Ask any Windows administrator or security professional and you'll find widespread support for locking down PCs by removing users' administrative privileges. Why then have so many IT organizations been unable to implement better controls in their desktop environments?
The truth is that removing admin rights is only part of an application control solution. IT organizations still need to address many critical requirements, such as:
- How can you overcome organizational resistance to more control on the desktop?
- How will legitimate software be installed without overburdening the IT staff?
- What policy should be applied to users who must install software, such as engineers or executives?
This article examines answers to questions like these and outlines a nine-step methodology that can make or break your transition to a well-managed and controlled Windows environment.
Flexibility Makes Application Control Possible
Up until now most employees have enjoyed total control over how they use their company PCs. But CIOs and IT departments are under tremendous pressure to implement better processes over how software is deployed, managed, and used on these computers. Security problems, the pressures of compliance, and the ongoing onslaught of user-installed software that disrupts the smooth operation of the PC itself all contribute to a growing cost of ownership of PCs, along with greater risk of data loss and breach.
These forces have contributed to a growing desire to lock down users' computers, often by removing administrative privileges in the Windows operating system. Unfortunately, this often leads to more problems than it solves. This technique has all too often proven to be inflexible, burdensome, and overly restrictive for the business.
For exactly these reasons, Windows administrators are turning to a more robust, more flexible solution called application control. This lets IT departments easily create policies for the various user populations they manage that dictate what software users can and can't run. With automation capabilities and a rich set of integration tools, an application control solution is a key element in bridging the gap between complete liberty and total lockdown.
But like most projects worth doing, implementing an application control solution is more involved than just purchasing some software. That's why we have created the following methodology for achieving application control. By following these guidelines, you can gain better control over the software in your environment while ensuring an easy transition for your users, and minimal administrative overhead for yourself.
The Nine-Step Methodology for Application Control
The following methodology will lead you through the steps required to get full visibility and control over the applications running in your Windows computer environment.
Phase 1: Plan
Like any well-executed project, the road to a more controlled computing environment begins with a good plan. The first phase of this methodology, therefore, leads you through setting goals, winning support from business stakeholders, and making choices in technology and architecture.
Step 1: Set meaningful goals.
Key Consideration: Clear goal definition.
You first must decide what control policies make sense to institute for your organization. Examples of policies include:
- Preventing the installation or execution of unauthorized software
- Blocking data transfer to unencrypted portable storage devices
- Blocking applications with known vulnerabilities from executing
To create this policy effectively, it is very important that you understand the needs of the business. Some user groups will need a flexible policy, while others can be more tightly controlled. You must look at each of the business units you provide services for, and craft a policy that allows the freedom their users seek, and the control that IT requires.
Step 2: Win support from business stakeholders.
Key Consideration: Setting expectations.
Once you have put a skeleton policy together, the most important thing you can do next is communicate the plan to the people who will be most affected by it. This will help eliminate any misconceptions about the purpose and desired outcome of the project.
Here are two things you can do to help facilitate this process:
- Provide evidence and data: Most of the fear associated with a tightly controlled environment comes from a lack of understanding about how the policy will play out once it is in effect. By running policy simulations and presenting "what-if" scenarios, you can persuade your business counterparts that the policy will have a beneficial effect.
- Help business owners make decisions: Rather than recommending a set of best practices to a business owner (whose first reaction may not be acceptance), work with them to develop a set of "necessary practices," or actions you can take, based on available data, that will have a significant effect in terms of operational efficiency and security. In essence, help your business users grab the low-hanging fruit.
Step 3: Choose technology and develop architecture.
Key Consideration: Architect for the dynamic desktop.
As you evaluate the technology available to you, be sure to set clear requirements for comparison. The following list contains a set of critical attributes of any desktop management system, driven by the inherent dynamic software environment that exists on Windows PCs:
- Automation should be employed to manage patches, deployments, etc.
- Administrative overhead should be minimal
- Policy exceptions should be handled easily and immediately
- Users should not be able to circumvent policy
In addition to these requirements, you must also evaluate how the technology:
- Integrates with existing software and desktop management systems
- Ties into your existing processes for deploying and supporting end-user software
- Leverages broad-based trust policies tied to users and software publishers
- Connects with your Active Directory system
Once you have completed these planning steps, you will have laid the groundwork for a desktop control system that is aligned with your policy goals, business users, and existing technology and process.
Phase 2: Implement
You are now ready to begin the implementation phase of your project. This portion guides you through developing the policy, connecting it to existing processes, staging the deployment, and managing expectations.
