My friends at FullArmor recently announced a product that takes existing security policies which have been created and enforced by Active Directory inside the network, and makes them portable, enforceable and auditable when the endpoints are outside the reach of the directory. The new Endpoint Policy Manager (EPM) makes continuous policy enforcement possible in a mobile and network-disconnected world, a world that – more and more – dominates the landscape we have to manage.
Marc Gendron must be the Sherlock Holmes of PR practitioners because he managed to track me down while I was on vacation to let me know about the new release. He wanted me to know that, “With the explosive growth of road warriors, telecommuters, temporary workers, and mobile users, it is virtually impossible for organizations to ensure that endpoint devices are secure and compliant. FullArmor EPM enforces consistent policy settings on endpoints whether they are connected or disconnected from an enterprise's Active Directory. This capability enables organizations to use their existing Group Policy infrastructure to intelligently enforce endpoint policy settings as devices drift in and out of the network. To prevent security policy ‘decay’, FullArmor EPM automatically corrects out-of-compliance settings when they are inadvertently changed. In addition, FullArmor EPM limits quarantine and remediation events in NAP and NAC environments [i.e., Microsoft’s Network Access Protection and Cisco's Network Admission Control] by keeping endpoint configurations locked-down.” (Seriously, that’s how PR people talk.)
But EPM is a very good addition to your authentication and authorization structure because it allows you to take the context of authentication into account when granting authorization to a user. Typical scenarios might include:
* An authorized guest machine logging onto the network could only receive device policy settings, not user settings.
* An authorized user authenticating to the network from an unmanaged device (home computer, Internet kiosk, etc.) could be subject to stricter policy settings.
* An authorized user connecting to the network via a Windows Mobile device could receive user policies, but not device policy.
But I’m sure you can think of many others.
FullArmor EPM also maintains a comprehensive audit trail of applied security settings to automate compliance reporting for those subject to regulations such as GLBA, HIPAA, FISMA, or PCI (you know who you are!).
Unlike Microsoft’s native Group Policy reports (which only query one machine at a time and report on expected – not actual – policy settings), FullArmor EPM pulls and compares data from three sources to conclusively report on security policy compliance: 1) Expected policy supplied by the device; 2) Expected policy supplied by the directory; and 3) Actual policy settings supplied by the device registry. Your audit log thus contains exactly what security was applied – and why!
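To make that three-way comparison concrete, here is an added example of my own (not FullArmor's code, and not how EPM is implemented internally). It assumes the three sources have been exported as simple name/value maps; the setting names and values are constructed samples, and the "registry" is just a dictionary standing in for a real read. The point it shows is that with all three sources you can tell policy decay (the device drifted from what it was told) apart from a stale policy cache (the device is faithfully enforcing something the directory has since changed), which a single expected-vs-actual report cannot do.

```python
"""Three-way policy compliance check: directory expectation vs. the device's
cached expectation vs. what is actually in the registry.

Added illustration; setting names and values below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed: what the directory currently says the device should have.
DIRECTORY_POLICY = {
    "ScreenSaverTimeout": "600",
    "RequireSignedDriver": "1",
    "FirewallEnabled": "1",
    "MinPasswordLength": "12",
    "AutoRunDisabled": "1",
}

# Constructed: the device's cached copy of expected policy. It was taken
# before MinPasswordLength and AutoRunDisabled were changed in the directory.
DEVICE_EXPECTED = {
    "ScreenSaverTimeout": "600",
    "RequireSignedDriver": "1",
    "FirewallEnabled": "1",
    "MinPasswordLength": "8",
    "AutoRunDisabled": "0",
}

# Constructed: actual values read from the device registry. RequireSignedDriver
# was flipped locally, FirewallEnabled never got applied, AutoRunDisabled was
# set by hand and happens to match the new directory value, and LegacyAuditLog
# is a setting no policy manages at all.
DEVICE_ACTUAL = {
    "ScreenSaverTimeout": "600",
    "RequireSignedDriver": "0",
    "MinPasswordLength": "8",
    "AutoRunDisabled": "1",
    "LegacyAuditLog": "1",
}


@dataclass(frozen=True)
class Finding:
    setting: str
    directory_value: Optional[str]
    device_expected_value: Optional[str]
    actual_value: Optional[str]
    status: str   # see classify_setting for the vocabulary
    action: str   # the remediation an audit entry would record


def classify_setting(name: str, directory: Dict[str, str],
                     device_expected: Dict[str, str],
                     actual: Dict[str, str]) -> Finding:
    """Decide what a mismatch means by looking at which of the three sources
    agree, rather than only at expected-vs-actual."""
    d, e, a = directory.get(name), device_expected.get(name), actual.get(name)
    if d is None and e is None:
        status, action = "unmanaged", "none (no policy covers this setting)"
    elif a is None:
        status, action = "not_applied", "apply directory policy"
    elif d == e == a:
        status, action = "compliant", "none"
    elif d == e:
        # Both expectations agree; only the registry moved: classic decay.
        status, action = "decayed", "re-apply cached policy"
    elif e == a:
        # Device enforces exactly what it was told, but the directory has moved on.
        status, action = "stale", "refresh policy from directory"
    elif d == a:
        # Registry already matches the directory; only the cache is out of date.
        status, action = "cache_stale", "refresh policy cache (value already correct)"
    else:
        status, action = "stale_and_decayed", "refresh from directory and re-apply"
    return Finding(name, d, e, a, status, action)


def compliance_report(directory: Dict[str, str], device_expected: Dict[str, str],
                      actual: Dict[str, str]) -> Dict[str, Finding]:
    """One Finding per setting seen in any of the three sources."""
    names = sorted(set(directory) | set(device_expected) | set(actual))
    return {n: classify_setting(n, directory, device_expected, actual) for n in names}


def audit_lines(report: Dict[str, Finding]) -> list:
    """Audit-log style lines: what was applied, from which source, and why."""
    return [
        f"{f.setting}: status={f.status} directory={f.directory_value!r} "
        f"device_expected={f.device_expected_value!r} actual={f.actual_value!r} "
        f"action={f.action}"
        for f in report.values()
    ]


if __name__ == "__main__":
    for line in audit_lines(compliance_report(DIRECTORY_POLICY, DEVICE_EXPECTED, DEVICE_ACTUAL)):
        print(line)
```

In a real deployment the two "expected" inputs would come from the device's local policy cache and from the directory (for example a Resultant Set of Policy query), and the "actual" input from the registry keys those policies write; the classification logic is the part that does not change.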
There’s a lot more to Endpoint Policy Manager, of course. Click here for all the details and also check out John Fontana’s story in Network World for a customer perspective.