|
A small, fast-growing medical staffing company in Irving, Texas, has been learning as it goes about how to create and enforce secure computing for its traveling account managers. Moving cautiously, Martin, Fletcher & Associates, has extended features of the corporate security architecture to mobile laptops, coupled with deploying a range of products to protect the data on about 60 laptops and their access to the corporate net.
The company limits the data on the laptops, enforces security policies on them, creates a range of tailored access permissions via Windows Active Directory and Group Policies, and uses a VPN for remote connections. “The security we were able to put in place allowed us to move into a mobile workforce,” says Fabi Gower, vice president of information systems for Martin, Fletcher. “We wouldn’t even consider it until then.”
Founded in 1999, Martin, Fletcher contracts with hospitals and other healthcare clients to fill a range of staffing needs. The firm has grown from five to 150 employees. About 60 of them are account managers who are constantly on the road meeting with customers. But it was only two years ago that Martin, Fletcher felt it had the pieces in place to give those managers laptops and network access.
In the corporate LAN, Microsoft Windows Server 2003, with Active Directory, provides the backbone for username/password management, group security policies and permissions. The latest operating system features let the IS staff assign specific groups permissions (read, write, delete, add and so on) for specific folders or even documents. A firewall with VPN from WatchGuard Technologies rounds out the basic net architecture.
About four years ago, the top executives decided they wanted to control data transfers and unauthorized software programs. “Today [with USB devices] that covers a very broad category of things,” Gower says. “Even some printers nowadays can be considered storage devices.”
Eventually, Gower found Sanctuary Device Control, a software program from SecureWave. The client/server software installs securely on desktop and laptop PCs. With it, the IS staff has highly detailed control over the PCs’ interfaces and peripherals. “We have complete control over any device that’s plugged into our network,” she says.
Policies for users are set via a central console, which can draw on user information from Active Directory. Gower can disallow the use of CD-ROM drives for all users, or allow them to play music CDs only. On request, an IS staffer can remotely unlock a specific CD-ROM drive for a stipulated time period, so an account manager can download and run a marketing video. At the appointed time, Device Control will lock the drive again. The mobile account managers may be granted certain permissions during the workday not allowed to desktop users, or vice versa.
Over time, the IT staff works with users to refine appropriate-use policies that Device Control enforces.
The laptops are equipped with wireless LAN adapters, and the company subscribes to T-Mobile’s Wi-Fi hot-spots service. The account managers can wirelessly connect at T-Mobile hotspots at Starbucks or airports, the VPN client authenticates them and they can access the corporate LAN.
Martin, Fletcher doesn’t overlook the most basic security features. “We provide [laptop] locks and keys to our users in case they leave the laptop in their hotel room,” Gower says.
Mobile users access e-mail via the Outlook Web Access, to the company’s Exchange 2003 Server. Similarly, they can now access a recently deployed Web-based CRM application designed for staffing companies called PCRecruiter from Main Sequence Technologies.
Handheld devices, including PDAs or smart phones, such as the Treo, are starting to create more demand for real-time data access. For these few users, Gower synchronizes e-mail between the Exchange Server and the sync server at Verizon Wireless, the company’s cellular carrier. Verizon then pushes e-mail to the Treo. But so far, this class of mobile device doesn’t have access to the corporate net.
Working closely with users is the essential ingredient in making all these pieces fit together in a way that makes users productive while keeping them, and their data, secure, Gower says. “I work to find [security] products that are the least offensive to our workforce,” she says. “I’m not a policeman: my job is to make their job easier.”
Often, users run up against security constraints because of ignorance, and Gower patiently explains that this is a key part of improving security. “Often, all that’s needed is an explanation, telling them what they didn’t know,” she says. “Like, ‘when you download a game from the Internet, you can download all kinds of spyware or viruses.’ And they say, ‘Oh, thanks: I didn’t know that.’”
|
