Macs in the enterprise: The security conundrum

Guest editorial by Andrew Storms

Managing IT for a software company has its challenges.  For me, the lines between efficiency, security and innovation are difficult to draw at a company like nCircle where engineers require some freedom to perform their best.  The panelists at a recent RSA Conference session "Responding to the ignored threat - Macs in the Enterprise" seemed to face the same kind of problems I do.

Based on the war wounds of the speakers, enterprises continue to find challenges when they try to bring Apple products into their security fold.

Each of the enterprises has the usual defined security policies and on a daily basis they weigh the risks associated with "grey" areas against the productivity of their users.  The session's hot topic was the largely ignored impact of Apple products on security practitioners working hard to reduce enterprise risk.

At Universities, the Mac population has been on a significant increase and nearly 50% of all users, students and facility, use Macs.  In addition to the Mac, nearly all users either have or want an iPhone. Both these devices make enterprise security problems more daunting. Try telling your new employee he can't have his favorite productivity tools because of security issues.

The panelists -- John Dasher, Jon Allen, Jeff Gamet and Stanton Gatewood -- each discussed their current environments along with the trends and challenges they face with the Mac, and with all end points.  A common opinion among the speakers was that the ease of use built into all modern computers, and especially Macs, have made users less knowledgeable and this is a bad thing for security.  A naïve user is more likely to fall victim to attacks like phishing.  A naïve user, with a burning desire for Apple products with their inherent lack of centralized management tools spells trouble.

Panelists offered a number of suggestions for tackling these issues.  At Baylor, they are actively working hard to deploy Open Directory so that IT security can set basic end point security policies like screen saver passwords and control over patching cycles.  At the University of Georgia, the security team has put a significant emphasis on training.  This teams holds brown bag sessions monthly, sends out newsletters and other communication tools help them increase awareness and reduce overall risk.

Sadly, it was evident from the discussion that Apple's continued reluctance to provide enterprise security tools is still causing heartburn for security professionals.  Apple has yet to deliver anything on par with the policy systems Microsoft has built into Active Directory.

* Andrew Storms is nCircle’s Director of Security Operations. He is responsible for the definition and enforcement of the company’s security compliance programs as well as overseeing day-to-day operations for the Information Technology department.