Tech Talk 1 by David Ferre
Novell ZENworks Endpoint Security Management – Balancing the Needs of Mobile Security and Agility
The deployment of more laptops than desktops has been a rising trend at most organizations for a number of years. The primary driver for this trend is that mobility tends to increase end-user productivity. In spite of this increased productivity, the mobility of users creates significant security hardships for most organizations. Since users need access to their data while they’re on the move, they end up either copying the data to their local laptop drives or accessing their data over network connections that are not managed by the organization. As a result, there tends to be an inverse relationship between security and the productivity gains that mobility provides. The further your data moves from the protective boundaries of your physical operations, the more you increase the level of risk associated with protecting that data and preserving system health.
Fortunately, ZENworks Endpoint Security Management delivers the data, access and device protection that laptops need no matter where they go. The solution provides the security defenses, safeguards and controls you need to neutralize that tension, so you can give users the agility they need to be productive while on the move without giving up control of your data.
Mobile Data Protection
There are a number of vital questions about mobile data protection that, if left unanswered, expose an organization to serious profitability, credibility and liability consequences. (See Threat Assessment.) A few of these questions include the following. Do your users ever store sensitive data, such as intellectual property or customer data, on their laptops, or access it remotely? Can users attach and access removable storage devices on their laptops, such as thumb drives, CD burners or iPods? If a laptop or removable storage device is lost or stolen, can its sensitive data be compromised? These are just a few of the questions you need to answer to ensure the security of the data on your mobile devices.
Thumbsucking, podslurping, or a lost or stolen laptop can result in loss or theft of data with potential costs in the millions from regulatory fines, lawsuits and/or loss of business. To address these concerns, ZENworks Endpoint Security Management provides a variety of protections, including fixed disk encryption, removable storage encryption and storage device controls.
Using AES 256-bit file-based encryption to protect data on lost or stolen laptops, the solution allows you to define, by policy, safe harbor locations on your users’ laptops where they can store any sensitive data that should be encrypted. (See Figure 1.) If desired, you can specify that the entire contents of the user’s My Documents folder be encrypted as well.
To protect against data theft from thumbsucking, podslurping or other similar hacks, you can dictate, by policy, that data on any removable storage device attached to a user’s computer be encrypted as well. While the encrypted data would be unusable to data thieves, your users and their co-workers would be able to share and read the encrypted data on these removable devices from any computer that has the same policy as the computer that originally encrypted it. By policy you can also allow a sharing folder to be activated on the removable storage device that would allow users to share files with others outside their policy group (including third parties) through the use of an access password, while maintaining the same level of encryption.
In terms of other storage device controls to protect your data, Novell ZENworks Endpoint Security Management allows you to define a variety of enforced behaviors for removable devices that attach to your endpoints, including the following: (See Figure 2.)
- Allow all access, disable all access or allow read-only access
- White list approved devices by the unique serial number of the device and by manufacturer and model for USB devices
- White list device and encryption interoperability
- Export files written to and accessed from storage devices
- Controls for disabling AutoPlay and AutoRun
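The following is an added illustration of how the removable-storage controls listed above combine when a device is attached; it is not ZENworks code, and the policy fields, the device records and the precedence between the serial and manufacturer/model white lists are constructed assumptions for the example.

```python
# Added illustration of the removable-storage controls described above (not ZENworks code;
# the policy fields, precedence rules and device records below are constructed assumptions).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Device:
    bus: str           # "usb", "firewire", "cdrom", ...
    manufacturer: str
    model: str
    serial: str        # unique serial number reported by the device

@dataclass
class StoragePolicy:
    default_access: str = "none"                # "full", "read_only" or "none" for unlisted devices
    listed_access: str = "full"                 # access granted to white-listed devices
    approved_serials: set = field(default_factory=set)      # exact serial white list (any bus)
    approved_usb_models: set = field(default_factory=set)   # (manufacturer, model) pairs, USB only
    disable_autorun: bool = True                # AutoPlay/AutoRun switched off for every device

def is_whitelisted(policy: StoragePolicy, dev: Device) -> bool:
    """A serial match always counts; manufacturer/model matching applies only to USB devices."""
    if dev.serial in policy.approved_serials:
        return True
    return dev.bus == "usb" and (dev.manufacturer, dev.model) in policy.approved_usb_models

def evaluate(policy: StoragePolicy, dev: Device) -> dict:
    """Return the behaviour the endpoint would enforce for one attached device."""
    listed = is_whitelisted(policy, dev)
    access = policy.listed_access if listed else policy.default_access
    return {
        "access": access,
        "can_read": access in ("full", "read_only"),
        "can_write": access == "full",
        "autorun": not policy.disable_autorun,
    }

# Constructed sample policy: one known drive approved by serial, one corporate model by make/model.
EXAMPLE_POLICY = StoragePolicy(
    approved_serials={"SN-CONSTRUCTED-0001"},
    approved_usb_models={("ExampleCorp", "SecureStick")},
)

if __name__ == "__main__":
    for dev in (
        Device("usb", "ExampleCorp", "SecureStick", "SN-UNKNOWN"),       # allowed via make/model
        Device("firewire", "ExampleCorp", "SecureStick", "SN-UNKNOWN"),  # make/model rule is USB-only
        Device("usb", "OtherVendor", "Disk", "SN-CONSTRUCTED-0001"),     # allowed via serial
        Device("usb", "OtherVendor", "Disk", "SN-OTHER"),                # falls back to default
    ):
        print(dev.bus, dev.serial, evaluate(EXAMPLE_POLICY, dev))
```

The FireWire case shows why the bus matters: a drive that would be approved by make/model over USB is still denied on another bus, and only an exact serial match overrides that.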
Mobile Access Protection
The need for mobile access protection really comes into focus when you look at how your users gain network access when they’re outside of the office. When mobile workers use open networks, such as hot spots, hotels, airports, coffee shops or other locations, you have no way of knowing the level of security that exists on these networks. Furthermore, will your users be able to tell if others can insert themselves into their communications? If data is transmitted in the clear, your mobile devices can be subject to eavesdropping or man-in-the-middle attacks. To ensure that transmitted data cannot be accessed even if communications are captured or observed, you can configure your policies in ZENworks Endpoint Security Management to require your mobile devices to use a VPN solution that encrypts all communications that take place outside the boundaries of your network. (See Figure 3.)
There is also a need for access protection of your mobile devices within your corporate network. With WiFi now a standard feature on laptops, measures need to be taken to ensure users don’t open backdoors into their machines or your network infrastructure by connecting, knowingly or unknowingly, to other wireless networks within proximity of your location. Other potential wireless threats to your infrastructure include accidental associations, evil twins and bridges into private networks. To protect against these wireless risks, ZENworks Endpoint Security Management gives you the ability to enforce, by policy, a variety of wireless controls, including the following: (See Figure 4.)
- Disable wireless access when a wired connection is present
- Disable all wireless radios, including devices not owned by the organization
- Disable ad hoc peer-to-peer wireless networks
- Disable adapter bridging
- White list or black list SSIDs and access points
- Enforce a minimum security level for access point usage, such as WEP64 or above
- Control additional communications via Bluetooth, Infrared (IrDA), 1394 (Firewire), serial/parallel ports, modems and wired Ethernet
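As an added illustration of how the wireless controls above would be evaluated for one attempted association (this is not ZENworks code), the block below models a policy with the wired/wireless rule, the ad hoc and bridging prohibitions, SSID black-listing, an access-point white list keyed by SSID, and a minimum security level. The ranking of security levels, the policy field names and the sample SSIDs and BSSIDs are constructed assumptions.

```python
# Added illustration of the wireless controls listed above (not ZENworks code; the
# ranking of security levels and the sample policy are constructed assumptions).
from dataclasses import dataclass, field

# Weakest first; "WEP64 or above" means rank >= SECURITY_RANK["wep64"].
SECURITY_RANK = {"open": 0, "wep64": 1, "wep128": 2, "wpa": 3, "wpa2": 4}

@dataclass
class WirelessPolicy:
    disable_when_wired: bool = True
    allow_ad_hoc: bool = False
    allow_bridging: bool = False
    min_security: str = "wep64"
    blocked_ssids: set = field(default_factory=set)
    allowed_aps: dict = field(default_factory=dict)   # SSID -> set of approved BSSIDs; empty = no white list

@dataclass(frozen=True)
class Association:
    ssid: str
    bssid: str        # MAC address of the access point the adapter is joining
    security: str
    ad_hoc: bool = False

def evaluate(policy, assoc, wired_connected=False, bridging_enabled=False) -> list:
    """Return the policy violations for an attempted association; an empty list means permitted."""
    violations = []
    if policy.disable_when_wired and wired_connected:
        violations.append("wireless disabled while a wired connection is present")
    if assoc.ad_hoc and not policy.allow_ad_hoc:
        violations.append("ad hoc peer-to-peer network not permitted")
    if bridging_enabled and not policy.allow_bridging:
        violations.append("adapter bridging not permitted")
    if assoc.ssid in policy.blocked_ssids:
        violations.append("SSID is black-listed")
    elif policy.allowed_aps:
        approved = policy.allowed_aps.get(assoc.ssid)
        if approved is None:
            violations.append("SSID not on white list")
        elif assoc.bssid not in approved:
            # A known SSID broadcast from an unlisted access point: the evil-twin case
            violations.append("access point not on white list for this SSID")
    if SECURITY_RANK.get(assoc.security, -1) < SECURITY_RANK[policy.min_security]:
        violations.append(f"security {assoc.security} below required {policy.min_security}")
    return violations

# Constructed sample policy: corporate SSID pinned to two known access points, WPA2 required.
EXAMPLE_POLICY = WirelessPolicy(
    min_security="wpa2",
    blocked_ssids={"FreePublicWiFi"},
    allowed_aps={"CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"}},
)
```

Pinning the corporate SSID to known BSSIDs is what turns the "white list access points" control into an evil-twin check: the same SSID from an unlisted radio is refused even when its security level is acceptable.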