Automated Policies Pull Tech Assets, Business Together

THE USER MORASS
At the other end of the spectrum, establishing enforceable policy on Windows desktops across an enterprise is a daunting task. Policies should include a required security checklist for configuring user systems as well as direction concerning application usage, passwords, and Web content accessibility. It should be tight enough to keep malware off systems, yet not so strict that users are prevented from doing their jobs. Because many policies are designed to prevent users from making modifications, a poorly planned set of guidelines can be difficult to adapt as the needs of the user or business change. Top 11 Questions To Ask
PBSM Vendors 1. What environment do you focus on: desktops, application servers, network devices, or mobile handsets? 2. What types of platforms/operating systems are supported? 3. What policies and default rules are included? 4. Can I edit policies? If I edit them, am I still supported? 5. How effectively can I deploy the product in a complex, mixed legacy environment? 6. Are agents required? If so, how are agents deployed, configured, and managed? What kind of load will they place on my systems, and can I get that in writing? 7. If you offer desktop policy management, do you use the existing Windows policy infrastructure or deploy a new layer of technology to enforce policies? 8. What type of central console is available to manage and change my policies? 9. As my organization changes and new policies need to be developed, how easy is it to deploy them into my environment? 10. Can I enforce, audit, and report on my policies? 11. How does your product document policies? Secure Elements' C5 is focused on security configurations for Microsoft Windows operating systems, using proprietary agents on each host machine. It works to identify security vulnerabilities and compliance gaps, then resolve the issues. C5 is unique in being able to overlay policy-based management on an existing set of user systems, in contrast to many other user management products that are really effective only at the point of OS migration and have a hard time showing ROI in a legacy environment.

If you're moving to Vista, look at products like ScriptLogic's Desktop Authority. ScriptLogic's approach can apply policies even down to USB and other removable storage devices. Although it requires an agent, ScriptLogic doesn't use Windows group policies, which have limitations in terms of deploying and managing flexible policies. With ScriptLogic, software can roam with users, allowing enforcement based on role rather than physical hardware.

Another common challenge is dealing with password policies, helping users with password resets, and working with groups and users requiring different levels of security--a one-size-fits-all Windows password policy is often too limiting. Special Operations Software facilitates creation of password policies for different groups of users without rearchitecting your Windows domain and Active Directory structure. Special Operations actively helps users select passwords that meet corporate policy for their groups. Through a .dll installation on the client, and using the existing group policy infrastructure, deployment complexity is kept to a minimum.

Keeping an eye on employee desktops is a touchy subject--no one wants to be the blog police, but sites that distribute objectionable content must be blocked. Products such as Websense and Zihtec Internet Control for Business provide customizable content filtering and can allow IT to enforce granular policies--for example, defining hours when Internet shopping sites can be visited or blocking them altogether. Zihtec can also restrict content that can be sent over the Net and limit foul language. Websense allows IT policy managers to set options for managing Web access and even filter sites based on time of day.

However, setting user policy can be anything but straightforward. Overly restrictive policies may have unintended negative consequences. A survey by the University of Maryland found that employees with Web access at both the office and at home spend an average of 3.7 hours per week engaged in personal online activities while on the job. However, they spend more time, an average of 5.9 hours per week, using the Internet at home for business-related purposes. Allowing Internet access actually resulted in more time spent working, which illustrates how complex implementing a desktop control policy can be. It's a good reminder that an employee sits behind every desktop, and policy management ultimately comes down to people.

TIME TO AUTOMATE
For policy management to be truly effective, automation is required. The complexity of complying with multiple laws, regulations, and best-practice guidelines, combined with the fast pace of vulnerabilities, make manual policy management a losing proposition for companies of any size.

This article, the third in a four-part series, is just one element of a special CMP Technology multimedia package on business innovation. For links to related stories from InformationWeek and additional editorial content, go to businessinnovation.cmp.com.

Aside from audits and meeting best-practice guidelines, policy management can provide other benefits to your organization. Controlling user devices can reduce downtime and complaints related to poor performance. Attacks from malware and viruses can be radically reduced or eliminated by ensuring that the right security software is installed and up to date. A solid configuration management system, required for policy management, also can reduce costs and optimize your technology investment.

Some products are starting to make sense of the chaos, and we'll be watching the vendor landscape to find one that can do it all.

Michael Biddick is a contributing editor for InformationWeek andNetwork Computing and executive VP of solutions at Windward Consulting Group, a firm that helps organizations improve IT operational efficiency. Write to him at [email protected].

Imaging by Sek Leung