Guest editorial by Andrew Storms
Based on the war wounds of the speakers, enterprises continue to find challenges when they try to bring Apple products into their security fold.
Each of the enterprises has the usual defined security policies and on a daily basis they weigh the risks associated with "grey" areas against the productivity of their users. The session's hot topic was the largely ignored impact of Apple products on security practitioners working hard to reduce enterprise risk.
The panelists -- John Dasher, Jon Allen, Jeff Gamet and Stanton Gatewood -- each discussed their current environments along with the trends and challenges they face with the Mac, and with all end points. A common opinion among the speakers was that the ease of use built into all modern computers, and especially Macs, has made users less knowledgeable, and this is a bad thing for security. A naïve user is more likely to fall victim to attacks like phishing. A naïve user with a burning desire for Apple products, with their inherent lack of centralized management tools, spells trouble.
Panelists offered a number of suggestions for tackling these issues. At Baylor, they are actively working hard to deploy Open Directory so that IT security can set basic end point security policies like screen saver passwords and control over patching cycles. At the University of Georgia, the security team has put a significant emphasis on training. This team holds brown bag sessions monthly and sends out newsletters; these and other communication tools help them increase awareness and reduce overall risk.
Sadly, it was evident from the discussion that Apple's continued reluctance to provide enterprise security tools is still causing heartburn for security professionals. Apple has yet to deliver anything on par with the policy systems Microsoft has built into Active Directory.
* Andrew Storms is nCircle’s Director of Security Operations. He is responsible for the definition and enforcement of the company’s security compliance programs as well as overseeing day-to-day operations for the Information Technology department.