- Security TWENTY
- Women in Security
Digital usage policies and the ‘new’ desktop are the issues for Mark Austin, CTO of Avecto, pictured. Written policies aren’t worth the paper they are written on, he writes.
The PC desktop is changing, so fast that what used to confidently be called the ‘desktop’ is undergoing the sort of rapid evolution bound to throw up new and unfamiliar security challenges.
Technological developments such as smartphones, tablets and mobile operating systems can be wheeled out to partly explain this change. However, it is to the humble user rather than computer architectures of network topologies we must pay the closest attention if we are to understand how the business desktop will be reshaped from the ground up over the next decade.
Put simply, employees are downloading and accessing a host of ‘grey’ mini-applications, services and browser plug-ins on a sometimes industrial scale to run in parallel to traditional software licensed or developed to do the everyday work of a business. As well as introducing a high degree of uncertainty and risk, this turns the established model of software deployment on its head. Where once, IT staff decided what ran, now employees have been handed the discretion to run what they fancy.
Organisations might want to ban alien applications and social media plug-ins but they are also aware that some of these services and applications are part of longer-term industry changes that can also generate new possibilities for a business. Can a way be found to reconcile the two world views?
Most organisations have a written computer usage policy to define authorised behaviour, which in specific instances will be enforced with an extra layer of technology to control which applications can run on a PC or open a port through the firewall. That offers certainty but is a blunt instrument that fails to address a range of underlying issues.
What happens if users misunderstand, forget or ignore the policy or are simply socially engineered into installing risky applications?
Can organisations any longer rely on mere usage policies to form a reliable part of their compliance stance?
In any event, can applications be efficiently managed if IT staff lack reliable tools to perform simple discovery and control on a continuous basis?
One powerful and flexible tool with which to impose order on the chaos is a privilege management system such as Avecto’s Privilege Guard. Technically, privilege management is a way of controlling applications that demand admin rights under Windows to function, a legacy programming model that presents obvious security risks.
Using such a system in a least privilege setting offers a way of blocking harmful applications (which often ask for admin rights to gain control of a target) while allowing ‘standard’ users to elevate these privileges according to pre-defined policies.
But it doesn’t stop there. Privilege management systems also come with a discovery and auditing function that admin staff use to assess the type of applications and rights used on a network over time; this provides a neat starting point from which to create a digital usage policy to replace the written protocols.
Once armed with a comprehensive picture of which applications are being used and under what conditions, the next stage is to divide applications into categories according to risk or their use to the business.
Leaving aside the hopefully small number of dangerous applications, there is no simple answer as to which applications and services run and which don’t. Suffice to say, this is a grey area which demands that IT teams consult staff. Imposing a digital usage policy from ‘on high’ is bad management.
A particularly difficult example is that of social media applications. For staff in one department these might offer no concerns to the business while in another one down the hall data security issues would make unguarded use unthinkable.
Another example are consumer cloud storage services such as Dropbox, which have risen to prominence for the way they allow users to cope with data files across multiple types of ‘desktop’, i.e. PC, smartphone, tablet, and even home computer without resorting to insecure flash drives. Many businesses without private clouds are keen to access such services but worry about the risk to data accessible from multiple systems using uncertain authentication, remotely-managed encryption with no auditable compliance to speak of. Assessing where the limits lie with such services can be complex.
Adopting privilege management concepts will not necessarily offer a complete solution thanks to a growing band of apps – Windows 8 ‘Metro’ apps for one – that install without asking for elevated rights. Granted, Microsoft’s design improves on the mistake of creating applications that require privileges and end up being funnelled inefficiently through Windows User Account Control (UAC), but leaves hanging the question of whether even standard user apps should be allowed in the first place.
The challenge of Windows 8 apps is that the number of possibilities rises from the few dozen usual suspects found in today’s desktop environment to, potentially, thousands or even tens of thousands.
An answer could be application whitelisting (allowing a pre-defined group of applications), or its twin, blacklisting (disallowing specific applications). As far as Windows 8 is concerned, Microsoft provides tools to manage Windows Store apps through AppLocker Group Policy but privilege management systems will do the same job in a way that integrates with broader application management requirements. Because it is impossible to authorise each and every app dynamically, the best way to proceed is to define a family of acceptable apps using whitelisting, updating this policy as regularly as practical.
The example of Windows 8 apps underlines the importance not simply of auditing the applications being used but of doing the same for the policy itself. Digital policies should never become fixed in stone; a good policy is always as recent as possible.
The conclusion from all of this is that the ‘new desktop’ is dynamic, fast-evolving and defined as much by what users do, not simply what IT vendors deem to be useful. The user is now in control of the organisation’s destiny and IT teams need to adapt. That’s a huge change that asks not only for a new mind-set but the tools to make such a world possible. What admins can’t do is cling on to the past and its fading certainties.