Configuration Management Goes Mobile

New software fixes mobile computers that deviate from corporate standards

When it comes to securing the network, security administrators can throw their time and energy into maximizing corporate LAN security. Yet there’s always a nagging question: what about everything else that connects to it? The least secure culprits include business partners and mobile employees.

While shared-security policies can keep business partners on their toes, mobile users are a different story. Sure, security managers can install software-based firewalls on laptops and ensure antivirus updates run weekly. Yet what’s to ensure (or prove) users let such programs run? How many users, when they’re on the go, just exit from the antivirus update, or deactivate the firewall to share music on peer-to-peer networks or access their home network’s printer?

Then those same users access the corporate LAN via dial-up and VPN, exposing businesses to viruses, worms, and Trojan code.

“A network is only as secure as the remote machines that are allowed to connect it,” notes Mark Nicolett, a Gartner Group research director.

According to new research, remote machines aren’t very secure. In a three-month survey of consumers’ PCs this year, ISP Earthlink discovered each PC had an average of 28 pieces of spyware software on it.

All the network-based defenses won’t help if mobile users are dialing in using already compromised computers. It’s no surprise, then, that for security managers, “enforcing security and configuration policies on mobile clients is critical,” says Nicolett. Yet given the reality of mobile computers, keeping a physical eye on them is nearly impossible. Better is software “that can automatically assess and enforce configuration standards on remote machines,” he says. The alternative: “a gaping security hole in [the] IT infrastructure.”

“Enforcing configuration and security standards on mobile machines is one of the biggest challenges facing enterprises and government agencies,” notes Alexander Goldstein, CEO of software vendor Configuresoft.

New software can help by screening mobile devices before they connect. Some VPN software, for example, can deny network access to machines with out-of-date antivirus software. Software agents can likewise monitor a PC’s (relative) security health, and alert administrators if patches and software updates lag.

Another avenue for watching mobile PCs is configuration management software. For example, Enterprise Configuration Manager (ECM) from Configuresoft watches the network for mobile devices. Whenever a mobile Windows-based system logs on to the LAN, ECM scans the machine and compares configuration settings and patches against a known-good list. If the machine fails on any front, ECM automatically corrects the problem. More time-consuming maintenance can also be delayed until dial-up machines are back on a corporate LAN.

Software such as ECM lets organizations “automatically identify and rein in machines with rogue configurations,” says Goldstein. It also includes an audit trail, recording such details as which changes or patches were applied, plus a list of remote-connection activity.
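The scan, compare, correct, and record cycle described above can be sketched in a few lines. This is an added example, not Configuresoft's code or the ECM product's behavior: the setting names, patch ids, host name, and the rule that patch installs wait for the LAN while setting fixes go out immediately are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed known-good list; setting names and patch ids are placeholders.
BASELINE = {
    "firewall_enabled": True,
    "max_av_signature_age_days": 7,
    "required_patches": {"PATCH-0001", "PATCH-0002"},
}

def assess(machine):
    """Return (item, expected, actual) for every deviation from BASELINE.
    A missing value counts as a deviation, so an agent that reports
    nothing cannot pass by omission."""
    findings = []
    if machine.get("firewall_enabled") is not True:
        findings.append(("firewall_enabled", True, machine.get("firewall_enabled")))
    age = machine.get("av_signature_age_days")
    limit = BASELINE["max_av_signature_age_days"]
    if age is None or age > limit:
        findings.append(("av_signature_age_days", f"<= {limit}", age))
    missing = BASELINE["required_patches"] - set(machine.get("patches", ()))
    for patch in sorted(missing):
        findings.append((f"patch:{patch}", "installed", "missing"))
    return findings

def plan_remediation(machine, link, audit):
    """Fix setting drift immediately; hold patch installs until the machine
    is on the LAN when the current link is dial-up. Every decision is
    appended to the audit list."""
    fix_now, deferred = [], []
    for item, expected, actual in assess(machine):
        defer = item.startswith("patch:") and link == "dialup"
        (deferred if defer else fix_now).append(item)
        audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "host": machine.get("host", "unknown"),
            "link": link,
            "item": item,
            "expected": expected,
            "actual": actual,
            "action": "deferred_until_lan" if defer else "remediate_now",
        })
    return fix_now, deferred

# Constructed sample: a laptop with its firewall off and one patch missing.
LAPTOP = {"host": "laptop-01", "firewall_enabled": False,
          "av_signature_age_days": 3, "patches": ["PATCH-0001"]}
```

Calling `plan_remediation(LAPTOP, "dialup", audit)` with an empty list for `audit` fills it with one record per deviation, which is the kind of trail an auditor would ask to see.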

For organizations in industries that must comply with such government regulations as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act, such an approach—and the resulting audit trail—can illustrate how the organization is dealing with the mobile-security threat, not to mention allow security managers to better secure their organization’s mobile devices.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.