Have you ever wondered how efficient your systems management is? Here’s some questions that will allow you to create some metrics of that:
How many network interfaces are currently connected to your IP network?
How many hosts are there, and what OS are they running?
For each OS, how many systems are up to date with the latest patches?
How long did it take to complete the latest patch cycle (that successfully updated 100% of the OS population)?
For the systems that run an antivirus/malware protection, how many are up to date with the latest configurations?
How many users are currently conected to the network?
Except for the last one, you should have a way of answering those questions. If you don’t then you can stop pretending that the systems connecting to your network are actually managed.
You can as well remove the network from the picture (maybe because endpoint security is not there yet) and consider the entire fleet of computer systems that belong to your organisation. But I reckon that won’t help much answering the questions. How do you know what’s on the system that hasn’t connected back to your network for three months? Information about its patching and malware protection state, application environment and the user is not available. So perhaps we’ll have to wait for the system to connect back to network where it can be managed (which brings us to question 1)?
No. The Internet is also your network. And there is a good model to follow for systems management: BlackBerry Enterprise Solution. It allows to buy a device off the shelf and build it to become a part of your enterprise – securely. It is location- and connectivity-independent. And it allows to configure the devices in a way that they self-destroy after not calling home for extended period of time. restrictions do apply here but this is where it’s going. So at every point in time you have reasonable idea of the current status of your systems – and the answers to the questions above. Restrictions do apply here but this is where it’s going. I’d like to see similar type of approach implemented for Windows and UNIX/Linux workstations.
The alternative is to give up the workstations and concentrate on the server room/datacentre security. It should be easy to provide the metrics for the server-only environments. In this case, document control becomes a real issue. Perhaps thin client access will help? Maybe, but I’m not overly enthusiastic about taking away the sense of my computer from the users. And thin client environments can be spectacular disasters.
Good systems management has everything to do with security – they go hand by hand. It is a responsibility of security administrators too to make sure that the systems are properly managed. Another responsibility is to model the situations where systems management will fail (due to intrusion, or negligence), and have a plan for the response. But if security management excludes some systems and users that have access to your information, however insignificant they are – that becomes the weakest link where the entire organisation’s information security fails.