by Amrit Williams
Most organisations believe they have a fairly clear picture of how their network is configured and of the devices attached to it. When it comes to identifying rogue assets, it is usually a matter of white or black. Whitelisted assets are clearly inventoried and actively managed by the company. Blacklisted assets can include virus-infected computers, or machines that may pose no overt harm but do not conform to the enterprise security dress code.
IT departments must now also deal with a third class of network assets, greylisted devices. Greylisted devices are usually brought into an organisation by employees and used to perform legitimate work. They often tend to be consumer products that users believe are faster, easier to use, and generally more advanced than standard equipment issued by the enterprise.
For many end users, it can be a painful experience to use a three-year-old computer when they believe that the performance of currently available equipment has quadrupled since their office PC's purchase date. On the software side, users might ask why they should put up with stodgy email when they really want to exchange text messages. And if 70 percent of their hard disks are empty, why not fill that space with MP3 files or wedding photos?
Many IT managers would argue that managing greylisted assets is easy: simply ban them from the infrastructure. But it's not that simple. First, end users' claims of improved productivity might have an element of truth in them. Second, the cost of alienating younger workers may be too high. Finally, technology that end users bring with them is very often technology that their organisation doesn't have to buy. Like it or not, greylisted assets need to be factored into IT management programs.
Visibility must extend to greylisted assets' configurations and their actions on the network. It's not enough to know that a non-standard PC has just logged on. You also need to know what software the machine runs, and whether it is running any processes that could disrupt the infrastructure.
Policies also have the advantage of a preemptive bias rather than a reactive one. A policy is a higher-level description of a positive result that may be accomplished through a number of associated automated decisions about eligibility ('Does this PC really need this patch?') and execution ('If yes, load patch, restart machine, confirm configuration, report back.').
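The following is an added example, not code from the article or from BigFix: a small Python policy evaluator that applies the article's white/black/grey classification to a constructed asset inventory, then makes the two kinds of automated decision the paragraph describes, eligibility ("does this PC really need this patch?") and execution ("load patch, restart, confirm configuration, report back"). The patch identifier, hostnames and the list of processes treated as disruptive are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """One device seen on the network, as reported by an agent or scan."""
    hostname: str
    inventoried: bool                 # present in the managed asset inventory
    infected: bool = False            # malware detected by endpoint scan
    baseline_ok: bool = True          # meets the enterprise security baseline
    os: str = "windows"
    installed_patches: frozenset = frozenset()
    processes: frozenset = frozenset()


@dataclass
class Patch:
    patch_id: str
    target_os: str


# Processes the policy treats as a risk to the infrastructure (constructed list).
DISRUPTIVE_PROCESSES = frozenset({"torrent-client", "rogue-dhcpd"})


def classify(asset: Asset) -> str:
    """White/black/grey classification following the article's definitions."""
    if asset.infected or not asset.baseline_ok:
        return "blacklist"          # infected, or fails the security dress code
    if asset.inventoried:
        return "whitelist"          # known and actively managed
    return "greylist"               # unknown device doing legitimate work


def needs_patch(asset: Asset, patch: Patch) -> bool:
    """Eligibility decision: 'Does this PC really need this patch?'"""
    return asset.os == patch.target_os and patch.patch_id not in asset.installed_patches


def plan(asset: Asset, patch: Patch) -> list:
    """Execution decision: the ordered actions the policy would carry out."""
    bucket = classify(asset)
    actions = [f"classify:{bucket}"]
    if bucket == "blacklist":
        actions.append("quarantine")        # blacklisted devices get no patching, only isolation
        return actions
    # Visibility into what the device is running, not just that it logged on.
    risky = sorted(asset.processes & DISRUPTIVE_PROCESSES)
    if risky:
        actions.append("alert:disruptive-process:" + ",".join(risky))
    if needs_patch(asset, patch):
        actions += ["load-patch:" + patch.patch_id, "restart",
                    "confirm-configuration", "report-back"]
    else:
        actions.append("report-back")
    return actions


def evaluate_inventory(assets, patch):
    """Apply the policy to every asset; returns {hostname: [actions]}."""
    return {a.hostname: plan(a, patch) for a in assets}


# Constructed sample inventory; "KB-EXAMPLE-1" is a placeholder patch id.
SAMPLE_PATCH = Patch("KB-EXAMPLE-1", "windows")
SAMPLE_ASSETS = [
    Asset("corp-pc-01", inventoried=True, installed_patches=frozenset({"KB-EXAMPLE-1"})),
    Asset("corp-pc-02", inventoried=True),
    Asset("byod-laptop-07", inventoried=False,
          processes=frozenset({"torrent-client", "outlook"})),
    Asset("byod-mac-03", inventoried=False, os="macos"),
    Asset("infected-pc-09", inventoried=True, infected=True),
]

if __name__ == "__main__":
    for host, actions in evaluate_inventory(SAMPLE_ASSETS, SAMPLE_PATCH).items():
        print(host, "->", " ; ".join(actions))
```

Note that a greylisted device is neither banned nor ignored: it is patched on the same eligibility test as a managed PC, while anything it runs that matches the disruptive-process list is surfaced as an alert for the IT team.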
About the author
Amrit Williams is Chief Technical Officer at BigFix, Inc. The company will be exhibiting at Infosecurity Europe 2008, Europe's number one dedicated information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products and services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on 22-24 April 2008 in the Grand Hall, Olympia, this is a must-attend event for all professionals involved in information security. Find out more or book online at www.infosec.co.uk.