FullArmor aims to keep policy fresh, consistent on endpoints

Policy-management vendor FullArmor Monday released software designed to extend policy enforcement to devices and machines that sporadically attach to a corporation’s network.

As more and more users begin to use policy to manage user access and privileges, those users are finding gaps in their policy enforcement. Full Armor’s Endpoint Policy Manager (EPM), which integrates with Active Directory and its Group Policy infrastructure, is targeted at closing those gaps so devices and computers coming into the network are subjected to the same policy controls as machines that are continuously connected.

“We found some dead spots where we don’t have any auditing or application of policy, whether it be no policy applied whatsoever, or the policy is applied once and not updated,” said a global IT manager for a pharmaceutical company who asked that his name and the name of the company not be revealed. The manager said policy enforcement is essential for the 100,000 devices on his network given heavy regulations in the pharmaceutical industry.

“We don’t want to take any chances. We need to be assured that policies are in place. One small slip could ultimately mean $30 million in lost revenue,” the manager says.

The manager says his evaluation of EPM includes interrogating devices as they come on the network to make sure policies are applied. If policies are absent, EPM applies the policies. If the policies are applied to guest machines, the software removes the policies from those machines before they log out.

The manager says he is also testing network access-control software, including Microsoft’s Network Access Protection slated to ship with Longhorn Server and Cisco’s Network Access Control software, but that something needs to be in place immediately.

FullArmor’s EPM works with remote desktops, laptops, mobile devices, and point-of-sale terminals. Policies are set based on a user’s role and/or state. For example, an authorized guest machine logging onto the network might find policy settings but no user settings, while an authorized user connecting via a Windows Mobile device might get user policies but not device policies.

The software’s auditing and reporting capabilities lets users search and correlate policy setting across all machines, verify that correct policies were applied and review exceptions.

“What we are saying is that if you have already built a policy infrastructure, then let's make sure these things are consistently applied,” says Matt Dircks, president of FullArmor. “And make sure that it does not decay when users go outside the network.”

EPM ships with all the components it needs to run, including Windows Server 2003, SQL Server and virtual machine capabilities. The components will run on a VMware virtual machine or on the Windows platform. EPM does not run on Microsoft’s virtual machine technology.

Endpoint Policy Manager pricing starts at $20 per user or managed endpoint.