7.4. A Clean Desk(top)

If your organization is large, you might also have a desktop team, known as desktop management, desktop security, or some other moniker. This team manages every computing (and input) device that the organization owns, operates, or manages, including any device that an employee or a contractor operates on the organization's behalf.

If you don't have a desktop management team, consider creating one, or at least assign someone the duty of covering all the devices.


A desktop management team is ultimately responsible for

  • The actions of any computing device that the organization owns, operates, or manages, including what happens when a device attempts to access the organization's network.

  • Anything and everything that's initially loaded or subsequently downloaded onto the device, including any software applications.

  • Any sort of hardware, storage, or other device type that's ultimately attached to a computing device.

  • Policing desktop and other computing devices to ensure that users maintain them properly, which includes checking the devices for applications that the organization bans or hasn't approved. Such applications include instant messaging, peer-to-peer, file-sharing, and other programs that can act as a Typhoid Mary for malware, or expose the network, applications, data, and the whole organization to attack.

  • Ensuring that users don't use devices that the organization's security policies forbid, such as USB drives. The team may also restrict a user from using specific devices and programs, such as USB drives, Bluetooth devices, or IM, while accessing certain servers.

  • Creating and enforcing the desktop and endpoint security policies of an organization, and helping police the endpoints to ensure that users comply with these policies.

  • Making sure that any endpoint device the organization manages has the required antivirus, anti-spyware, or other anti-malware software loaded. If the device requires patch-management capabilities, the desktop team needs to make sure that the device receives them.

Desktop rights

A desktop team controls administrative rights and privileges on endpoint devices. Like the network security team, the desktop team holds those rights and privileges very close to the vest: it doesn't hand them out to every user, and for good reason.

If a user receives administrative rights and privileges on his or her endpoint device, he or she can change the endpoint's access privileges, or delete or alter its security capabilities. For example, a user who deactivates malware scans or turns off other forms of endpoint protection leaves the endpoint vulnerable to attack. That endpoint can then become a Trojan horse for a hacker, who gains entry into the inner sanctum of the organization's network by piggybacking on the unsuspecting user, who (along with his or her endpoint device) is an authentic, authorized employee or other user in good standing. After the user and the device connect to the network, the hacker springs the attack: capturing once-private, sensitive customer or corporate data and intellectual property, then selling it to the highest bidder or holding it for a king's ransom paid by the bilked organization; or threatening to unleash a malware attack that takes down the organization's network unless the hacker is paid handsomely.

So, the desktop team, like the security team, holds the endpoint's keys to the kingdom — the administrative rights and privileges — and doles them out only to certain users, as needed.


7.4.1. Not-so-secret agents

If your organization has a desktop management team, get that team actively involved in the definition, selection, and deployment of a NAC solution — particularly if the NAC solution includes any type of software that needs to be loaded or downloaded onto the endpoint device or if the NAC solution requires a piece of hardware (or even firmware) to secure the endpoint device.

Many NAC solutions include a client or an agent: a full preloaded client, an 802.1X supplicant, a persistent agent, or even a dissolvable agent. If an organization-managed endpoint device must load or connect to any software or device as part of the NAC solution, the desktop management team should, and likely will, be involved in the NAC solution selection and test process.

If the organization's desktop management team needs to become involved in the NAC process, particularly when the NAC solution has a client or agent involved, that team will likely want to discuss the configuration and download process; the speed and size of the client or agent; and whether the NAC solution preloads or downloads the client package, or downloads a persistent or dissolvable NAC agent. The desktop management team wants to be involved in the NAC process so that it can ensure

  • No impediments prevent users from accessing the network with their devices in the shortest time possible.

  • The client or agent, as well as the complete NAC solution package, doesn't interfere with the already-defined policies of the existing malware protection (which the organization has approved and the desktop team has loaded or downloaded to each endpoint device it manages).

  • If the NAC solution requires a client download, the client operates seamlessly with the team's current system management tools, enabling the desktop team to preload the client as part of any existing image package or push the client to each endpoint device for quick, easy deployment and, if needed, upgrading.

  • The team can test and approve any updates and upgrades to the client or agent before the vendor, an integrator, an MSP, or the desktop team itself uploads or pushes those changes to users' endpoints.

  • The team can vet and test any updates that the NAC solution makes to operating system or application patches, or to antivirus or other anti-malware applications loaded on a user's device, before those changes are pushed organization-wide, whether manually or dynamically.

In short, the desktop team can do its part to identify and eliminate potential issues or incompatibilities before they occur and propagate in the production environment, creating user panic and helpdesk nightmares.