Step 4: Build policy and connect to existing processes.
Key Consideration: Leverage existing practices.
Nothing can doom a new policy faster than disruption. That's why you will be best served by leveraging as many of your existing practices as possible to both define and manage your policy.
Some of the ways you can minimize the impact of your new policy in this phase are:
- Your users will still expect to run applications from software archives, CD libraries, or intranets - make sure your policy is implemented to account for this.
- Existing software management practices may involve imaging, software deployment, and patch management. Integrate with these systems for application control to seamlessly update policies.
- Create an exception handling process for dealing with policy conflicts. Your trouble-ticket system can help you delegate decisions with minimal involvement from IT and users.
Step 5: Stage the deployment.
Key Consideration: Create quick wins.
As you roll your policies out to users, it is best to start with a specific environment with well-defined rules. Users in a call center, at remote offices, mobile workers, kiosks - these are all examples of environments where the information and control processes can be localized and managed in a straightforward way.
Leverage these smaller groups to work out the kinks in your operational processes. What you learn here will be invaluable for defining support procedures, exception handling processes, and making sure that you have all the information you need as you roll out policies throughout the organization.
Step 6: Communicate and manage expectations.
Key Consideration: Responsiveness.
As you continue to deploy policies, it is very important that you be clear about the intentions of the policy. Communication does not stop at the planning phase, but continues all through the project. Setting up a system for feedback and resolving issues in a timely manner can be the difference between a supportive relationship and an adversarial one with your users.
Just as you provided evidence and data during planning, you can continue to work with your business units and show the success you are achieving with your early deployments. Reinforcing your common goals and showing how you are collectively making progress towards them will ease any tensions that may arise.
In completing the implementation phase, you will have deployed application control policies to all your user groups that match their business needs, using pockets of success to build momentum, credibility, and reliability in the project.
Phase 3: Enhance
In this phase, your application control policy becomes operational. You continue to monitor and manage your processes at the help desk and throughout the rest of your IT organization, measuring success as you go.
Step 7: Manage the IT Help Desk.
Key Consideration: Minimize exceptions.
Most projects to lock down user workstations fail here, at the help desk. Traditional control policies involving only user privileges and Active Directory leave too much to the administrator, so that every little widget that the user needs installed - from browser plugins to PDA software to business applications - must be handled by central IT.
A good application control system will have capabilities that automate all the repetitive aspects of application control, minimizing the effort on the help desk. This gives you the ability to monitor these activities and optimize your exception handling process according to a simple set of rules:
- Push exceptions out to business managers where they can assume the responsibility of allowing non-standard software to run.
- Monitor exceptions as you add new software into the environment to ensure that your automated software approval mechanisms are tuned.
- Follow trends in exceptions to anticipate users' needs, for example, when a new piece of software becomes popular in a particular group.
Step 8: Build proactive practices.
Key Consideration: Access to information.
Continue to analyze the data you collect about the software in your environment so you can identify trends in application usage behavior. Software propagation patterns can be invaluable because they are the key to a proactive IT organization. Imagine being able to vet and approve a new application even before users call into IT asking for it.
As you monitor this data you will doubtless discover software that you don't recognize. This is where a software identification service can be a critical tool. Easy access to the latest information about the world's software - including products, publishers, and security analyses - can help you deliver an unprecedented level of service to your users.
Step 9: Measure success.
Key Consideration: Confirm with proof.
The results of an effective application control policy are clearly visible and easily measurable. Be sure to capture this information and feed it back to the organization. Some of the best areas to measure success are:
- Compliance gap analysis
- Security incidents
- Help desk ticket volume
- Mean time to resolution
- Time allocation across IT (reactive problems vs. proactive projects)
Application control has a dramatic effect on the compliance, security, and manageability of a Windows environment because it provides such a high degree of visibility and control over all the software running on those PCs.
By using this nine-step methodology, you will be able to navigate the cultural, operational, and technical challenges associated with instituting control over Windows software in use by an empowered workforce. The path presented will let you achieve the benefits of lockdown while preserving the liberty that PC users have grown deeply accustomed to.
About the Author
Brian Gladstein is the director of product marketing at Bit9, Inc., a leading application control and device control provider. Prior to Bit9, Gladstein was a product manager in RSA Security's SecurID group. Before that, he specialized in sales and marketing for Relicore and WebLine Communications, among others. Gladstein received his MBA from the Stanford Graduate School of Business and holds a B.S. in Computer Science from the Massachusetts Institute of Technology.