Most organizations believe they have a fairly clear picture of how their enterprise network is configured and the devices attached to it. When it comes to identifying rogue assets, it’s usually a matter of white or black.
Whitelisted assets are clearly inventoried and actively managed by the enterprise. Blacklisted assets can include virus-infected computers or machines that may pose no overt harm, but do not conform to the enterprise security dress code.
IT departments must now also deal with a third class of network assets, greylisted devices. Greylisted devices are usually brought into an organisation by employees and used to perform legitimate work. They often tend to be consumer products that users believe are faster, easier to use, and generally more advanced than standard equipment issued by the enterprise. Can you say iPhone?
For many end users, it can be a painful experience to use a 3 year-old computer when they believe that performance of currently available equipment has quadrupled since their office PC’s purchase date. On the software side, users might ask why they should put up with stodgy e-mail when they really want to exchange text messages. And if 70% of their hard disks are empty, why not fill that space with MP3 files or wedding photos?
Many IT managers would argue that managing greylisted assets is easy – simply ban them from the infrastructure. But it’s not that simple. End user claims of improved productivity might have an element of truth in them. Secondly, the cost of alienating younger workers may be too high. Finally, technology that end users bring with them is very often technology that their organisation doesn’t have to buy. Like it or not, greylisted assets need to be factored into IT management programs.
Real-time visibility into assets, software and activities inside an infrastructure is the primary prerequisite for getting a handle on the greylisted assets problem. After all, how can you manage what you don’t see? Visibility must extend to greylisted assets’ configurations and their actions on the network. It’s not enough to know that a non-standard PC has just logged on. You also need to know what software the machine runs, and whether it is running any processes that could disrupt the infrastructure.
As IT managers have less control over the kinds of devices that play on their networks, the question becomes less about managing tangible assets and more about protecting information and controlling processes. This argues for a policy-driven approach to information security management that encompasses both conditions and actions. Policy can be an all-encompassing term that can specify conditions – ‘Our policy is that all Windows XP devices should have the latest Microsoft patches’ – or processes – ‘We forbid transfer of documents containing credit card numbers to USB drives.’
Policies also have the advantage of a preemptive bias rather than a reactive one. A policy is a higher-level description of a positive result that may be accomplished through a number of associated automated decisions about eligibility (‘Does this PC really need this patch?’) and execution (‘If yes, load patch, restart machine, confirm configuration, report back.’)
It’s a cliché to say that the IT security threat environment is evolving faster and becoming more dangerous. With the proliferation of greylisted devices, IT infrastructure security and configuration management is also becoming more ambiguous. The issues are progressively moving away from questions of black and white to shades of grey. As this occurs, managers should focus on policy-based approaches to managing what happens to information rather than fending off individual threats to the integrity of hardware or software assets.