“Pretty much any input port on the PC can be locked down, including infrared and Bluetooth,” he says. “And you can build a whitelist of devices to enable them, rather than blocking everything.”
Understand what’s missing from your anti-virus and desktop firewall solutions and decide how you want to fill the gaps. Just because your users have desktop anti-virus protection and firewalls doesn’t mean that these systems are running or have appropriate updates. Many IT shops are complementing these security products to provide better endpoint protection.
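The gap described above, protection that is installed but not running or not updated, is exactly what a NAC posture check tests before it grants a PC network access. As an added illustration that is not from the article or from any vendor it names, this PowerShell script performs that check locally on a Windows 10/11 PC running Microsoft Defender; the MaxSignatureAgeDays threshold is an assumed policy value.

```powershell
# Added example: local endpoint posture check of the kind a NAC agent performs.
# Assumes Windows 10/11 with Microsoft Defender (Defender and NetSecurity modules).
# MaxSignatureAgeDays is an assumed policy value, not one from the article.
param([int]$MaxSignatureAgeDays = 3)

$findings = @()

# Anti-virus: being installed is not enough; the engine must be running, with
# real-time protection on and signatures that are not stale.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Anti-virus engine is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Signatures are $($mp.AntivirusSignatureAge) days old (max $MaxSignatureAgeDays)"
}

# Host firewall: every profile should be enabled, because a laptop that leaves
# the office lands on the Public profile, not the Domain one.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

# Missing OS patches count against the device as well. Uses the Windows Update
# COM API; the search can take a minute on a machine that is far behind.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates.Count
if ($pending -gt 0) { $findings += "$pending Windows updates pending" }

# Exit code 0 = compliant, 1 = non-compliant, so a NAC or login script can act on it.
if ($findings.Count -eq 0) {
    Write-Output 'COMPLIANT: endpoint meets the access policy'
    exit 0
}
Write-Output 'NON-COMPLIANT:'
$findings | ForEach-Object { Write-Output "  - $_" }
exit 1
```

Run it as an administrator; a non-zero exit code is the signal a NAC agent would use to hold the PC in a remediation VLAN until the findings are cleared.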
One method is to start with an anti-virus supplier and then migrate users to a more complete network access control (NAC) product that can work in conjunction with the operating system. You can stick with your existing anti-virus supplier and either upgrade to its NAC product or use someone else’s NAC software. Another option is to scrap your anti-virus supplier for a more comprehensive solution.
Take SouthCoast Bank in Pleasant, S.C., which decided to upgrade its Sophos anti-virus software. “We originally wanted to open up our network to transfer files from our customers to make it more convenient for them to do overnight deposits,” says Paul Hollen, the bank’s chief operating officer. “I was nervous about the potential exposure, and that’s how we got started looking at NAC solutions. The more I looked at it, the more I wanted the NAC piece running on our internal Windows PCs as well.”
The bank upgraded its anti-virus clients with the full NAC solution, which is now on more than 300 PCs. “We now have better controls,” reports Hollen, “such as for guest workers like the repair technicians who want to bring their laptops into our networks to fix our multifunction printers.”
The city of Miami decided to scrap its existing anti-virus solution in favor of eEye’s Blink security software. It chose this product because of its promise of being able to protect the city’s machines from zero-day exploits.
“What really helped was eEye’s willingness to put skin in the game and work closely with us during testing, pilots and the eventual rollout,” says Nelson Martinez Jr., systems support manager for the city’s IT department. “That really separated them from the pack.”
FN Manufacturing took a different tack and added Skyrecon’s Storm Shield security software to complement its existing Trend Micro anti-virus solution. “We needed something better than the individually managed firewalls on our laptops,” says Olivier Vanderstraeten, the network security manager of the Columbia, S.C.-based weapons manufacturer.
“We wanted something we could centrally manage, especially after we calculated how much time we were spending updating our security policies. Also, many users don’t bring their laptops to our offices, so, this way, we can make sure they have the latest updates.”
Set identity access policies carefully. As the number of compliance regulations increases, it is harder to understand their implications in terms of which staff is responsible for maintaining which identity access repositories. Often, enterprises end up having multiple sources with conflicting policies.
At Citizens Bank in Riverside, R.I., David Griffeth, vice president for business line integration, did an extensive overhaul of his identity management program. In the process, he found that the automated provisioning tool was not sufficient for role management.
“We needed to efficiently create roles to marry people with processes and technologies,” he says, “but found that [the existing solution] didn’t support the role management life cycle and didn’t include applications outside of its provisioning scope. We also found that our program wasn’t as dexterous as the business: As soon as our business needs changed or we acquired another bank, we had to use paper forms to update our systems. The worst thing for an identity management program is to go stale and not evolve at the rate of your business.”
The bank wanted a solution that would define roles quickly and maintain them efficiently. In the end, it chose Sailpoint. “We can see application profiles and which departments have access to them on a daily basis,” Griffeth says, “and we can manage this when change occurs. Our new program cut down access to various systems by 10 percent or more, and really tightened things down.”
Choose encryption and apply it intelligently at the most appropriate places around your network. After studying its encryption needs, Prudential Financial chose Vormetric’s Data Security Expert encryption software. The software “gives us the ability to effectively encrypt server-based data at rest and manage that protection effectively,” explains Thomas Doughty, Prudential’s chief information security officer. “We had some customers who needed a tool to encrypt data at the device rather than re-engineering any of our databases.
“We wanted to remove the burden of encryption from the servers that held our data so that we could operate at wire speeds. This is different from whole-disk encryption products—which are still important, especially for mobile users who have to carry confidential data with them. With the Vormetric system, our customers’ data, such as group health insurance plans, are encrypted before any information enters our servers, so we can be sure that we can manage and protect the data properly.” The solution was also attractive because it can scale as Prudential’s business increases.
There are many endpoint security solutions. The key is to understand what needs protection and to find out what’s missing from your existing security strategies and solutions.
Please send your comments and questions on this TechKnow article to editors@baselinemag.com.