City's mobile method: Central management, full-disk encryption and no BYOD (yet)
- By William Jackson
- May 17, 2012
Most of the 2,800 network endpoints being managed by the IT department of the city of Fresno, Calif., are not particularly mobile. About 92 percent of them are desktops and only about 8 percent are laptops and tablets.
Still, “with some departments we had a challenge managing and locating devices,” said Paul Pedron, the city’s senior network system specialist. As offices are consolidated and manpower is reduced over the years, IT assets get moved around, including desktops. “Knowing where they are is key.”
Fresno has been using ZENworks from Novell to keep track of devices, as well as using the newly expanding functionality of the device management suite to improve security. Location-based security policies can be applied depending on the type of connection being used, and full-disk encryption has been added to protect data at rest.
“If a device is lost or stolen, we want to be able to at least secure the city’s data,” Pedron said. “Full-disk encryption allows us to fully lock down the device.”
Full-disk encryption is an added feature of the latest release of the product, ZENworks 11 Support Pack 2, along with remote management and asset management for Mac devices and patching for OS X.
Fresno has been using ZENworks for years and already has experience with the latest release as a beta tester. “We have graduated through the product with each revision since 2.0,” Pedron said. Each one is tested in beta before being put into production.
Being a beta tester has some costs associated with it. “We dedicate some time to it, some of it after hours,” Pedron said. But in return it helps the city get the functionality it wants in the tools while Novell gets a tool that is ready for production use. “They have been really responsive.”
ZENworks enables management of a variety of endpoint devices from a central console, with the ability to enforce security policy and push configuration requirements. Each policy server can manage about 3,000 devices if all features are being used, said Novell senior product manager Jason Blackett. Satellite servers also can be used in remote offices with limited bandwidth. The satellite server can receive a single instance of a pushed configuration, which then can be sent to local nodes.
Distribution of patches, updates and other configuration changes also can be done through existing file servers. This is an effective way to distribute within an enterprise, while using the ZENworks server to distribute via HTTP can ease the task of distributing to devices outside the firewall.
Stolen device protection
Full-disk encryption uses 256-bit AES encryption to make all data on a device unavailable if it is lost or stolen. A copy of the encryption key is uploaded to the server for data recovery if the device is recovered. File-based encryption policies also can be managed from the endpoint security manager, which allows policies to be set for access and use of files, along with application white- and blacklisting.
One feature recently added in SP 1 is power management, which enables policies on when devices will power down when not in use. “We had a separate product in place to manage that,” Pedron said. “That’s been a great benefit.”
Fresno uses ZENworks to ensure that proper policies are being applied to remote devices, depending on the type of network connection being used, Pedron said. “The most common one is from home,” he said. This requires a VPN for a secure connection. For connections over unsecured public WiFi, restrictions are placed on what the user is able to access.
What ZENworks does not do at this point is manage mobile devices, such as smart phones. “We’re looking at products to be able to manage these types of devices,” Pedron said, although that will be primarily for future rather than current needs. “We don’t have a lot of them in the city. People want to bring their own devices, but we don’t allow that.”
But it is inevitable that these devices eventually will make their way into the city’s infrastructure, he said. They would be convenient tools for persons working in the field who do not need the full functionality of a laptop or tablet computer. “I believe that is coming up in the future” from ZENworks, he said.
William Jackson is a freelance writer and the author of the CyberEye blog.