Buyers' Guide
Keep security on a tight rein
Published: 15 Aug 2008, 04:13pm
Data security is one of the cornerstones of the IT department. But as security threats evolve, IT managers have a tricky balance to strike - secure the client devices without impairing productivity.
All IT systems share the fundamental need to be secure because data is essential to businesses and must be protected from loss or damage.
But the strategy and technology required to secure business data have evolved, along with the IT systems that hold that data and the nature of the threats themselves.
The move to distribute intelligence in desktops and laptops has the potential to distribute and increase vulnerabilities. Data that is on the move between devices and stored in mobile devices is at risk.
The challenge for the IT manager is to secure those client devices, without removing the productivity benefits they bring. A large part of the answer is in managing laptops and desktops effectively.
"A proactive approach to security is always best," says Stuart Dommett, enterprise client manager at Intel. For example, it is crucial to apply security patches swiftly, to avoid the zero-day attacks where hackers exploit the window of time when a software flaw has been revealed, and not everyone has applied the patch.
Patch management
"You need to increase the speed of patch penetration and reduce the time to patch saturation," he says. The only way to do this is with automated systems, but these systems need a way to access the PCs remotely - including switching them on if they have been shut down.
"If you can get to PCs that are not switched on, you know you can tick that box quicker," says Dommett. "You have reduced your risk."
Intel's vPro technology can patch machines that are switched off because it has an out-of-band management agent permanently installed, ready to be activated when required.
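The two metrics Dommett names, patch penetration and time to patch saturation, are easy to compute from the install timestamps a management console already collects. The following is an added example, not code from the article or from Intel; the fleet, hostnames and timestamps are constructed, and the 90% saturation threshold is an assumed target.

```python
import math
from datetime import datetime, timedelta

# Constructed sample: when each of ten hypothetical hosts reported the patch
# installed. None means not yet installed (e.g. a laptop still off the VPN).
RELEASED = datetime(2008, 8, 1, 9, 0)
FLEET = {
    "desk-01": RELEASED + timedelta(hours=1),
    "desk-02": RELEASED + timedelta(hours=2),
    "desk-03": RELEASED + timedelta(hours=2),
    "desk-04": RELEASED + timedelta(hours=5),
    "desk-05": RELEASED + timedelta(hours=8),
    "lap-01": RELEASED + timedelta(hours=12),
    "lap-02": RELEASED + timedelta(hours=30),
    "lap-03": RELEASED + timedelta(hours=48),
    "lap-04": RELEASED + timedelta(hours=72),
    "lap-05": None,
}


def penetration(fleet, released, hours):
    """Fraction of the fleet that had the patch installed within `hours` of release."""
    cutoff = released + timedelta(hours=hours)
    done = sum(1 for t in fleet.values() if t is not None and t <= cutoff)
    return done / len(fleet)


def time_to_saturation(fleet, released, threshold=0.9):
    """Hours from release until `threshold` of the fleet is patched.

    Returns None if the threshold has not been reached yet, which is the
    signal that machines are stuck outside the reach of the patching system.
    """
    needed = math.ceil(threshold * len(fleet))
    times = sorted(t for t in fleet.values() if t is not None)
    if len(times) < needed:
        return None
    return (times[needed - 1] - released).total_seconds() / 3600


def still_exposed(fleet, released, hours):
    """Hosts still unpatched `hours` after release: the window the article warns about."""
    cutoff = released + timedelta(hours=hours)
    return sorted(h for h, t in fleet.items() if t is None or t > cutoff)


if __name__ == "__main__":
    print(f"24h penetration: {penetration(FLEET, RELEASED, 24):.0%}")
    print(f"time to 90% saturation: {time_to_saturation(FLEET, RELEASED)} h")
    print("exposed at 24h:", still_exposed(FLEET, RELEASED, 24))
```

Run against real console exports, the `still_exposed` list is the set of hosts an out-of-band agent would need to wake and patch.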
Consultancy Capgemini turned to vPro to reduce the effort it had to expend distributing software patches - a job made more complex because mobility is part of the company's business model.
Ninety per cent of its staff are road warriors who connect to the office over a virtual private network (VPN). Even an out-of-band agent can't allow delivery of a patch when the machine is not on the network - but it will help minimise the delay before patches are installed.
Microsoft's automated patching works well but Capgemini had to deliver patches to its non-Microsoft software on a DVD, distributed once a year. Not only was this too slow, it was also too uncontrolled. "There is no way to check the DVD arrived or was installed correctly," says a white paper from the company.
Capgemini is evaluating Centrino laptops with vPro at its outsourcing division in India and in its office in the Netherlands, where the technology will be used with Microsoft System Center Configuration Manager.
As well as easing patch management, an agent has roles in other security jobs. It can be used to monitor a machine's behaviour and spot when it is being misused. It can also be used to shut down a laptop that has been stolen.
As well as dealing with threats in real-time, it can also log data, which can be used to audit and check when trouble is suspected.
In recent years, these abilities have become more than an insurance policy against rare risks - they have become a fundamental requirement of doing business. The reason is the increase in regulations such as the US Sarbanes-Oxley Act and requirements such as the retail industry's PCI specifications.
These regulations demand a level of security, control and reporting that can only be provided by a remote management scheme.
"Keeping that agent up is critical," says Dommett. "You can have antivirus on a PC, but if the end-users switch it off, you will know about it."
System defence
Intel's hardware-based Active Management Technology (AMT) also offers something called System Defense, Dommett continues. System Defense can lock down network flows on a PC according to policies set by IT staff at the network management console or developed with an intrusion detection system (IDS).
"If you are on the network infrastructure, and System Defense sees something like a virus, it can shut down that port," he explains. AMT detects attacks more quickly than a software-based agent, he says.
There's a bigger benefit, though. Because AMT runs out-of-band, it's possible for System Defense to shut down activity and still allow the IT staff in, remotely, to repair the infected systems.
If your IDS doesn't have out-of-band agents to use, then IT staff can struggle to keep up: once blocked from the network, the PC is isolated and can't be repaired without a visit. If a virus attack reaches a significant number of PCs, then it will effectively slow the company's productivity while the PCs are fixed.
Not just for the big players
These features can sound daunting for smaller companies without a dedicated IT department but they are easily accessible to all. vPro's AMT remote management technology can be used in two security modes: enterprise mode makes use of corporate directories such as Microsoft Active Directory, and Kerberos encryption.
For companies without their own corporate directory structure, AMT's smaller business mode just uses username and password security.
If that level of security isn't enough for a smaller business, it can use AMT in enterprise mode by taking a managed service from a provider that will manage its PCs on its behalf.
Any business can - and should - get the security benefits of fully managed desktops.