The White, the black and the grey…

Most organizations believe they have a fairly clear picture of how their enterprise network is configured and the devices attached to it. When it comes to identifying rogue assets, it’s usually a matter of white or black.

Whitelisted assets are clearly inventoried and actively managed by the enterprise. Blacklisted assets range from virus-infected computers to machines that pose no overt harm but do not conform to the enterprise security dress code.

IT departments must now also deal with a third class of network assets: greylisted devices. Greylisted devices are usually brought into an organization by employees and used to perform legitimate work. They tend to be consumer products that users believe are faster, easier to use and generally more advanced than the standard equipment issued by the enterprise. Can you say iPhone?

For many end users, it can be a painful experience to use a three-year-old computer when they believe that the performance of currently available equipment has quadrupled since their office PC’s purchase date. On the software side, users might ask why they should put up with stodgy e-mail when they really want to exchange text messages. And if 70% of their hard disks are empty, why not fill that space with MP3 files or wedding photos?

Many IT managers would argue that managing greylisted assets is easy: simply ban them from the infrastructure. But it’s not that simple. First, end user claims of improved productivity might have an element of truth in them. Secondly, the cost of alienating younger workers may be too high. Finally, technology that end users bring with them is very often technology that their organization doesn’t have to buy. Like it or not, greylisted assets need to be factored into IT management programs.

Real-time visibility into the assets, software and activity inside an infrastructure is the primary prerequisite for getting a handle on the greylisted assets problem. After all, how can you manage what you can’t see? Visibility must extend to greylisted assets’ configurations and their actions on the network. It’s not enough to know that a non-standard PC has just logged on. You also need to know what software the machine runs and whether any of its processes could disrupt the infrastructure. Because a greylisted device by definition carries no enterprise management agent, that picture has to be assembled from what the network itself observes (addresses, authentications, traffic) rather than from what the device reports about itself.

As IT managers have less control over the kinds of devices that play on their networks, the question becomes less about managing tangible assets and more about protecting information and controlling processes. This argues for a policy-driven approach to information security management that encompasses both conditions and actions. ‘Policy’ here is a broad term: a policy can state a condition (‘all Windows XP devices should have the latest Microsoft patches’) or constrain a process (‘we forbid transfer of documents containing credit card numbers to USB drives’).

Policies also have the advantage of a preemptive bias rather than a reactive one. A policy is a higher-level description of a desired result, accomplished through a series of automated decisions about eligibility (‘Does this PC really need this patch?’) and execution (‘If yes, load patch, restart machine, confirm configuration, report back’).
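As an added example (not code from the original post), here is a small policy evaluator that separates the two kinds of policy described above: a condition policy checked against a device record (an eligibility decision followed by execution steps) and a process policy checked against an action. The device records, the "latest patch" table and the USB-copy events are constructed for the illustration. The credit-card check combines a digit-pattern match with the Luhn checksum, which is how DLP tools avoid flagging every arbitrary 16-digit number.

```python
import re
from dataclasses import dataclass

# Constructed inventory record. 'managed' distinguishes a whitelisted
# (inventoried) asset from a greylisted one that merely showed up on the network.
@dataclass
class Device:
    name: str
    os: str
    patch_level: int
    managed: bool

# Constructed activity record, e.g. what an endpoint or DLP sensor would report.
@dataclass
class Event:
    device: str
    action: str      # "copy_to_usb", "email", ...
    payload: str     # text of the document involved

# Hypothetical "latest patch" table; real values would come from the vendor feed.
LATEST_PATCH = {"Windows XP": 3}

# Execution steps named in the post, run only when the eligibility check says so.
EXECUTION_STEPS = ["load patch", "restart machine", "confirm configuration", "report back"]

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    """True if text holds a digit run that both looks like a card number and passes Luhn."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def condition_policy_patches(device: Device) -> list:
    """Condition policy: 'all Windows XP devices should have the latest patches'.
    Returns the execution steps to run, or [] when the device is out of scope or
    already compliant. The inventory flag is deliberately not consulted: the
    policy applies to greylisted devices exactly as it does to whitelisted ones."""
    required = LATEST_PATCH.get(device.os)
    if required is None:
        return []                            # policy does not cover this OS
    if device.patch_level >= required:
        return []                            # eligibility: already current, nothing to do
    return list(EXECUTION_STEPS)


def action_policy_usb(event: Event) -> str:
    """Process policy: 'no documents containing credit card numbers to USB drives'."""
    if event.action != "copy_to_usb":
        return "allow"                       # this policy constrains only USB copies
    return "deny" if contains_card_number(event.payload) else "allow"


if __name__ == "__main__":
    devices = [
        Device("acct-desktop-07", "Windows XP", 3, managed=True),
        Device("bobs-netbook", "Windows XP", 1, managed=False),    # greylisted, out of date
        Device("bobs-iphone", "iPhone OS", 0, managed=False),      # greylisted, out of scope
    ]
    events = [
        Event("bobs-netbook", "copy_to_usb", "Refund to card 4111 1111 1111 1111 exp 12/11"),
        Event("bobs-netbook", "copy_to_usb", "Order 1234 5678 9012 3456 shipped"),  # fails Luhn
        Event("bobs-netbook", "email", "Refund to card 4111 1111 1111 1111"),       # not USB
    ]
    for d in devices:
        kind = "whitelisted" if d.managed else "greylisted"
        print(f"{d.name} ({kind}): {condition_policy_patches(d)}")
    for e in events:
        print(f"{e.device} {e.action}: {action_policy_usb(e)}")
```

The point of leaving `managed` out of both policy functions is the one the post makes: once policy is expressed over configurations and actions, ownership of the device stops being the deciding input. What the evaluator still needs is the visibility data itself, which for a greylisted device has to come from the network rather than from an agent the enterprise never installed.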

It’s a cliché to say that the IT security threat environment is evolving faster and becoming more dangerous. With the proliferation of greylisted devices, IT infrastructure security and configuration management is also becoming more ambiguous. The issues are progressively moving away from questions of black and white to shades of grey. As this occurs, managers should focus on policy-based approaches to managing what happens to information rather than fending off individual threats to the integrity of hardware or software assets.


8 thoughts on “The White, the black and the grey…”

  1. “Secondly, the cost of alienating younger workers may be too high.”

    That was the topic of an article I read this morning in the WSJ tech journal... the so-called Millennials are much more likely to shrug off IT policies than older employees if the policies try to restrict which technology they use to get their job done.

    So if I understand you right, the IT policies should be a function of user behavior or information movement (not sure that is the right term) rather than on what device or software the employee is using?

  2. @Jon

    Absolutely. As mobile devices such as iPhones become more ubiquitous and there is little difference between how a laptop, a desktop and other devices are used, it is imperative that organizations look at usage of data and services, as opposed to trying to manage devices as disparate entities with little overlap between them.

  3. So let’s say you go with this approach. Are you saying that we would be left with strong data security, but with lots of grey devices in our networks, doing god-knows-what and in various states of secure down through pants-already-down?

    Or maybe you want more NAC-type stuff, but doesn’t that mean I need either administrative rights to Bob’s iPhone so I can examine it, or he needs to let the NAC inspection occur with rights, or my inspection needs to break into it and grab control? Isn’t this just a more complicated form of signature-based AV, only with systems? And how can I possibly anticipate all the various grey devices my users might bring in?

    I’m not so sure I’d buy moving away from a “Don’t use devices not approved by IT,” stance.

  4. @Lonervamp

    Now, I never said that you shouldn’t manage devices; in fact IT has to. I am making several statements:

    1. Recognize that these devices will access corporate services and data – they can’t simply be ignored
    2. IT needs to manage these devices just as they would laptops or desktops – there is little difference between the laptop Bob in accounting uses to access a SaaS app and the iPhone he uses to do the same.
    3. The impetus to manage these is being driven by the potential loss of data, the inability to scope the problem due to a lack of visibility, and a desire to understand the impact of such non-corporate-owned assets on productivity, cost, etc.
    4. And, unfortunately, NAC could help if it actually worked, didn’t cost an arm and a leg, and had the ability to even identify such devices.
