Device Centric and User Centric Approaches to desktop Security

RES Software and Security: Realizing Asset Centric and User Centric Approaches to Security

v.1.0-9.30.10

Executive Summary

In the rush to meet regulatory or customer mandates, organizations have spent millions of dollars implementing security and compliance measures either issue-by-issue or regulation-by-regulation. This has resulted in an asset-centric security approach, where we focus on the IT infrastructure and make sure that this is secure.

However, in the current versatile user community, a user is no longer bound to a single device. So, although assets still need to be kept secure, the need arises for a user-centric security approach where security rules are aligned with the use of those assets.

This white paper presents an overview of both the asset-centric and the user-centric approaches to security. These approaches will be mapped towards the standard for Information Security: ISO 17799.

Security

Why Does Security Matter?

Information is an important asset in our current market. As a result, businesses want to manage information as an asset, but at the same time, they are evolving towards collaboration with other companies in order to fulfill customer needs more quickly. This approach has increased the pressure on IT departments. On the one hand, they need to make information available for more users. On the other hand, they need to keep this information secure and share it only with the appropriate individuals and organizations.

So security matters, and any approach will have to focus on two things:

  • Availability: making sure that information is available for use.
  • Confidentiality: making sure that only authorized people can access it.

Availability

Currently, an important job for many administrators is to ensure that authorized users have access to information and the associated assets when required.

Focus on Assets

Currently, the most common approach is to focus on assets. This approach originates from a risk management approach:

In a Microsoft Windows environment, this means that the following tasks need to be performed on a regular basis:

  • Scanning machines for vulnerabilities, i.e. querying installed operating system patches and installed software, querying NTFS and share right assignments, querying service properties, and running MBSA queries.
  • Taking counter measures for certain risks, i.e. installing patches, changing service parameters, changing NTFS and share rights assignments.

These standard, frequently repeated tasks can be easily automated with a solution for IT run book automation for Windows, such as RES Automation Manager.
Users are No Longer Bound to a Single Device

The question arises whether this asset-centric approach that defines threats as external forces is enough. Does this approach ensure availability of the service? In the current user environment, users no longer have their own desktop (asset) on which they use their services. In today's IT world, a user can have a laptop or desktop for use at the office during the day, and a desktop made available via server-based computing for use from home or from any other place outside the office. This results in new challenges for IT departments because the main focus is on ensuring availability of a user's services.

Users want their services (applications plus their settings) to be available, whatever the method of delivery, and they want changes made in one environment to be reflected in all the others automatically. This results in the next approach to availability: the user-centric approach, which is achieved through user workspace management. In this approach, all user settings are disconnected from the underlying application delivery solution, and are applied when a user starts an application. This gives the user a unified workspace independent of an application delivery solution.

New Challenges: Confidentiality

Focusing on the availability of services to users, both in and outside the office, enhances user productivity and business performance.

However, this approach does pose new challenges to the IT department, and these challenges need to be addressed. A user now has access to the company network from outside the office too, but some services and their corresponding resources should not be available from outside the office.

Once you have established the availability of a service to a user, you need to make sure that this service is only available for those who are authorized. This is confidentiality, the focus of the next part of this whitepaper.

Confidentiality

Ensuring that information is accessible only to those who are authorized to access it is a challenging task in the current environment. If a user is not bound to one single workstation, it is no longer possible to allow or disallow access based on the workstation (asset). The asset-centric approach, though important, is not sufficient. A user-centric approach is needed as well, so that a user can get access to the services, but only after the following checks:

  • Who is the user? This question is answered using authentication based on username and password.
  • Where is the user? This is important, because where a user starts a service can determine whether that service (such as the application plus its settings and resources) should be available.
  • What time is it? Some services may have scheduled maintenance windows during which they are not available.
  • Does the user have the necessary credentials? In some cases, you may want to base access to a service on additional levels of authentication, because the application contains too much sensitive information.

Besides the internal user, businesses are collaborating more with other companies. These collaborative initiatives will need to share information, and so they need to be supported by IT. The asset-oriented approach tries to make sure that external threats don't come in. This is not possible in a collaborative enterprise because people from other companies do need to get inside your network. But you only want to grant them access to the services they need. This requires a different approach, one that starts from the inside and works out, instead of the other way round. This is what you deliver with a user-centric security approach.

You grant a user access to a service, namely the application with its settings. Based on this access, you can then grant the user access to related:

  • Files and folders
  • Local storage
  • Removable storage
  • Network resources
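The four checks and the resource grant described above, sketched as a default-deny policy evaluator. This is an added example, not RES Software code; the class names, location labels and the sample `PAYROLL` policy are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass(frozen=True)
class ServicePolicy:
    allowed_users: frozenset                # who may start the service
    allowed_locations: frozenset            # where it may be started from
    maintenance: tuple = ()                 # (start, end) daily windows when it is down
    needs_step_up: bool = False             # sensitive data: extra authentication level
    resources: dict = field(default_factory=dict)  # resource class -> allowed locations

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool                     # username/password check already passed
    location: str
    when: datetime
    step_up_done: bool = False

def in_window(t, start, end):
    """True if t falls in [start, end); handles windows that cross midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)

def evaluate(policy, req):
    """Return (granted, failed_check_or_'ok', resource classes granted)."""
    if not req.authenticated or req.user not in policy.allowed_users:
        return False, "who", frozenset()
    if req.location not in policy.allowed_locations:
        return False, "where", frozenset()
    if any(in_window(req.when.time(), s, e) for s, e in policy.maintenance):
        return False, "when", frozenset()
    if policy.needs_step_up and not req.step_up_done:
        return False, "credentials", frozenset()
    # Related resources follow from the service grant, narrowed by location.
    granted = frozenset(r for r, locs in policy.resources.items()
                        if req.location in locs)
    return True, "ok", granted

# Constructed sample policy: a sensitive service reachable from office and remote,
# but local and network resources are only released inside the office.
PAYROLL = ServicePolicy(
    allowed_users=frozenset({"alice", "partner-bob"}),
    allowed_locations=frozenset({"office", "remote"}),
    maintenance=((time(23, 0), time(1, 0)),),
    needs_step_up=True,
    resources={"files_and_folders": {"office", "remote"},
               "local_storage": {"office"},
               "removable_storage": set(),
               "network_resources": {"office"}},
)
```

Returning the name of the failed check gives the audit trail a reason for every denial, and removable storage stays closed everywhere because no location is listed for it.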
Conclusion

The ISO 17799 standard is related to information security. This standard defines information as an asset that may exist in many forms, and that has value to an organization. The goal of information security is to protect this asset suitably, so that business continuity is ensured, business damage is minimized, and return on investments is maximized. According to ISO 17799, information security is characterized as the preservation of:

  • Integrity: safeguarding the accuracy and completeness of information and of protection methods.
  • Availability: ensuring that authorized users have access to information and associated assets when required.
  • Confidentiality: ensuring that information is accessible only to those authorized to have access.

As discussed in the previous paragraphs, there are two approaches in Information Security: asset-centric and user-centric. The asset-centric approach ensures that the infrastructure is available, and helps protect it against external threats. But in the current versatile user environment, this approach by itself is not enough to make services available to users. Because the user is working from multiple desktops both in and out of the corporate network, a user-centric approach is needed as well. Combining these approaches will result in better availability, but, even more importantly, will greatly improve the confidentiality as described by ISO 17799. The user-centric security approach is delivered through user workspace management. This gives the desired availability of the services to end users, without compromising the necessary security policy.

Together, the RES Software products RES Automation Manager and RES Workspace Manager deliver both the asset-centric and the user-centric security approach.

RES Software

RES Software, the proven leader in dynamic desktop solutions, is driving a transformation in the way organizations manage, maintain and reduce the cost of their desktop infrastructure. The RES Software award-winning, patented products enable IT professionals to manage and deliver secure, personalized and compliant desktops independent of the underlying computing infrastructure – thin clients, virtual desktops, physical desktops, or server-based computing environments. The company empowers customers, from small to medium-sized businesses to global enterprises, to reduce desktop complexity and meet the essential needs of a dynamic workforce that requires on-demand access to their personalized workspaces. For more information, follow updates on Twitter @RESSoftware and visit