A growing number of users are mobile. While I’ve heard some people say these people will VPN and thus get security updates, I think that many of them don’t VPN in. They can do so much over on their phone, connect to mail over ISA, perhaps they are using a customer’s mailbox. Some are at customers’ sites and not allowed to VPN out. Others might be travelling and just not have the time. What happens to the security of these computers?
One of the things I found with NAC was an ability to see what was unpatched on my network. Problem is the NAC only works if the computer is on the network. Even if I was using a software NAC agent such as the one in Symantec Endpoint Protection, that provides enforcement only. It can’t report back to my management server inside my firewall.
As a Microsoft SCCM user, I looked at their configuration options to allow internet-based computers to connect to a computer. It seemed expensive, complicated and hard to implement. Native mode requires digital certificates. Our security policy would result in a duplicate SCCM environment on a border network.
I looked at Bigfix, but it seems they would require an inbound connection from the boundary server. That violates our company policy, so I had to keep looking.
I wondered if Microsoft DirectAccess would solve this issue. IPv6 and digital certificate requirements make this one a bit scary. An always-up VPN into our network is a bit scary as well.
That’s when I received a cold call from Fiberlink, a company that offers MAAS360, a product for mobile computer management, reporting, and patching from the cloud. I’m interested in using SaaS where it can be done securely and will save money. I signed up for an evaluation. Even with only a few computers installed, I can see some nice reporting capabilities. As we get a bit further in the evaluation, I’m going to see if this can solve problems also by deploying patches detected as missing.