The choice is clear: Choose both

It's impossible to keep frontline devices safe without both management and security functions from the moment they are rolled out to the field. But that's just the beginning...

On the front lines of the enterprise, systems management and security are one and the same

By Shari Freeman
As the trend to decentralize computing continues, more and more critical business functions are performed by sales reps on the road, night stockers in the warehouse, and cashiers at the cash register. These are the people on the "front lines" of the enterprise, the ones who have direct contact with customers and products. By empowering them with the latest technology tools, companies can improve customer service and gain a competitive advantage. However, this new paradigm also introduces serious concerns about how to pay for, secure and manage proliferating frontline computing devices. At this very moment, the following scenario is playing out in conference rooms around the world:

Executive: So, given our limited resources . . .

Systems Administrator (with a world-weary sigh): Yeah, the budget . . .

Executive: . . . and given that we've got 1,500 folks in the field who need upgraded mobile devices . . .

Systems Administrator: We've almost selected the vendor . . .

Executive: In your opinion what should we concentrate on right now, systems management or security?

Systems Administrator (after a long, long pause): We-ell. If I can't get direct oversight of every laptop or PDA out there, I'd sleep better knowing they at least have some antivirus software installed.

Executive: OK. Makes sense.

Unfortunately for the systems administrator's sleep, the budget, and the company itself, sense doesn't always lead to sensational results. This article will explain why the systems administrator's logical decision may prove to be disastrous; and why systems security and management cannot be thought of -- and should not be implemented -- as separate functions on the front lines of the enterprise.

A dangerous environment

The systems administrator in the above scenario understands that devices used on the enterprise front lines (mobile smart phones, PDAs and laptops, as well as point-of-service PCs at remote branches or retail sites) are extra-vulnerable to mishaps, misuse and malicious infiltration. For one thing, frontline devices are beyond the physical reach of the technicians who keep PCs on the traditional LAN ship-shape. For another, frontline users themselves are furiously on the go, which means they resist and resent troubleshooting sessions that last longer than a second or two. And to top it off, they aren't eager to spend time managing their own systems, or even typing in a password, when they have a customer to serve or a sale to make.

Frontline devices are also more vulnerable for the simple reason that they are outside the corporate firewall, and they're often used for both personal and business activities. They connect to more non-business web sites and exchange email with a wider variety of people. Small mobile devices are particularly at risk, simply because they can be easily left on a plane or stolen from a purse or glove compartment. If loss of the physical device were the only issue, it would be simply one of cost. But the truly scary part of the equation is the sensitive corporate data residing on these small devices, including client lists, product plans, sales figures and development calendars. Mobile and remote devices also connect freely with corporate systems, providing a path for hackers to enter the network, or for electronic pathogens to spread.

For all these reasons, it's easy to understand why the systems administrator in the scenario described above chooses security over management. Much better, he reasons, to get antiviral software installed as soon as possible, whether or not the devices will be managed efficiently. The choice, however, is a false one.

A false dichotomy

Given this reality, many enterprises are coming to understand that security and management really can't be considered separate functions -- that they are indeed one and the same. No security solution is truly secure unless it is combined with comprehensive management capabilities, and vice versa. If an enterprise is to secure its critical frontline devices, as well as the corporate network to which they connect, it must be able to:

  • Verify the current state of every device, including its operating system and all installed software;
  • Electronically distribute and install software patches, then verify that the process was successful on each and every device;
  • Distribute and install antivirus updates, enforce standard antivirus software configuration parameters, and retrieve local client antivirus logs;
  • Deploy updates to personal firewall software in the same manner, and enforce proper configuration settings;
  • Set and enforce configuration settings for Windows, including the Windows firewall;
  • Deploy and enforce predetermined security policies as they apply to remote and mobile devices.

None of these abilities can be described as "security" functions per se, yet all of them are required if frontline systems are to be secure. The converse is also the case: centralized management functions must be performed securely, or they may open the door to malicious intrusion or damaging code. Indeed, if appropriate security measures aren't taken, it's impossible to safely:

  • Transmit software updates and perform management functions over public networks;
  • Install software on frontline devices;
  • Configure firewall and antivirus software.

In short, security cannot be assured if frontline devices are invisible and unreachable; and systems management shouldn't be performed without sturdy security safeguards in place. In addition, neither management nor security tasks should require devices to be shipped back to headquarters, or technicians to visit remote sites. To avoid these serious blows to productivity, all such tasks should be performed electronically, from a central location.
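The verification the first list above calls for (the current state of every device, whether a patch actually landed, whether required settings are still enforced, and which devices have simply gone silent) can be expressed as a compliance sweep over the inventory reports a central console collects. The Python below is an added example for this article, not code from the author or from any iAnywhere/XcelleNet product; the policy keys, hostnames, version numbers and timestamps are constructed for illustration.

```python
"""Checking frontline device inventory against a baseline policy.

Added example for this article, not code from the author or from any
iAnywhere/XcelleNet product. The policy keys, hostnames and inventory
records are constructed for illustration.
"""
from datetime import datetime, timedelta

NOW = datetime(2004, 10, 15, 9, 0)  # constructed "current time" for the sweep

# Constructed baseline: minimum software versions and settings every device must report.
POLICY = {
    "min_versions": {"antivirus": "7.2.1", "personal_firewall": "3.0.0"},
    "required_settings": {
        "av_realtime_scan": True,
        "windows_firewall": True,
        "disk_encryption": True,
    },
    # A device whose last inventory report is older than this is treated as invisible.
    "max_report_age": timedelta(days=1),
}

# Constructed inventory reports, as a central console would collect them from agents.
REPORTS = {
    "laptop-sales-017": {
        "reported_at": datetime(2004, 10, 15, 8, 30),
        "software": {"antivirus": "7.2.1", "personal_firewall": "3.0.0"},
        "settings": {"av_realtime_scan": True, "windows_firewall": True, "disk_encryption": True},
    },
    "pda-warehouse-042": {
        "reported_at": datetime(2004, 10, 14, 22, 0),
        "software": {"antivirus": "7.1.9", "personal_firewall": "3.0.0"},
        "settings": {"av_realtime_scan": False, "windows_firewall": True, "disk_encryption": True},
    },
    "pos-branch-088": {
        "reported_at": datetime(2004, 10, 5, 17, 45),
        "software": {"antivirus": "7.2.1"},
        "settings": {"av_realtime_scan": True, "windows_firewall": False, "disk_encryption": True},
    },
}

# Devices the enterprise issued; anything here that never reports is a gap in coverage.
EXPECTED_DEVICES = ["laptop-sales-017", "laptop-sales-018", "pda-warehouse-042", "pos-branch-088"]


def parse_version(text):
    """Turn '7.2.1' into (7, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate_device(report, policy, now):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []
    age = now - report["reported_at"]
    if age > policy["max_report_age"]:
        findings.append(f"stale report ({age.days} days old): state unknown")
    for name, minimum in policy["min_versions"].items():
        installed = report["software"].get(name)
        if installed is None:
            findings.append(f"{name} not installed")
        elif parse_version(installed) < parse_version(minimum):
            findings.append(f"{name} {installed} below required {minimum}")
    for key, wanted in policy["required_settings"].items():
        actual = report["settings"].get(key)
        if actual != wanted:
            findings.append(f"setting {key} is {actual}, required {wanted}")
    return findings


def evaluate_fleet(expected, reports, policy, now):
    """Map every issued device to its findings, flagging devices that never reported at all."""
    results = {}
    for device in expected:
        if device not in reports:
            results[device] = ["no inventory report: device unreachable or unmanaged"]
        else:
            results[device] = evaluate_device(reports[device], policy, now)
    return results


def compliant_devices(results):
    """Names of devices with no findings, sorted for stable reporting."""
    return sorted(device for device, findings in results.items() if not findings)


if __name__ == "__main__":
    for device, findings in evaluate_fleet(EXPECTED_DEVICES, REPORTS, POLICY, NOW).items():
        print(device, "OK" if not findings else findings)
```

The stale-report check is what turns "we pushed the antivirus patch" into "we know it is on each device": a device that stops reporting is listed as a finding rather than silently counted as compliant, and a device that was issued but never enrolled shows up as unreachable.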

What to look for

The answer, then, is to implement a centralized frontline solution that includes both management and security functions. This kind of solution should 1) provide a central console for managing all frontline devices (point-of-service PCs, smart phones, PDAs and laptops) and their applications; 2) free users from performing management and security tasks; 3) take into account that the frontline environment is far different from a local area network; 4) be equipped to deal with worst-case scenarios.

Super-visible devices
Like the narrator in Dr. Seuss's book I Can Read with my Eyes Shut -- who finally admits he does read a little better when his eyes are open -- systems administrators find that, when it comes to keeping frontline devices safe, it helps when you can see what's going on. Especially when you can see it on a single, centralized console. By making frontline devices visible and accessible, a comprehensive frontline management solution makes them far safer from attack and misuse. Administrators can track which security software (as well as enterprise software) is installed on each device, whether it is properly configured, and how it is being used. They can also manage multiple security tools using a single interface, and keep an eye on how they are functioning. Organizations should look for a solution that can integrate with enterprise directories, such as Active Directory and other LDAP-based directories.

Liberated users
A unified frontline management solution shifts responsibility for device security from the users to the IT department. This is a huge relief to busy frontline workers, who would rather focus on customers than their computing devices. And it's a giant step towards better security for the enterprise, since leaving security up to users is like leaving jet engine maintenance up to pilots: not a good idea. A robust frontline management solution can be used to distribute and install patches and antivirus software; enforce configuration standards for firewall software; require that password protection and encryption functions remain turned on; ensure that connection protocols are secure; and automate all vital management tasks, including system backups.

Sensitivity-trained connections
A good management solution for the front lines should be optimized for an environment in which bandwidth is at a premium, connection speeds are slow and (in the case of mobile devices) data transmissions are frequently interrupted. Assuming that a patch management application that works on the corporate LAN can be transposed into the field is a recipe for failure. A good frontline management solution compensates for the limited bandwidth, low-speed connections typical of the front line in several ways: by throttling back patch or application downloads when they would otherwise interfere with user activities; by allowing data transfers to be automated during off-hours; by using byte-level differencing to ensure that only changed portions of a file are sent during updates. The ability to restart downloads at the point of interruption is also a must for networks that include wireless mobile devices. Again, while these are not "security" functions, they keep frontline devices safe by making it easy to distribute patches and to keep security applications and protocols up to date.
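Two of the mechanisms in this section, sending only the changed portions of a file and restarting a download at the point of interruption, fit together naturally: the device reports digests of the chunks it already holds, the server answers with a list of "keep" and "send" operations, and the device pulls that list across a link that keeps dropping, resuming from the first operation it has not yet received. The Python below is an added example for this article, not the author's code or any vendor's protocol. The chunk size, the sample file contents and the FlakyLink class are constructed; real delta tools such as rsync use rolling checksums so that inserted bytes do not shift every later chunk, which this fixed-offset comparison deliberately does not handle.

```python
"""Chunk-level differencing with a resumable download over an unreliable link.

Added example for this article, not the author's code or any vendor's protocol.
The chunk size, the sample file contents and the FlakyLink class are constructed.
"""
import hashlib

CHUNK_SIZE = 64  # constructed: small so the example is easy to follow


def chunk_digests(data, size=CHUNK_SIZE):
    """Digest of every fixed-size chunk; the device reports these instead of the file."""
    return [hashlib.sha256(data[i:i + size]).hexdigest() for i in range(0, len(data), size)]


def build_delta(old_digests, new, size=CHUNK_SIZE):
    """Server side: compare the device's chunk digests with the new file; send only changed chunks."""
    ops = []
    for idx, digest in enumerate(chunk_digests(new, size)):
        if idx < len(old_digests) and old_digests[idx] == digest:
            ops.append(("keep", idx, b""))
        else:
            ops.append(("send", idx, new[idx * size:(idx + 1) * size]))
    # Whole-file digest lets the device verify the rebuilt result, not just each chunk.
    return {"size": size, "ops": ops, "sha256": hashlib.sha256(new).hexdigest()}


def bytes_on_wire(delta):
    """Payload bytes actually transmitted for this update."""
    return sum(len(payload) for kind, _, payload in delta["ops"] if kind == "send")


class FlakyLink:
    """Constructed stand-in for a wireless link that drops after a fixed number of ops."""

    def __init__(self, ops, ops_per_attempt):
        if ops_per_attempt < 1:
            raise ValueError("link must deliver at least one op per attempt")
        self.ops, self.per_attempt, self.attempts = ops, ops_per_attempt, 0

    def fetch(self, offset):
        """Yield ops starting at `offset`; raise once the per-attempt budget is exhausted."""
        self.attempts += 1
        sent = 0
        for op in self.ops[offset:]:
            if sent == self.per_attempt:
                raise ConnectionError("link dropped")
            yield op
            sent += 1


def resumable_download(link, total_ops):
    """Device side: keep what arrived and ask for the rest from the first missing op."""
    received = []
    while len(received) < total_ops:
        try:
            for op in link.fetch(len(received)):
                received.append(op)
        except ConnectionError:
            continue  # partial progress is kept; the next fetch resumes where it stopped
    return received


def apply_delta(old, delta, ops):
    """Rebuild the file from kept old chunks plus received chunks, then verify the whole-file hash."""
    size = delta["size"]
    out = bytearray()
    for kind, idx, payload in sorted(ops, key=lambda op: op[1]):
        out += old[idx * size:(idx + 1) * size] if kind == "keep" else payload
    if hashlib.sha256(out).hexdigest() != delta["sha256"]:
        raise ValueError("rebuilt file failed integrity check")
    return bytes(out)


# Constructed sample: the device holds OLD; the server wants it to have NEW
# (chunk 3 rewritten, 40 bytes appended at the end).
OLD = b"".join(bytes([65 + i]) * CHUNK_SIZE for i in range(10))
NEW = OLD[:3 * CHUNK_SIZE] + b"d" * CHUNK_SIZE + OLD[4 * CHUNK_SIZE:] + b"K" * 40


def demo(ops_per_attempt=4):
    """Run the whole exchange; return (rebuilt matches NEW, bytes sent, connection attempts)."""
    delta = build_delta(chunk_digests(OLD), NEW)
    link = FlakyLink(delta["ops"], ops_per_attempt)
    ops = resumable_download(link, len(delta["ops"]))
    rebuilt = apply_delta(OLD, delta, ops)
    return rebuilt == NEW, bytes_on_wire(delta), link.attempts


def rejects_tampered_chunk(chunk_idx=3):
    """True if a chunk altered in transit is caught by the whole-file integrity check."""
    delta = build_delta(chunk_digests(OLD), NEW)
    bad_ops = [(k, i, b"x" * len(p)) if k == "send" and i == chunk_idx else (k, i, p)
               for k, i, p in delta["ops"]]
    try:
        apply_delta(OLD, delta, bad_ops)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ok, sent, attempts = demo()
    print(f"rebuilt ok={ok}, {sent} of {len(NEW)} bytes sent, {attempts} connection attempts")
```

With the constructed input, 104 of 680 bytes cross the wire and the link drops twice before the operation list is complete, yet the device never re-requests a chunk it already has. The whole-file digest at the end is the security half of the mechanism: a resumed download that was corrupted or altered in transit is rejected rather than installed.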

Pessimist-developed failsafes
Security is about imagining the worst that can happen, then preventing it. However, when prevention fails -- such as when a laptop is stolen from an airplane luggage bin or a handheld disappears during a walk in the park -- a good frontline management solution offers last-ditch failsafes. For instance, it should be able to detect if an unauthorized user attempts to connect with the corporate server. It should allow the system administrator to remotely lock down a missing device. It should provide a way for sensitive data on a device to "self-destruct" when pre-defined criteria are met.
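The three failsafes named here (detecting unauthorized connection attempts, remote lock-down of a missing device, and self-destruct of data when pre-defined criteria are met) come down to a server-side check-in handler plus a rule table. The Python below is an added example for this article, not the author's code or any vendor's implementation; the device identifiers, enrolment tokens, thresholds and timestamps are constructed for illustration, and the actions are returned as strings rather than pushed to a real device.

```python
"""Check-in authentication and lost-device failsafes for a frontline management server.

Added example for this article, not the author's code or any vendor's implementation.
Device identifiers, tokens, thresholds and timestamps are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

NOW = datetime(2004, 10, 15, 9, 0)  # constructed "current time" for the example

# Constructed policy: when to lock a device and when to trigger the data self-destruct.
POLICY = {
    "max_silence": timedelta(days=14),       # lock a device that has not checked in for this long
    "max_failed_unlocks": 8,                 # wipe after this many failed local unlock attempts
    "wipe_after_lost": timedelta(hours=24),  # wipe a reported-lost device not recovered in this window
}


def token_hash(token):
    """The server stores only a digest of each device's enrolment token."""
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed registry of enrolled devices and the state the console tracks for each.
REGISTRY = {
    "laptop-sales-017": {"token_hash": token_hash("tok-017-demo"), "lost_since": None,
                         "last_checkin": NOW - timedelta(hours=1), "failed_unlocks": 0},
    "pda-warehouse-042": {"token_hash": token_hash("tok-042-demo"),
                          "lost_since": NOW - timedelta(hours=36),
                          "last_checkin": NOW - timedelta(days=2), "failed_unlocks": 1},
    "pos-branch-088": {"token_hash": token_hash("tok-088-demo"), "lost_since": None,
                       "last_checkin": NOW - timedelta(hours=3), "failed_unlocks": 10},
    "laptop-sales-018": {"token_hash": token_hash("tok-018-demo"), "lost_since": None,
                         "last_checkin": NOW - timedelta(days=20), "failed_unlocks": 0},
}

AUDIT_LOG = []  # (time, device, event) tuples an administrator would review


def decide_action(record, policy, now):
    """Return 'wipe', 'lock' or 'none' from the pre-defined criteria; the most severe rule wins."""
    if record["failed_unlocks"] >= policy["max_failed_unlocks"]:
        return "wipe"
    if record["lost_since"] is not None:
        return "wipe" if now - record["lost_since"] > policy["wipe_after_lost"] else "lock"
    if now - record["last_checkin"] > policy["max_silence"]:
        return "lock"
    return "none"


def handle_checkin(registry, device_id, token, now, policy=POLICY):
    """Authenticate a device check-in; return (verdict, action to push to the device)."""
    record = registry.get(device_id)
    if record is None:
        AUDIT_LOG.append((now, device_id, "unknown device"))
        return "rejected_unknown", "none"
    # Constant-time comparison so a wrong token is not distinguishable by timing.
    if not hmac.compare_digest(record["token_hash"], token_hash(token)):
        AUDIT_LOG.append((now, device_id, "bad token"))
        return "rejected_bad_token", "none"
    action = decide_action(record, policy, now)
    if record["lost_since"] is not None:
        # A lost device that reappears is reachable again: push the failsafe, not normal service.
        AUDIT_LOG.append((now, device_id, f"lost device checked in, action={action}"))
        return "flagged_lost", action
    record["last_checkin"] = now
    AUDIT_LOG.append((now, device_id, f"accepted, action={action}"))
    return "accepted", action


def fleet_actions(registry, policy=POLICY, now=NOW):
    """Server-side sweep: decide the failsafe action for every device, online or not."""
    return {device: decide_action(record, policy, now) for device, record in registry.items()}


if __name__ == "__main__":
    for device, action in fleet_actions(REGISTRY).items():
        print(device, action)
```

Note that `fleet_actions` runs without any device contacting the server: the silence rule is what lets an administrator act on a device that has vanished, while `handle_checkin` is the point where a stolen device that comes back online receives the lock or wipe instead of a normal session.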

Choosing integration

With well-known dangers lurking on the front lines, companies are installing power-on password software, personal firewalls, antivirus applications, antispyware and encryption software on mobile and remote devices. In their haste to protect these vulnerable systems, however, they should not forget that installation is only the beginning. How will the applications be managed? Who will install, configure, and upgrade them -- busy, nontechnical users? How will the devices themselves be tracked, safeguarded and maintained?

Because security functions must be well managed in order to be secure, organizations should consider implementing a solution that combines management and security features tailored for the frontline environment. This kind of integrated solution ensures that frontline devices remain just as secure as their LAN counterparts -- and not just until the next patch needs to be installed on 1,500 wandering devices.

The truth is that management and security functions are so interdependent, that it's impossible to keep frontline devices truly safe without incorporating both functions from the first moment they're rolled out to the field. For example, let's assume the scenario described above results in antivirus software being installed on 1,500 mobile devices. A month later, who's to say whether this software is still correctly configured? Three months later, when the software needs a patch to resist a dangerous new worm, how fast can it be distributed? Once the patch has been shipped to the field, who knows whether users have installed it correctly -- or have done so at all? Security without good centralized management is simply a mirage.

About the author: Shari Freeman is the director of product strategy for the XcelleNet products group of iAnywhere Solution.

About iAnywhere: iAnywhere is the worldwide market leader in mobile and embedded databases, mobile middleware and mobile and remote device management. More than 15,000 customers and 1,000 partners rely on the company's award-winning enterprise products, including SQL Anywhere(r) Studio and XcelleNet frontline solutions. In addition, its AvantGo(r) mobile Internet service has more than ten million registered subscribers. iAnywhere is a subsidiary of Sybase, Inc. (NYSE: SY). Visit www.ianywhere.com for more information.

This was last published in October 2004
