Systems management and security are one and the same
Executive: So, given our limited resources . . .
Systems Administrator (with a world-weary sigh): Yeah, the budget . . .
Executive: . . . and given that we've
Systems Administrator: We've almost selected the vendor . . .
Executive: In your opinion what should we concentrate on right now, systems management or security?
Systems Administrator (after a long, long pause): We-ell. If I can't get direct oversight of every laptop or PDA out there, I'd sleep better knowing they at least have some antivirus software installed.
Executive: OK. Makes sense.
Unfortunately for the systems administrator's sleep, the budget and the company itself, a choice that sounds sensible does not always produce a sensible result. This article explains why the administrator's logical decision may prove disastrous, and why systems security and systems management cannot be thought of, and should not be implemented, as separate functions on the front lines of the enterprise.
A dangerous environment

The systems administrator in the scenario above understands that devices used on the enterprise front lines (mobile smart phones, PDAs and laptops, as well as point-of-service PCs at remote branches or retail sites) are unusually exposed to mishaps, misuse and malicious infiltration. For one thing, frontline devices are beyond the physical reach of the technicians who keep PCs on the traditional LAN in shape. For another, frontline users are constantly on the move, so they resist and resent troubleshooting sessions that last longer than a moment. And they are not eager to spend time managing their own systems, or even typing in a password, when they have a customer to serve or a sale to make.
Frontline devices are also more vulnerable for the simple reason that they sit outside the corporate firewall and are often used for both personal and business activities. They connect to more non-business web sites and exchange email with a wider variety of people. Small mobile devices are particularly at risk because they can easily be left on a plane or stolen from a purse or glove compartment. If loss of the physical device were the only issue, it would simply be a matter of cost. The truly worrying part of the equation is the sensitive corporate data residing on these small devices, including client lists, product plans, sales figures and development calendars. Mobile and remote devices also connect freely to corporate systems, providing a path for attackers to enter the network and for malware to spread.
For all these reasons, it is easy to understand why the systems administrator in the scenario chooses security over management. Much better, he reasons, to get antivirus software installed as soon as possible, whether or not the devices will be managed efficiently. The choice, however, is a false one.
A false dichotomy

The truth is that management and security functions are so interdependent that it is impossible to keep frontline devices truly safe without incorporating both from the first moment the devices are rolled out to the field. For example, suppose the scenario above results in antivirus software being installed on 1,500 mobile devices. A month later, who can say whether this software is still correctly configured, or whether its signatures are current? Three months later, when the software needs a patch to resist a dangerous new worm, how fast can the patch be distributed? Once it has been shipped to the field, who knows whether users have installed it correctly, or at all? Security without good centralized management is simply a mirage.
Given this reality, many enterprises are coming to understand that security and management really can't be considered separate functions -- that they are indeed one and the same. No security solution is truly secure unless it is combined with comprehensive management capabilities, and vice versa. If an enterprise is to secure its critical frontline devices, as well as the corporate network to which they connect, it must be able to:
None of these abilities can be described as "security" functions per se, yet all of them are required if frontline systems are to be secure. The converse is also the case: centralized management functions must be performed securely, or they may themselves open the door to malicious intrusion or damaging code. Indeed, if appropriate security measures are not taken, it is impossible to safely:
In short, security cannot be assured if frontline devices are invisible and unreachable; and systems management shouldn't be performed without sturdy security safeguards in place. In addition, neither management nor security tasks should require devices to be shipped back to headquarters, or technicians to visit remote sites. To avoid these serious blows to productivity, all such tasks should be performed electronically, from a central location.
What to look for

The answer, then, is to implement a centralized frontline solution that includes both management and security functions. This kind of solution should:

1) provide a central console for managing all frontline devices (point-of-service PCs, smart phones, PDAs and laptops) and their applications;
2) free users from performing management and security tasks;
3) take into account that the frontline environment is far different from a local area network;
4) be equipped to deal with worst-case scenarios.
Like the narrator in Dr. Seuss's book I Can Read with My Eyes Shut, who finally admits he reads a little better with his eyes open, systems administrators find that, when it comes to keeping frontline devices safe, it helps to be able to see what is going on, especially on a single, centralized console. By making frontline devices visible and accessible, a comprehensive frontline management solution makes them far safer from attack and misuse. Administrators can track which security software (as well as enterprise software) is installed on each device, whether it is properly configured, and how it is being used. They can also manage multiple security tools from a single interface and keep an eye on how those tools are functioning. Organizations should look for a solution that integrates with enterprise directories, such as Active Directory and other LDAP-based directories.
A unified frontline management solution shifts responsibility for device security from users to the IT department. This is a huge relief to busy frontline workers, who would rather focus on customers than on their computing devices. It is also a giant step towards better security for the enterprise, since leaving security up to users is like leaving jet engine maintenance up to pilots: not a good idea. A robust frontline management solution can distribute and install patches and antivirus software; enforce configuration standards for firewall software; require that password protection and encryption remain turned on; ensure that connection protocols are secure; and automate all vital management tasks, including system backups.
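The central-console questions raised above (is antivirus still installed, are its signatures current, is the firewall on, when did the device last report in) come down to evaluating each device's inventory record against a policy. The following is an added example written for this article, not code from the original page or from any XcelleNet product; the record fields, the policy thresholds and the four devices in FLEET are assumptions constructed for the demonstration. A device that has not checked in for longer than the policy allows is reported as a finding in its own right, because an invisible device cannot be shown to be secure at all.

```python
"""Policy-driven compliance check over a frontline device inventory.

Added example, not code from the original article or from XcelleNet/iAnywhere.
The record layout, policy thresholds and sample devices are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

TODAY = date(2004, 10, 1)   # fixed "now" so the example is deterministic

POLICY = {
    "max_sig_age_days": 7,       # antivirus signatures older than this are stale
    "max_checkin_age_days": 30,  # a device silent for longer is treated as unreachable
}


@dataclass
class Device:
    device_id: str
    kind: str                    # "laptop", "pda", "smartphone" or "pos"
    av_installed: bool
    av_sig_date: Optional[date]  # last signature update, None if the agent could not tell
    av_realtime_on: bool
    firewall_on: bool
    disk_encrypted: bool
    power_on_password: bool
    last_checkin: date           # last time the device reported to the console


def evaluate(dev: Device, today: date = TODAY) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings: List[str] = []
    if not dev.av_installed:
        findings.append("antivirus not installed")
    else:
        if dev.av_sig_date is None:
            findings.append("antivirus signature date unknown")
        else:
            age = (today - dev.av_sig_date).days
            if age > POLICY["max_sig_age_days"]:
                findings.append(f"antivirus signatures {age} days old")
        if not dev.av_realtime_on:
            findings.append("antivirus real-time scanning disabled")
    if not dev.firewall_on:
        findings.append("personal firewall disabled")
    if not dev.disk_encrypted:
        findings.append("storage not encrypted")
    if not dev.power_on_password:
        findings.append("power-on password disabled")
    silent = (today - dev.last_checkin).days
    if silent > POLICY["max_checkin_age_days"]:
        findings.append(f"no check-in for {silent} days (unreachable)")
    return findings


def compliance_report(devices: List[Device], today: date = TODAY) -> Dict[str, List[str]]:
    """Map every device id to its list of findings."""
    return {d.device_id: evaluate(d, today) for d in devices}


def noncompliant_ids(report: Dict[str, List[str]]) -> List[str]:
    """Sorted ids of devices with at least one finding."""
    return sorted(dev_id for dev_id, findings in report.items() if findings)


# Constructed sample inventory (not real devices).
FLEET = [
    Device("LT-0001", "laptop", True, date(2004, 9, 29), True, True, True, True, date(2004, 9, 30)),
    Device("LT-0002", "laptop", True, date(2004, 9, 1), False, True, True, True, date(2004, 9, 30)),
    Device("PDA-0107", "pda", False, None, False, False, False, False, date(2004, 8, 15)),
    Device("POS-0310", "pos", True, None, True, True, True, True, date(2004, 9, 30)),
]

if __name__ == "__main__":
    for dev_id, findings in compliance_report(FLEET).items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

Run as a script, the report lists LT-0001 as compliant, LT-0002 with stale signatures and real-time scanning off, PDA-0107 with every control missing and no check-in for 47 days, and POS-0310 with an unknown signature date. In a real console the FLEET records would come from the agent's last inventory upload and the findings would feed the remediation actions described below.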
A good management solution for the front lines should be optimized for an environment in which bandwidth is at a premium, connection speeds are slow and (in the case of mobile devices) data transmissions are frequently interrupted. Assuming that a patch management application that works on the corporate LAN can simply be carried over to the field is a recipe for failure. A good frontline management solution compensates for the limited bandwidth and low-speed connections typical of the front line in several ways: by throttling patch or application downloads when they would otherwise interfere with user activities; by allowing data transfers to be scheduled for off-hours; and by using byte-level differencing so that only the changed portions of a file are sent during an update. The ability to restart a download at the point of interruption, rather than from the beginning, is also a must for networks that include wireless mobile devices. And because these transfers cross public and wireless networks, the management channel must authenticate and integrity-check every update it delivers before the device installs it. Again, while these are not "security" functions in themselves, they keep frontline devices safe by making it practical to distribute patches and to keep security applications and protocols up to date.
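To make the differencing and resume points concrete, here is an added example written for this article (not code from the original page or from the XcelleNet product). It uses fixed-size block hashing rather than true byte-level differencing, a simple copy/literal wire format, a simulated link that serves 40 bytes per request and drops once, and a constructed 530-byte "file" with one block changed and data appended; all of these are assumptions. The client resumes from the byte offset it already holds, as an HTTP Range request would, and refuses the rebuilt file unless its SHA-256 digest matches the one the server announced.

```python
"""Block-level delta update with resumable download and an integrity check.

Added example, not code from the original article or from XcelleNet/iAnywhere.
Block size, wire format, the flaky-link simulation and the sample data are
assumptions constructed for this demonstration.
"""
import hashlib
import struct

BLOCK = 64  # bytes per block; deliberately small so the sample shows the effect


def block_hashes(data: bytes) -> list:
    return [hashlib.sha256(data[i:i + BLOCK]).digest() for i in range(0, len(data), BLOCK)]


def make_delta(old: bytes, new: bytes) -> bytes:
    """Server side: encode NEW as 'C' (copy old block n) and 'L' (literal bytes) ops,
    so only blocks the client does not already hold are sent in full."""
    have = {h: i for i, h in enumerate(block_hashes(old))}
    out = bytearray()
    for i in range(0, len(new), BLOCK):
        chunk = new[i:i + BLOCK]
        h = hashlib.sha256(chunk).digest()
        if h in have:
            out += b"C" + struct.pack(">I", have[h])
        else:
            out += b"L" + struct.pack(">I", len(chunk)) + chunk
    return bytes(out)


def apply_delta(old: bytes, delta: bytes) -> bytes:
    """Client side: rebuild the new file from the old copy plus the delta stream."""
    out, pos = bytearray(), 0
    while pos < len(delta):
        tag = delta[pos:pos + 1]
        n = struct.unpack(">I", delta[pos + 1:pos + 5])[0]
        pos += 5
        if tag == b"C":
            out += old[n * BLOCK:(n + 1) * BLOCK]
        elif tag == b"L":
            out += delta[pos:pos + n]
            pos += n
        else:
            raise ValueError("corrupt delta stream")
    return bytes(out)


class FlakyLink:
    """Simulated slow wireless link: at most `mtu` bytes per request, and the
    connection drops once after `fail_after` bytes have been served."""
    def __init__(self, payload: bytes, mtu: int = 40, fail_after: int = 100):
        self.payload, self.mtu, self.fail_after = payload, mtu, fail_after
        self.sent, self.failed, self.requests = 0, False, 0

    def get_range(self, offset: int) -> bytes:
        self.requests += 1
        if not self.failed and self.sent >= self.fail_after:
            self.failed = True
            raise ConnectionError("link dropped")
        chunk = self.payload[offset:offset + self.mtu]
        self.sent += len(chunk)
        return chunk


def resumable_download(link: FlakyLink, total_len: int, max_retries: int = 5) -> bytes:
    """Keep what has arrived and ask for bytes from that offset after each drop,
    instead of restarting the whole transfer from zero."""
    buf, retries = bytearray(), 0
    while len(buf) < total_len:
        try:
            chunk = link.get_range(len(buf))
        except ConnectionError:
            retries += 1
            if retries > max_retries:
                raise
            continue                      # reconnect and resume at len(buf)
        if not chunk:
            raise ValueError("server returned no data before end of payload")
        buf += chunk
    return bytes(buf)


def verify(rebuilt: bytes, expected_hex: str) -> bool:
    return hashlib.sha256(rebuilt).hexdigest() == expected_hex


def update(old: bytes, new: bytes):
    """End to end: build the delta, announce the digest, download with resume,
    rebuild, and accept the result only if the digest matches.
    Returns (rebuilt file, delta size in bytes, number of link requests)."""
    delta = make_delta(old, new)
    expected = hashlib.sha256(new).hexdigest()   # in practice signed or fetched over TLS
    link = FlakyLink(delta)
    rebuilt = apply_delta(old, resumable_download(link, len(delta)))
    if not verify(rebuilt, expected):
        raise ValueError("integrity check failed; discarding update")
    return rebuilt, len(delta), link.requests


def tamper(delta: bytes) -> bytes:
    """Flip one byte inside the first literal op (simulates on-path corruption)."""
    bad = bytearray(delta)
    bad[delta.index(b"L") + 6] ^= 0x01
    return bytes(bad)


# Constructed sample: eight 64-byte blocks; the new version changes block 3 and appends data.
OLD = b"".join(bytes([65 + i]) * BLOCK for i in range(8))
NEW = OLD[:3 * BLOCK] + b"x" * BLOCK + OLD[4 * BLOCK:] + b"new signature data"
DIGEST = hashlib.sha256(NEW).hexdigest()

if __name__ == "__main__":
    rebuilt, delta_len, requests = update(OLD, NEW)
    print(f"delta {delta_len} bytes instead of {len(NEW)}, {requests} requests, ok={rebuilt == NEW}")
```

With the sample data the delta is 127 bytes against a 530-byte file, the transfer completes in five requests despite the dropped connection, and a single flipped byte in the delta is caught by the digest check rather than being installed. The digest (or, better, a signature over it) is the part that turns a bandwidth optimisation into a safe management operation on an untrusted network.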
Security is about imagining the worst that can happen, then preventing it. When prevention fails, however, such as when a laptop is stolen from an airplane's overhead bin or a handheld disappears during a walk in the park, a good frontline management solution offers last-ditch failsafes. It should be able to detect when an unauthorized user attempts to connect to the corporate server. It should allow the system administrator to remotely lock down a missing device. And it should provide a way for sensitive data on a device to "self-destruct" when pre-defined criteria are met, for instance after a set number of failed unlock attempts or a set period without contact with the management server.
Choosing integration

With well-known dangers lurking on the front lines, companies are installing power-on password software, personal firewalls, antivirus applications, antispyware and encryption software on mobile and remote devices. In their haste to protect these vulnerable systems, however, they should not forget that installation is only the beginning. How will the applications be managed? Who will install, configure and upgrade them: busy, non-technical users? How will the devices themselves be tracked, safeguarded and maintained?

Because security functions must be well managed in order to be secure, organizations should consider implementing a solution that combines management and security features tailored to the frontline environment. This kind of integrated solution keeps frontline devices as secure as their LAN counterparts, and not just until the next patch needs to be installed on 1,500 wandering devices.
About the author: Shari Freeman is the director of product strategy for the XcelleNet products group of iAnywhere Solution.
About iAnywhere: iAnywhere is the worldwide market leader in mobile and embedded databases, mobile middleware and mobile and remote device management. More than 15,000 customers and 1,000 partners rely on the company's award-winning enterprise products, including SQL Anywhere® Studio and XcelleNet frontline solutions. In addition, its AvantGo® mobile Internet service has more than ten million registered subscribers. iAnywhere is a subsidiary of Sybase, Inc. (NYSE: SY). Visit www.ianywhere.com for more information.
This was first published in October 2004