Shortly after an automobile is purchased, laws dictate that insurance measures be taken to secure it. Driving a new car without automobile insurance or regular safety inspections is not only illegal, but poses serious risks to the vehicle and its occupants.
While not illegal, when PCs or servers
Two extreme scenarios exist for handling security when dealing with geographically disparate organizations.
In the first scenario, local IT staff is employed at the individual remote locations. In this case, organizations have to deal with cultural differences, varying skill levels and capabilities and language barriers that pose potential misunderstandings.
In the second scenario, there is no local IT staff at the remote locations. In this case, the centralized IT administration has a lot to do to keep all the remote sites up and running. As IT departments are usually overloaded, issues arising at headquarters tend to take priority, and the remote locations often become an "afterthought." IT support suffers - and consequently, IT security suffers.
The reality for most organizations is somewhere between these two extremes. They all share, however, the need for a consistent and centrally controlled security system across the company.
Implementing an effective and centralized "cradle to grave" security policy includes a three-phased plan for centralized control and decentralized execution.
Three Phases
Initial Rollout: Deploying operating systems and applications (including security solutions, such as virus protection), re-provisioning systems (i.e. using the same PC for a different purpose). By making security an integral part of the deployment process, you will have secure systems from the start. Adding security to systems management later is like purchasing auto insurance after your first car accident.
Ongoing Security Maintenance: Updating machines with security patches on a continuous basis. If security is already tied in with systems management, this is an easy and integrated process. Not keeping your systems updated would be akin to thinking that because your car passed its safety inspection two years ago, you will never experience car problems again.
Displacement: Permanently erasing all data from the hard drive, so the machine can leave company premises without any third party being able to extract confidential data from it.
"At what size should our organization move to centralized management?"
Proper Approach
To answer one question with another, at what point does it make sense to lock your car? Taking a systems management approach to security should not be dependent upon the size or geographical layout of a company. Regardless of these factors, an organization must be able to centrally control security to protect company assets across all locations. Doing so allows the IT administrator to evaluate and optimize the security level on every desktop, laptop or server from a single console, regardless of where the machine is located. The IT administrator can also distribute security updates or patches without needing to rely on an end-user's actions. It is a matter of control and who has it.
A good systems management tool can configure the security for PCs or servers on an individual or group basis. There can be a general security baseline for one group of users, while having distinct and higher security baselines for others within the organization.
There has been a lot of buzz in recent months around patch management. The ability to centrally manage and deploy patches across a network ensures that network security stays up to date. Asking individual employees to be responsible for their own PCs introduces a much greater chance of human error. Since systems management is not the employee's primary job responsibility, the application of critical patches is easily postponed, often neglected, entirely forgotten or performed incorrectly.
Worms like Slammer are unkind teachers to those who have not applied appropriate security updates or downloaded the latest virus definitions. Slammer successfully made its way through many businesses by exploiting an unpatched vulnerability in businesses' MS-SQL systems, bringing collective corporate networks to their knees.
A good systems management tool will allow the central administration of the software patches to prevent unnecessary exploitation of software holes. There are three very basic steps to patch management - assess the vulnerabilities and identify patches, test the patches and, finally, deploy them.
Evaluating the Costs
To evaluate the worth of a centrally managed security system, one must look at the management and opportunity costs associated with a manual approach. Manual management of security requires either some kind of low-level IT staff at each location or the time of the organization's employees to deploy and maintain a system. The sum total of time that individuals or low-level IT staff must spend deploying their own security software, patches and security updates is growing exponentially with the number of patches that are being released every month and the number of people the organization employs. For many large organizations, a systems management tool has paid for itself after just weeks or months of use.
By using such a tool to centrally manage deployment, you eliminate the need for low-level IT staff at the various locations and free up time for employees who were previously in charge of maintaining their own systems. In addition, the automated and tested procedures that a systems management tool offers establish a consistent level of security and eliminate the need to correct errors. Finally, in the event of a virus threat or an actual attack on the company's IT infrastructure, a systems management tool pays for itself almost immediately; all the servers and PCs across the organization can be patched at once. If there is a damaged system, it can be rebuilt quickly and from a central location.
Simply put, the only secured infrastructure is a managed infrastructure. Combining systems management with security technologies from cradle to grave decreases the chances of a major security breach. It is the insurance a network needs to keep infection-free in the ever-changing world of technology.
Thom Bailey & Oliver Norkauer
Thom Bailey has more than 9 years of experience mapping customer needs to innovative software solutions. As director of Product Management within Symantec Corp.'s Enterprise Administration Business Unit, Thom's primary responsibility is growing the revenue and establishing the strategic roadmap for the System's Management Division which includes the Symantec Ghost, DeployCenter Library, pcAnywhere, iCommand and iPatch product lines. Thom can be reached at tbailey@symantec.com.
Oliver Norkauer has spent 14 years in the software industry in various technical and management roles. For the last eight years, he has been working with ON Technology, where he shaped their flagship products ON Command CCM and ON iCommand. Oliver is now a product manager at Symantec's Enterprise Administration Business Unit. He can be reached at Oliver_Norkauer@symantec.com.