The rapid evolution and personalisation of the ‘desktop’
Every admin knows it: written policies aren’t worth the paper they are printed on, writes Mark Austin, CTO of Avecto
The PC desktop is changing so fast that what used to confidently be called the ‘desktop’ is undergoing the sort of rapid evolution bound to throw up new and unfamiliar security challenges. Technological developments such as smartphones, tablets and mobile operating systems can be wheeled out to partly explain this change.
However, it is the humble user, rather than computer architectures or network topologies, that deserves the closest attention if we are to understand how the business desktop will be reshaped from the ground up over the next decade.
Put simply, employees are downloading and accessing a host of ‘grey’ mini-applications, services and browser plug-ins on a sometimes-industrial scale to run in parallel with traditional software licensed or developed to do the everyday work of a business.
As well as introducing a high degree of uncertainty and risk, this turns the established model of software deployment on its head. Where once, IT staff decided what ran, now employees have been handed the discretion to run what they fancy.
What use is policy?
Organisations might want to ban alien applications and social media plugins, but they are also aware that some of these services and applications are part of longer-term industry changes that can also generate new possibilities for a business. Can a way be found to reconcile the two worldviews?
Most organisations have a written computer usage policy to define authorised behaviour, which in specific instances will be enforced with an extra layer of technology to control which applications can run on a PC or open a port through the firewall. That offers certainty but is a blunt instrument that fails to address a range of underlying issues.
What happens if users misunderstand, forget or ignore the policy, or are simply socially engineered into installing risky applications? Can organisations any longer rely on mere usage policies to form a reliable part of their compliance stance? In any event, can applications be efficiently managed if IT staff lack reliable tools to perform simple discovery and control on a continuous basis?
One powerful and flexible tool with which to impose order on the chaos is a privilege management system such as Avecto’s Privilege Guard. Technically, privilege management is a way of controlling applications that demand admin rights under Windows to function, a legacy programming model that presents obvious security risks.
Using such a system in a least-privilege setting offers a way of blocking harmful applications (which often ask for admin rights to gain control of a target) while allowing ‘standard’ users to elevate these privileges according to pre-defined policies. But it doesn’t stop there.
Privilege management systems also come with a discovery and auditing function that admin staff use to assess the types of applications and rights used on a network over time; this provides a neat starting point from which to create a digital usage policy that can then replace the written protocols.
Bad management and the grey area
Once armed with a comprehensive picture of which applications are being used and under what conditions, the next stage is to divide applications into categories according to risk or their use to the business.
Leaving aside the hopefully small number of dangerous applications, there is no simple answer as to which applications and services run, and which don’t. Suffice it to say, this is a grey area that demands the attention of IT teams and staff consultations. Imposing a digital usage policy from ‘on high’ is bad management.
A particularly difficult example is that of social media applications. For staff in one department, these may offer no concerns to the business, while in another one down the hall data security issues would make unguarded use unthinkable.
Other examples are consumer cloud storage services such as Dropbox, which has risen to prominence for the way it allows users to work with data files across multiple types of ‘desktop’ – whether PC, smartphone, tablet or even home computer – without resorting to insecure flash drives. Many businesses without private clouds are keen to access such services, but worry about the risk to data accessible from multiple systems using uncertain authentication and remotely managed encryption, with no auditable compliance to speak of. Assessing where the limits lie with such services can be complex.
Installing without warning
Adopting privilege management concepts will not necessarily offer a complete solution thanks to a growing band of apps – Windows 8 ‘Metro’ apps for one – that install without asking for elevated rights.
Granted, Microsoft’s design improves on the mistake of creating applications that require privileges and end up being funnelled inefficiently through Windows User Account Control, but leaves hanging the question of whether even standard user apps should be allowed in the first place.
The challenge of Windows 8 apps is that the number of possibilities increases from the few dozen usual suspects found in today’s desktop environment to potentially thousands or even tens of thousands.
A clear answer could be application whitelisting (allowing a pre-defined group of applications), or its twin: blacklisting (disallowing specific applications). As far as Windows 8 is concerned, Microsoft provides tools to manage Windows Store apps through AppLocker Group Policy. However, privilege management systems will also do the same job in a way that then integrates with broader application management requirements.
Because it is impossible to authorise each and every app dynamically, the best way to proceed is to define a family of acceptable apps using whitelisting, updating this policy as regularly as practical.
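As an added example of the AppLocker packaged-app whitelisting just described (this is not Avecto’s or Microsoft’s code), the PowerShell below discovers the Windows Store apps already installed, turns the ones from approved publishers into an allow-list, applies it in audit mode first, and shows the resulting policy for the audit trail. The output path, the approved-publisher list and the use of the local policy (rather than a GPO) are assumptions.

```powershell
# Added example, not Avecto's or Microsoft's code: build an AppLocker packaged-app
# (Windows Store app) allow-list from what is already installed, start it in audit
# mode, and apply it locally. Assumes Windows 8 or later with the AppLocker and Appx
# modules, an elevated session, and the Application Identity (AppIDSvc) service running.
Import-Module AppLocker
Import-Module Appx

$PolicyPath = 'C:\Temp\PackagedAppAllowList.xml'   # assumed output path

# 1. Discovery: the packaged apps present for every user profile on this machine.
$installed = Get-AppxPackage -AllUsers

# 2. Review: keep only apps whose signing publisher the business has approved.
#    The list below is a constructed sample; in practice it is the outcome of the
#    staff consultation the article calls for.
$approvedPublishers = @(
    'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
)
$approved = $installed | Where-Object { $approvedPublishers -contains $_.Publisher }

# 3. Publisher rules survive app updates; hash rules would break on the next version.
$fileInfo = Get-AppLockerFileInformation -Packages $approved
[xml]$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                                   -User Everyone -Optimize -Xml

# 4. AppLocker enforces a collection as soon as it contains any rule, so set the
#    Appx collection to AuditOnly first. The 'Packaged app-Execution' AppLocker event
#    log then shows what would have been blocked; change to 'Enabled' once reviewed.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    if ($collection.Type -eq 'Appx') { $collection.EnforcementMode = 'AuditOnly' }
}
$policy.Save($PolicyPath)

# 5. Apply. -Merge leaves the EXE/DLL/script/MSI collections as they were.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 6. Audit trail: what the effective policy now says about packaged apps.
(Get-AppLockerPolicy -Effective).RuleCollections |
    Where-Object { $_.RuleCollectionType -eq 'Appx' } |
    ForEach-Object { $_ | Select-Object Name, Action, UserOrGroupSid }
```

Re-running steps 1 to 3 on a schedule and diffing the generated XML against the previous version is one practical way to keep the whitelist as current as the text recommends.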
The specific example of Windows 8 apps underlines the importance not simply of auditing the applications being used, but of doing the same for the policy itself. Digital policies should never become fixed in stone; a good policy is always as recent as possible.
The conclusion from all this is that the new desktop is dynamic, fast-evolving and defined as much by what users do as what IT vendors deem to be useful. The user is now in control of the organisation’s destiny and IT teams need to adapt. That’s a huge change that asks not only for a new mind-set, but the tools to make such a world possible. What admins can’t do is cling on to the past and its fading certainties.