Beyond the ‘land of no’: 5 ways to balance user satisfaction and endpoint security
Government agencies are facing the same security challenges as private enterprise, especially when it comes to the desktop. Agencies increasingly find their employees and consultants want to enjoy the flexibility and efficiency of having their user profile follow them, whether they’re logging in at headquarters in D.C., a satellite office in Kansas or at home.
Desktop virtualization creates the expectation among users that their profile will follow them regardless of location. This desire brings with it a number of security concerns because, regardless of workers’ locations or which endpoint device they might use, IT needs to enforce the correct, user-specific security policies and controls. Whether it’s between work and home, or between agency offices, the controls must be in effect. Given the often-sensitive nature of information the government processes, it is imperative that endpoint security levels be correctly administered.
As agencies increasingly move to desktop virtualization to simplify and centralize access to classified and unclassified information, the issue of traveling user profiles and adequate controls is becoming even more critical. However, there are five practical steps agencies can take right now to provide workers access to their personalized desktop yet give agency IT managers the controls they need to deliver a secure data flow.
1. Revisit the control scenario. It may seem counterintuitive, but IT managers should evaluate whether they have gone overboard in exacting controls. What functions require a help desk call to change but pose no risk to the environment? Eliminate these first. Changing time zones or adding a printer for users who travel, for example, should not take up valuable IT time at a help desk. These user-specific tasks do not carry an inherent risk, so administrative time is not needed.
2. Refresh user rights. Once the number of controls has been pared down -- saving IT and help desk time in the process -- examine the policies on user rights management. Too often, with government agencies, it’s an all-or-nothing scenario. To effectively function in the virtual environment, users must be freed from any particular place or device, and IT must have the capability to dole out administrative rights individually. The most effective method limits the opening of unknown or unexamined executables to ensure that only applications with ‘trusted ownership’ can run, and also enforces least-privilege access so users access only what they need.
It is important that this approach be proactive rather than reactive. Implement security controls to prevent the addition of unauthorized applications instead of reactively monitoring endpoints for unauthorized applications and then moving to request removal.
3. Deliver user satisfaction. The objective is balance -- executing policies and user controls to ensure the endpoint is secure, while providing workers a satisfying and consistent user experience. In many agencies, the balance is tipped in favor of the IT department, which errs on the side of caution and locks down the environment for security purposes. Efficiencies such as favorites, auto population, signatures, application customization and custom dictionaries (especially with all of the government acronyms) are examples of the type of personalization users have come to expect. IT must review these personalization functions, determine whether any of them carry risk, create appropriate controls as needed and allow the non-risk personalization functions to continue. A flexible solution will bring the relationship between IT and end users into balance.
4. Enact geolocation controls. How can IT managers control access when employees are moving among locations and even among devices? Fortunately, location awareness technology can supply this capability. Using simple inputs such as IP address or the computer model number and/or MAC address, a dynamic policy can determine whether the user profile should be working in a more restrictive mode based on a change in location. For example, a doctor inside a hospital can access patient records, but when he logs in at the Starbucks across the street, his patient-record access is prevented. These geolocation controls can be applied to any situation in which sensitive and/or private customer information exists.
Technology has evolved to the point that IT can add even more granular filters beyond location, such as user groups, machine names and date/time filters, to name a few. But location controls are a good place to start.
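The location rule and the additional filters described above can be expressed as a small policy evaluator. This is an added illustration, not AppSense code: the networks, group names, machine-name prefixes, hours and resource names are all constructed, and it assumes the IP address is the one observed for the session rather than one the endpoint reports about itself.

```python
import ipaddress
from datetime import datetime, time

# Constructed policy: every network, group, prefix and resource name is illustrative.
RULES = [
    {"name": "hospital-campus",
     "networks": ["10.20.0.0/16"],
     "groups": {"clinicians"},
     "machine_prefix": "HOSP-",
     "hours": (time(6, 0), time(22, 0)),
     "grants": {"patient_records", "email", "intranet"}},
    {"name": "satellite-office",
     "networks": ["10.40.8.0/24"],
     "groups": {"clinicians", "staff"},
     "machine_prefix": "",          # any machine name
     "hours": (time(0, 0), time(23, 59, 59)),
     "grants": {"email", "intranet"}},
]
RESTRICTED = frozenset({"email"})   # applied when no rule matches


def evaluate(ip, groups, machine, when):
    """Return (rule_name, granted_resources) for one logon.

    Assumption: `ip` is the address the broker observed for the session,
    not a value the endpoint reported about itself.
    """
    addr = ipaddress.ip_address(ip)
    for rule in RULES:
        start, end = rule["hours"]
        checks = (
            any(addr in ipaddress.ip_network(n) for n in rule["networks"]),
            bool(rule["groups"] & set(groups)),
            machine.upper().startswith(rule["machine_prefix"]),
            start <= when.time() <= end,
        )
        if all(checks):             # every filter must pass, not just location
            return rule["name"], rule["grants"]
    return "restricted-default", RESTRICTED


def can_access(resource, ip, groups, machine, when):
    """True if the resource is granted for this logon context."""
    return resource in evaluate(ip, groups, machine, when)[1]
```

An unrecognized location falls through to the restrictive set instead of inheriting the last matched rule, which is the behavior the doctor example describes.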
5. Enable dynamic rule changes. Sometimes agency or department professionals will need access, on the fly, to data or operational tasks for which they previously did not have clearance. IT needs to have an unambiguous rights-management process in place to evaluate and accommodate these user requests. This process gets even more complex when agencies manage users and teams across multiple networks, with different security levels. To manage this process, agencies are using improved end-user management capabilities so that only users with the right access, in the right location, have access to restricted information.
The IT department, with proactive, appropriate security controls, no longer has to be the ‘land of no.’ IT managers can look at the individual, endpoint level and stop controlling functions that can be handled at the user profile level. Using existing technology, IT can strike the ideal balance: End users enjoy a more open and flexible environment and maintain the personalization they desire, and IT can rest easy that security controls are proactively in place for all sensitive applications.
Jim Mills is director of federal markets for AppSense.