How do you enforce security policies with consultants?

Opinion
Mar 25, 2004 | 2 mins
Networking, Security

* As work forces move away from the office, challenges ensue

We’ve written quite a bit lately about the security and connectivity challenges of an increasingly mobile and remote workforce. Last time, we mentioned that Zone Labs recently began shipping a “clientless” software product that enterprises can install in their data centers. The software will check that non-employees with some access rights to their networks (consultants and business partners, for example) are not posing a threat to their networks by using PCs infected by worms, viruses and Trojan horses.

It would also be useful if some of these products and services could allow more flexible policy enforcement by very large enterprises that use many part-time consultants and contractors. This would require buy-in by the enterprises themselves, of course.

Consider, for example, a consultant with five enterprise clients, each of which requires the consultant’s PC to run a policy-compliant software image. The consultant could potentially need five different computers, possibly with five different anti-virus, personal firewall, intrusion detection and other applications, to meet the requirements of each company.

Would it be possible for enterprises with large numbers of contractors to require that the contractors use certain versions of one of, perhaps, two or three leading security software packages? That way, if I use Norton Antivirus software, and my clients permit access with current versions of Norton, McAfee, Network Associates, or Trend Micro software, I could potentially be in compliance with each company using a single product.

Zone Labs has made a start with its clientless solution, and has hinted that it might be doing more in this area. For now, says Zone Labs’ vice president of marketing Fred Felman, “The solution is to be less concerned about what must be running than what must not be running” – meaning infected or suspicious software.