while prohibiting rank-and-file users from doing so—regardless of what device they’re on.
Because you know your executives deal with sensitive information, you might want to make sure that all data they copy to USB devices is always encrypted. By tying security policies to identity, ZENworks Endpoint Security Management gives you the flexibility to make sure that users have the access they need with the proper controls in place, no matter what endpoint they are logged into.
Also, instead of putting endpoint security decisions in the hands of end users—as some solutions do through pop-ups or local settings—ZENworks Endpoint Security Management gives you and your IT security specialists complete, centralized security management for all the endpoints in your enterprise. You govern security enforcement by creating identity-based security policies that get pushed out to every endpoint in your enterprise. By using the solution’s location awareness capabilities, you can have security policies change dynamically depending on the network environment an endpoint is currently connected to, such as the office, home, airport, a WiFi zone or some unknown location. (See Figure 1.)
Even though the solution is centrally managed, all policies are enforced locally, regardless of whether or not the endpoint is connected to the network. The agent has a built-in self-defense mechanism that prevents users from turning off or circumventing security settings even if they have administrator privileges for their workstations.
It also protects itself from being intentionally or unintentionally uninstalled, shut down, disabled or tampered with in any way that would expose sensitive data to unauthorized users.
The inherent flexibility in the solution’s design enables you to implement it in the way that makes the most sense for your organization. If you have the immediate need to comply with strict regulatory requirements, you can roll out the level of enforcement you need on day one. You can also take a more phased approach, perhaps starting out with more lenient policies to ensure they don’t impact your operations, and then leverage the solution’s auditing and reporting capabilities to decide how, where and when you need to modify and tailor policy to meet your organization’s endpoint security strategy.
The following represent the main components that you install when deploying a ZENworks Endpoint Security Management solution:
- Policy Distribution Service distributes security policies to the Endpoint Security Client (agent) and retrieves reporting data from the agent.
- Management Service manages user policy assignment and component authentication, reporting data retrieval, creation and dissemination of reports, and security policy creation and storage.
- Management Console is the graphical interface you use both to configure the Management Service and to create and manage user and group security policies.
- Client Location Assurance Service provides a real-time cryptographic guarantee of the current location of your endpoints by leveraging network environment parameters that you define.
- Endpoint Security Client (Agent) enforces the security on each endpoint where it is installed. A client agent for Windows XP and Windows 2000 enterprise computers is available, as well as one for computers running 32-bit versions of Microsoft Windows Vista with Support Pack 1 and Windows Server 2008.