How one firm secures mobile workers
VP of IS seeks out inoffensive security products.
By John Cox, NetworkWorld.com, 08/14/2006
A small, fast-growing medical staffing company in Irving, Texas, has been learning as it goes about how to create and enforce
secure computing for its traveling account managers.
Moving cautiously, Martin, Fletcher & Associates has extended features of the corporate security architecture to mobile laptops,
coupled with deploying a range of products to protect the data on about 60 laptops and their access to the corporate net.
The company limits the data on the laptops, enforces security policies on them, creates a range of tailored access permissions
via Windows Active Directory and Group Policies, and uses a VPN for remote connections.
“The security we were able to put in place allowed us to move into a mobile workforce,” says Fabi Gower, vice president of
information systems for Martin, Fletcher. “We wouldn’t even consider it until then.”
Founded in 1999, Martin, Fletcher contracts with hospitals and other healthcare clients to fill a range of staffing needs.
The firm has grown from five to 150 employees. About 60 of them are account managers who are constantly on the road meeting
with customers. But it was only two years ago that Martin, Fletcher felt it had the pieces in place to give those managers
laptops and network access.
In the corporate LAN, Microsoft Windows Server 2003, with Active Directory, provides the backbone for username/password management,
group security policies and permissions. The latest operating system features let the IS staff assign specific groups permissions
(read, write, delete, add and so on) for specific folders or even documents. A firewall with VPN from WatchGuard Technologies
rounds out the basic net architecture.
About four years ago, the top executives decided they wanted to control data transfers and unauthorized software programs.
“Today [with USB devices] that covers a very broad category of things,” Gower says. “Even some printers nowadays can be considered
storage devices.”
Eventually, Gower found Sanctuary Device Control, a software program from SecureWave. The client/server software installs
securely on desktop and laptop PCs. With it, the IS staff has highly detailed control over the PCs’ interfaces and peripherals.
“We have complete control over any device that’s plugged into our network,” she says.
Policies for users are set via a central console, which can draw on user information from Active Directory. Gower can disallow
the use of CD-ROM drives for all users, or allow them to play music CDs only. On request, an IS staffer can remotely unlock
a specific CD-ROM drive for a stipulated time period, so an account manager can download and run a marketing video. At the
appointed time, Device Control will lock the drive again. The mobile account managers may be granted certain permissions during
the workday not allowed to desktop users, or vice versa.
Over time, the IT staff works with users to refine appropriate-use policies that Device Control enforces.
The laptops are equipped with wireless LAN adapters, and the company subscribes to T-Mobile’s Wi-Fi hotspot service. The
account managers can connect wirelessly at T-Mobile hotspots at Starbucks or airports; the VPN client authenticates them, and
they can then access the corporate LAN.