Client management becomes security guard for endpoints
Desktop tools evolve to help IT with internal security on endpoints
By Denise Dubie
Managing client devices continues to challenge IT staff looking to equip end users with productivity tools while also protecting networks from errant behavior on the desktop.
"One of the biggest challenges for today's IT operations group is the management of an increasingly distributed and heterogeneous environment," says Natalie Lambert, senior analyst at Forrester Research. "Despite their efforts to standardize, the client environment is in a state of constant change."
Client systems management, once referred to as desktop management, has become more critical over the past several years as end users have become more mobile and client machines range from standard workstations to laptops and mobile devices such as PDAs and BlackBerries.
"This means that IT operations must now maintain multiple operating system images, deploy hundreds if not thousands of applications, and assure patch and system security compliance - knowing all the while that system connectivity to the corporate network is not guaranteed," Lambert says.
Just ask Matt Giblin, senior systems analyst at Mercy Health Services in Baltimore. He chose a vendor, Altiris (now part of Symantec), which he believed could address the spectrum of management and security needs. Yet he still finds challenges in managing client devices; among them is keeping up with systems and software since, despite his best efforts to standardize the software and systems on machines, changes happen.
"The pendulum has shifted from hardware being difficult to support. Now the operating systems and applications are complex, and it has to get easier to support multiple operating systems and applications," Giblin says. "It's an always-changing environment, and it's critical just to keep up with the changes."
Today's client management vendors are working to ease the burden of managing multiple, distributed client machines with features designed to address related issues.
Companies such as Symantec, CA, HP and LANDesk (now part of Avocent) are upgrading their client management tools into integrated suites to address client life-cycle management, security and compliance management, and application management from the end-user perspective.
Client management suites must include operating system management, software management and systems management capabilities, but industry watchers say that going forward integrated software packages also must feature integrated security tools and data leak prevention technologies to help client managers maintain performance and security on client machines.
"While the IT operations group traditionally handles all of the PC management tasks, they are finding themselves stuck in the weeds with the day-to-day administration of security tools," Forrester's Lambert says. That means client managers are expected to also handle antivirus, antimalware, patching and access control policies on end-user machines.
"The operations group is struggling because solutions are still deployed as point products, and no single solution gives end-to-end insight into the system inventory, security posture, and overall state of compliance."
Client management vendors are incorporating intrusion prevention systems into their suites that use existing server and agent technology to better secure endpoints. For instance, LANDesk introduced add-on software that the company says helps network managers secure internal networks from unknown threats by monitoring traffic, learning behavior and alerting when anomalies in known behavior occur. LANDesk says its software performs such tasks as behavioral blocking, whitelisting, blacklisting and compliance enforcement when it detects traffic in conflict with predefined security policies.
LANDesk also incorporates a network access control (NAC) element, the company says, that can prevent client access to a network if it doesn't meet patch or systems security levels, for instance. Industry watchers say such security measures will help client management teams looking to keep desktops and laptops available and secure. The convergence of management and security in such technologies reflects changes in IT organizations looking to protect internal networks as much as the perimeter.
In its March 2007 report entitled "Client Management 2.0," Forrester says that many security teams in enterprises are passing client security and network access responsibilities to the IT operations groups.
"For example, desktop operations staffers handle not only upgrades to your PC but also the patching and antimalware updates that maintain system compliance. Similarly network administrators just as comfortably set firewall access control lists as switch and router ACLs," the report reads. "Consequently, security and access control are becoming part of the overall management of your IT environment."
NAC is network-focused, Forrester says, but because much of the endpoint security lies with the desktop operations group, newer technologies will emerge to enable better endpoint security. And Forrester predicts another technology will grow out of NAC, proactive endpoint risk management, or PERM, which would encompass multiple solutions and serve as NAC 2.0 for client systems management and security. The research firm defines PERM as "policy-based software technologies that manage risk by integrating endpoint security, access control, identity and configuration management."
And while, like NAC, PERM is not yet complete, Forrester predicts the technology will take enterprise management and security by storm in the next three years.
"Proactive endpoint risk management isn't far off -- in fact, the landscape has already started to develop," the report reads. "Forrester predicts that client security suites will be the first to evolve, with Microsoft and Cisco only an acquisition -- or two -- away."