Normalized Endpoint Computing

Research Team Results

PSU Technology SolutionMat B. & Alice S

Overview of Solution

• The main focus of the proposed solution will be the utilization of Altiris CMS and migration of user data from local hard drive to network storage.

• This solution will require the purchase of the Altiris CMS Suite (Additional Plug-ins) , WISE package studio, and storage space for data.

• Finally, portions of this solution may require policy to be drafted, which will be the responsibility of the Technology Task Force working in tandem with the Tiger Team.

CONOPS• Security– Antivirus - Symantec for antivirus definitions, updated through

Symantec Endpoint Update Server (SEPS). – Network Access Controls – NAC would be a highly

recommended element for the management of endpoint devices– Encrypted Transmission – Web connections as needed, force vpn

for secure applications and services– SW Updates – Altiris CMS includes the functionality for software

management including updates– Endpoint FW - built in operating system level firewall – PII Discovery – Identity Finder – HD/File Encryption – PGP (MAC), BitLocker (Windows 7)– Audit – Symantec CMS– Physical access – No mandated policy

CONOPS (Cont.)• Efficiency

– Inventory Management – Retrieved with Symantec CMS, centrally stored within SDE through a sync process

– Image Deployment – Symantec CMS– Policy Admin - Uniform active directory and extended group policies– SW Management – Symantec CMS paired with approval policies.– HW/Lifecycle Mgmt – Symantec CMS paired with Life Cycle

Policy – Desktop Management – Folder redirection, and roaming profiles.

Local sync when needed (Policy determines what data/type is backed up)

– Remote Machine Access – Symantec CMS Built in client– Training – Initial infrastructure change then as needed with little

variance from what is currently typical

CONOPS (Cont.)

• DR– Backup – Server based storage. Replicated and archived.

Paired with data retention and management policy• Development

– Root/admin access - Least privileged mode operation is recommended for all users. Development machines can be provisioned (virtually or physically) on a private network segment.

– Self service after hours support – Symantec CMS white-list, and SDE self service portal. Privilege elevation.

Key Policy Considerations

• Server data storage • Policy development and enforcement• Restructure of the entire IT infrastructure (Network,

endpoints, etc)• Heavy focus on security• Development and enforcement of new procedures• Analysis and approval of user type (Stationary, mobile)• Implementation and support of new type of devices

(mobile phones, tablets, etc.)

SWOT Analysis

• Strengths of the proposed solution:– Centralized management of all

aspects of the endpoint (User data, software, etc)

– Highly user-noticeable increase in level of OTS services, and decreased labor requirements

– Little-to-no change in user experience– Major cost savings with purchasing

less laptops then currently

• Opportunities to leverage– Existing infrastructure (AD,

Partnership with Symantec)

• Weaknesses of the proposed solution:– Will require mass migration and

labor to implement

• Threats to success of the solution: – Lack of policy and enforcement– Lack of cooperation throughout

the organization– Lack of funding

Known Gaps in the Solution

• Limited software updates/patches provided automatically by Altiris