IT Compliance Advisor welcomes our new blogger, Frank Ohlhorst:
Meeting the needs of compliance regulations effectively means that IT staffers must be able to monitor and report on any activity traversing the network. Luckily for many Microsoft shops, the compliance beast has been tamed with the help of Microsoft’s Active Directory (AD), which can be extended to store many of the data elements associated with compliance requests.
What’s more, dozens if not hundreds of compliance tools that integrate with AD are readily available on the market. While that is good news for Microsoft Windows administrators, it is bad news for those looking to innovate. Simply put, AD plus compliance kills innovation.
How can this be? It’s simple: Many administrators are using compliance as an excuse to not deploy alternate capabilities. For example, take a moderately sized organization that wants to add a dozen Macs to the network to support the art department. The request goes in, and is immediately shot down because of a compliance issue — namely, the inability to apply policies to the Mac systems and report on activity, configuration and so on.
Pretty much the same thing can be said about Linux. Organizations looking to save bucks and deploy Linux are finding that compliance has become a powerful tool to prevent a deployment. Nowhere is this more true than on Windows Server networks using Active Directory.
The basic argument goes like this: “We can’t deploy the new desktop OS, because we are unable to monitor logons, apply policies, audit and report on compliance.” So, does that mean it must be the end for non-Windows systems being attached to the network? Well, not exactly. AD proves to be extensible, allowing new leaf objects and data elements to be added. It does take a bit more than modifying AD, however, to handle compliance for non-Windows systems. In fact, it will take thinking outside of the Windows box.
Let’s look a little more closely at the problem. For a desktop PC to be compliant under the rules of PCI, SOX and HIPAA, you will need to do a few things. At the top of that to-do list is authentication. You will need a way to maintain logon security, regardless of whether the system has a local connection or not. Next on the list is applying policies to the system, policies that enforce rules about access and the types of data available. After that, you will need methods to inventory, monitor and report on the system. Finally, you will need to audit the system, which includes looking at usage and history over a period of time.
Miss any of these elements, and you will not be compliant. AD proves to be the perfect tool for backing compliance, and those leveraging AD will never want to see a non-Windows system on their networks. Where does that leave those non-Windows systems? Unfortunately, out in the cold.
But it doesn’t have to be that way. There is a solution to the problem, and we can once again thank Active Directory. There are a few products on the market that bring AD-based authentication to Linux, Unix and Macintosh systems, solving one of the biggest security issues of those systems (under the eyes of compliance). This is a good start.
However, authentication is only part of the puzzle. You will also need to enable policy enforcement and implement change management. In some instances, some of those same products will provide the answer. Finally, you will need to audit and report on those systems, and that is where a third-party product really pulls its weight.
So the moral of the story is to not let IT staffers pooh-pooh the possibility of integrating Linux, Unix and Mac into the enterprise, and to begin researching products such as Likewise Enterprise, Quest Authentication Services and Centrify’s DirectControl. Currently, Likewise Enterprise appears to have all the bells and whistles anyone could need and includes compliance reporting built right into the product.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology publications, including Computerworld, TechTarget, PCWorld, ExtremeTech and Tom’s Hardware, and business publications including Entrepreneur and BNET. Ohlhorst was also executive technology editor at eWEEK and director of CRN Test Center.