Device Control – An Often-Overlooked Technology
When it comes to IT security, Ivanti strongly supports the defense-in-depth strategy by providing products that underpin the Center for Internet Security (CIS) basic controls. The first and second CIS basic controls are 1) Inventory and Control of Hardware Assets, and 2) Inventory and Control of Software Assets. Device control provides direct enforcement of these controls yet is often overshadowed by patch and application control technologies.
A Quick Look at This Often-Overlooked Technology
Basic device control typically provides management of physical components that can be connected to a workstation, server, or mobile system such as a laptop. An agent is usually installed on the system that can then detect and inventory the currently installed hardware and monitor when other devices are attached.
Of prime concern are USB drives on which sensitive data can be copied and removed from a facility, often without a trace. Device control can be configured to block the attachment of these devices completely or can allow control over these devices by tracking at the vendor, model, or even serial number level. For example, you could allow SanDisk Model xy12 USB devices in your organization but disable use of all others. This would prevent the user from inserting an unknown USB device that may come with pre-installed malware.
We’ve seen cases where companies are blocking many types of devices that come with added risks—smart keyboards with data storage capability, Bluetooth transmitters, additional network cards, and so forth. The flexibility of device control to meet your needs in this capacity is almost endless for this mature technology.
Beyond Physical Device Management
There are additional aspects of device control to consider, as the term ‘device control’ is often construed as covering management of physical devices only. Ivanti device control includes not only physical control, but also encryption of data and monitoring/control of data from a data loss prevention (DLP) perspective.
The base operating system can be enabled to provide encryption of system disks, which gives laptops an added level of security in case of theft. However, this encryption often does not extend to removable drives. Device control can provide this added protection, encrypting removable drives so they can be used on other machines with password authentication, or even locking them down further so they can only be used on machines with the device control agent.
Device control can also monitor the volume of data traffic to devices as well as the type of data. In the former case, limits can be set on the amount of data a machine or person can copy to removable media. Likewise, the device control agent can monitor and log the names and types of the files being used. File shadowing is an extension of this option, where copies of the entire file are sent to secondary storage for review. Keyword searches can also be performed by device control agents, looking within the files themselves as they are copied and then taking appropriate action based on the pre-established policy. As you can see, Ivanti device control is much more than just blocking USB devices.
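The three DLP checks described above (a volume limit per user, logging of file names and types, and keyword inspection of content, with file shadowing for allowed copies) can be shown in a small evaluator. This is an added illustration, not Ivanti code; the policy values, the `DlpAgent` class and the sample copy events are all constructed for the example.

```python
"""Added example (not Ivanti's code): a toy DLP evaluator for copy events to
removable media. It applies a per-user byte quota, a blocked file-type list,
and a keyword scan of file content, and shadows allowed copies of selected
file types. All policy values and sample events are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed policy: these values are assumptions, not product defaults.
POLICY = {
    "daily_quota_bytes": 50 * 1024 * 1024,       # 50 MiB per user per day
    "blocked_extensions": {".exe", ".dll"},      # never allowed onto media
    "keywords": ("CONFIDENTIAL", "SSN:"),        # content markers to look for
    "shadow_extensions": {".docx", ".xlsx", ".pdf"},  # keep a copy for review
}


@dataclass
class CopyEvent:
    user: str
    filename: str
    content: bytes


@dataclass
class Verdict:
    action: str                              # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


class DlpAgent:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.usage: Dict[str, int] = {}                   # user -> bytes copied today
        self.audit_log: List[str] = []                    # log lines for the console
        self.shadow_store: Dict[Tuple[str, str], bytes] = {}  # (user, file) -> copy

    def evaluate(self, ev: CopyEvent) -> Verdict:
        reasons = []
        ext = ev.filename[ev.filename.rfind("."):].lower() if "." in ev.filename else ""
        size = len(ev.content)

        # 1. File type check: log the type and block disallowed extensions.
        if ext in self.policy["blocked_extensions"]:
            reasons.append(f"blocked file type {ext}")

        # 2. Volume check: would this copy push the user over the daily quota?
        used = self.usage.get(ev.user, 0)
        if used + size > self.policy["daily_quota_bytes"]:
            reasons.append(f"quota exceeded ({used + size} > {self.policy['daily_quota_bytes']})")

        # 3. Keyword scan over the content as it is copied (decoded leniently).
        text = ev.content.decode("utf-8", errors="ignore")
        hits = [k for k in self.policy["keywords"] if k in text]
        if hits:
            reasons.append("keywords found: " + ", ".join(hits))

        action = "block" if reasons else "allow"
        if action == "allow":
            self.usage[ev.user] = used + size
            # File shadowing: keep a full copy of selected file types for review.
            if ext in self.policy["shadow_extensions"]:
                self.shadow_store[(ev.user, ev.filename)] = bytes(ev.content)

        self.audit_log.append(
            f"{action.upper()} user={ev.user} file={ev.filename} type={ext or '-'} "
            f"bytes={size} {'; '.join(reasons)}".rstrip())
        return Verdict(action, reasons)


if __name__ == "__main__":
    agent = DlpAgent()
    for ev in (CopyEvent("alice", "report.docx", b"quarterly numbers"),
               CopyEvent("alice", "notes.txt", b"CONFIDENTIAL draft")):
        agent.evaluate(ev)
    print("\n".join(agent.audit_log))
```

The quota is tracked per user in memory here; a real agent would persist it and reset it per policy period, and the keyword scan would need to handle non-text formats rather than a lenient UTF-8 decode.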
Device Control Implementation
Device control implementation is a straightforward, logical process. The device control agents are installed across the desired set of endpoints and are first set to capture device usage. This information is collected as log activity and sent back to a central console for analysis. The administrator reviews the devices that are in use and constructs a policy based on company needs.
As covered throughout this blog, this policy can address the physical, encryption, and DLP aspects of security, and can be as simple or as complex as needed. Once the policy is established, it can be pushed out to the endpoints, which are placed in audit mode. Best practices dictate that a subset of systems should be chosen as the sample test group. Audit mode will show how the policy performs, identifying what would be blocked and what would be allowed. This is very similar in concept to how application control is typically rolled out. At this point, the policy can be updated or ‘fine-tuned’ and placed into enforcement mode. After a period of time and with sufficient positive feedback, the policy can be deployed to a larger group of systems. Again, you can implement at your own pace and ensure your security objectives are being met.
Device control provides a detailed hardware inventory, a strong degree of control over the use of these devices, and also control over the copying and storage of data on these devices. While not directly controlling your software assets, it does provide insight into what software assets are in use. Device control is not difficult to implement and can provide protection in an area that is frequently overlooked when all the attention is on network-based attacks.
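The rollout just described (collect device usage, build an allow policy at the vendor/model/serial level, run it in audit mode, then switch to enforcement) can be put together end to end, and the same code shows the vendor/model/serial matching from the earlier USB example. This is an added illustration, not Ivanti code: the `UsbDevice`, `Rule` and `DevicePolicy` names, the log format and the precedence rule (a serial-level rule beats a model-level rule, which beats a vendor-level rule, and anything unmatched is denied) are assumptions made for the example.

```python
"""Added example (not Ivanti's code): a toy device-control policy that is
derived from a constructed usage log, evaluated in audit mode (log only) and
then in enforcement mode. Identifiers, log lines and precedence rules are
assumptions for illustration only."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class UsbDevice:
    vendor: str
    model: str
    serial: str


@dataclass
class Rule:
    vendor: str
    model: Optional[str] = None     # None = any model from this vendor
    serial: Optional[str] = None    # None = any serial of this model
    action: str = "allow"

    def matches(self, d: UsbDevice) -> bool:
        return (self.vendor == d.vendor
                and (self.model is None or self.model == d.model)
                and (self.serial is None or self.serial == d.serial))

    def specificity(self) -> int:
        # Serial-level rules (2) beat model-level (1) beat vendor-level (0).
        return (self.model is not None) + (self.serial is not None)


class DevicePolicy:
    def __init__(self, rules: List[Rule], mode: str = "audit"):
        self.rules = list(rules)
        self.mode = mode            # "audit": record only; "enforce": block
        self.log: List[str] = []

    def decide(self, d: UsbDevice) -> str:
        candidates = [r for r in self.rules if r.matches(d)]
        # Most specific matching rule wins; devices with no rule are denied.
        verdict = max(candidates, key=Rule.specificity).action if candidates else "block"
        ident = f"{d.vendor}/{d.model}/{d.serial}"
        if verdict == "block" and self.mode == "audit":
            self.log.append(f"AUDIT would-block {ident}")
            return "allow"          # audit mode never interrupts the user
        self.log.append(f"{self.mode.upper()} {verdict} {ident}")
        return verdict


# Constructed usage log from the collection phase; each line is
# "host,vendor,model,serial" as an agent might report it to the console.
USAGE_LOG = """\
ws01,SanDisk,xy12,SN0001
ws02,SanDisk,xy12,SN0002
ws02,Generic,Flash,SN9999
ws03,SanDisk,xy12,SN0001
"""


def devices_seen(log_text: str) -> Dict[UsbDevice, Set[str]]:
    """Inventory step: which devices were observed on which hosts."""
    seen: Dict[UsbDevice, Set[str]] = {}
    for line in log_text.strip().splitlines():
        host, vendor, model, serial = line.split(",")
        seen.setdefault(UsbDevice(vendor, model, serial), set()).add(host)
    return seen


def build_policy(seen: Dict[UsbDevice, Set[str]],
                 approved_models: Set[Tuple[str, str]],
                 mode: str = "audit") -> DevicePolicy:
    """Policy step: allow approved vendor/model pairs that were actually
    observed and explicitly deny every other observed model."""
    models = {(d.vendor, d.model) for d in seen}
    rules = [Rule(v, m, action="allow" if (v, m) in approved_models else "block")
             for v, m in sorted(models)]
    return DevicePolicy(rules, mode)


if __name__ == "__main__":
    inventory = devices_seen(USAGE_LOG)
    policy = build_policy(inventory, {("SanDisk", "xy12")}, mode="audit")
    for dev in inventory:
        policy.decide(dev)
    policy.mode = "enforce"         # after review, switch the same rules on
    policy.decide(UsbDevice("Generic", "Flash", "SN9999"))
    print("\n".join(policy.log))
```

The audit-mode log is what the administrator reviews before fine-tuning: a serial-level block rule appended later overrides the model-level allow for that one stick without touching the rest of the model's population.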
Consider device control as you build out your security program; it provides a valuable technology and added layer in the defense in depth strategy. Take a few minutes to learn more about proven device control technology from Ivanti.
Product manager for Ivanti’s patch-related products, including Patch for Windows, Patch for SCCM, and our OEM patch engines, Todd Schell has also worked in computer security as an officer in the United States Air Force.