Promisec Endpoint Manager: So we gotta cope with BYOD... Help!

Don't shy away from grappling your users' wonky endpoints

Review: The explosion of internet-connected gadgets, sensors and other devices that underpins the "internet of things" concept makes my head hurt.

When combined with the completely new security model presented by IPv6, BYOD and cloud computing, automation of endpoint management is rapidly becoming non-optional.

I've started taking a look at some of the vendors in this space and Promisec Endpoint Manager (PEM) has jumped out at me as an interesting case.

Earlier this year I looked at over 100 endpoint management companies and then bashed together a quick overview of what the space looked like. There was not nearly enough space (or time) to report on them all, but the crux of the issue shone through: there's an endpoint management company for just about any combination or configuration of endpoints you could possibly want.

In my experience, most endpoint management companies are obsessed with getting as many different OSes as possible integrated into their application. Promisec differs in that it is not busy spamming OS support for everything under the sun - it supports Windows and Unix/Linux.

Promisec's approach to mobile devices is to identify them for you and say: "this widget is Android, this one is iOS." From there you can manage it with your preferred application for that device type. Promisec is content to take it a little slower and try to get everything right with one OS at a time before adding support for more.

How to judge this? On the one hand, Promisec comes out looking to some like a company that isn't keeping up with the rest of the industry. On the other, the majority of the endpoint management industry flails around like headless chickens spewing buzzwords but failing to inspire confidence.

Managing endpoints is big business, in no small part because your network is done for if you screw it up. Given this, I respect the company that chooses to do one thing well rather than try to be all things to all people.

How PEM works

To make the thing go, the system installs a "sentry" onto one of your sites. Sentries can be installed on any Windows system (including virtualized machines). The "sentry" gathers info and acts on what it discovers. This approach – called by various names such as agent, sentry or observer, depending on the company involved – is pretty typical of the endpoint management space, the biggest caveat being that you need one agent per subnet.

This means that there is nothing installed onto the endpoint you're going to manage. It scans your network using a variety of protocols in a manner that reminds me of LANguard sweeps, although Promisec is continuous and uses a different inspection methodology.

PEM manages more than just the OS; it also uses multiple APIs to scan for apps and it performs Network Access Protection (NAP)-like checks on the devices it uncovers. Is the OS joined to the domain? Is a given patch/app installed? Is a required service up? Make it so!

There is a white-list baseline service. Point the application at a "known good" system and pull a list of startup items, running processes, services, apps, etc. From there you can use that baseline to hunt non-compliant items on the network and kill them. Part of this is a Secunia-PSI-like update tracker that finds updates for third-party apps (such as Java) and gets them updated.
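The state checks and known-good baseline comparison described above can be sketched as follows. This is an added example, not Promisec's code or API: the inventory layout, the `audit` function and all sample data are assumptions constructed for illustration.

```python
# Added illustration: inventory layout and every name below are assumptions,
# not Promisec's data model or API.
CATEGORIES = ("startup", "processes", "services", "apps")

def norm(names):
    """Case-fold names so 'Spooler' and 'spooler' compare equal."""
    return {n.strip().casefold() for n in names}

def audit(baseline, required, endpoint):
    """Return sorted (finding, detail) tuples for one scanned endpoint."""
    findings = []
    # NAP-like state checks: domain membership and required patches.
    if required["domain_joined"] and not endpoint.get("domain_joined", False):
        findings.append(("not_domain_joined", endpoint["host"]))
    for patch in norm(required["patches"]) - norm(endpoint.get("patches", ())):
        findings.append(("missing_patch", patch))
    # Whitelist check: anything absent from the known-good baseline is flagged.
    for cat in CATEGORIES:
        if cat not in endpoint:
            # A category the scan could not collect is unknown, not compliant.
            findings.append(("scan_incomplete", cat))
            continue
        seen = norm(endpoint[cat])
        for name in seen - norm(baseline[cat]):
            findings.append(("unapproved_" + cat, name))
        if cat == "services":
            for name in norm(required["services"]) - seen:
                findings.append(("service_down", name))
    return sorted(findings)

# Constructed sample data (not from any real network).
BASELINE = {
    "startup": {"SecurityHealth"},
    "processes": {"explorer.exe", "lsass.exe", "svchost.exe"},
    "services": {"Spooler", "WinDefend", "wuauserv"},
    "apps": {"Java Runtime", "7-Zip"},
}
REQUIRED = {"domain_joined": True, "patches": {"PATCH-EXAMPLE-001"},
            "services": {"WinDefend", "wuauserv"}}
ENDPOINT = {
    "host": "ws-042", "domain_joined": False, "patches": set(),
    "startup": {"securityhealth", "updater_helper"},
    "processes": {"Explorer.EXE", "lsass.exe", "svchost.exe", "unknown_tool.exe"},
    "services": {"spooler", "wuauserv"},
    # "apps" is absent: the scan could not enumerate installed software.
}

if __name__ == "__main__":
    for finding, detail in audit(BASELINE, REQUIRED, ENDPOINT):
        print(f"{ENDPOINT['host']}: {finding}: {detail}")
```

Reporting an uncollected category as `scan_incomplete` rather than as clean matters for agentless scanning, where a blocked protocol would otherwise look like a compliant endpoint.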

PEM has the ability to lock out unauthorized hardware (USB, CD-ROM, etc.) and otherwise carries the endpoint management items you would expect to see. I am intrigued about how Promisec has combined these abilities together into a policy compliance engine.

PEM has "policy scanners" that check for things like CIS, NIST, PCI compliance and so forth. It will scan GPOs, Active Directory, etc. to make sure it all complies. You simply select a policy that you need to comply with, run the scan and it tells you what you need to fix.

The rah-rah selling feature of the whole thing is "right click remediation." Install the patch, app, start service, and so on, all from a single context menu in the management application. Combine this with the policy scanner idea and I like what's on the table here.

There's a place for this

I use a combined manager for my own network, and my weapon of choice is Mmsoft's PC Monitor. This is good enough for the needs of my three-person company and – most importantly, given my recently validated privacy paranoia – Mmsoft is Irish, not American. Though my current choice of provider is different, I can see a place for Promisec's PEM in the larger networks I manage.

I find myself constantly running into the issue of ignoring the desktops and even my servers. They feel old and comfortable. I know those computers. The operating systems and the applications that run on them fit like an old glove. Comfort leads to contempt and in the IT industry that is very dangerous.

I may well know my operating systems, applications and systems inside and out. The problem is that so does everyone else. The threat model I have to defend against is constantly evolving. My network isn't.

I'm up to my ears in planning for the next generation of server upgrades or trying to figure out what to do about BYOD, mobiles, cloud computing and the rest. In this environment, something like Promisec's PEM is a good thing. It keeps an eye on the old guard for me while I try to figure out what to do about the rest of the stuff out there.

If nothing else, the sheer diversity of endpoint management products is worth debate. What is your take, dear Register readers? Leave your thoughts in the comments. ®
