This is the third part in our Zero Trust blog series. In the first part, I viewed the Zero Trust principle as a whole, and explained the common terminology regarding Zero Trust. The next one was about the principle of least privileged access, and how our product Centero Carillon helps in implementing it. Here I’d like to share how Centero Software Manager can be helpful when Zero Trust model is fitted for use in your organization.
A controlled environment or a slapdash array of applications?
To better understand the big picture, let’s use the previous blog post as a stepping stone. If end users have local admin rights, then it’s game over time. The users can install any applications they wish on their endpoint devices. Each one of those applications can cause extra work for IT support. On top of that, the applications are constantly updated and vulnerabilities are published.
According to our statistics, for example Adobe Reader, Adobe Flash, Google Chrome, and Mozilla Firefox were updated in total 79 times during 2019. Those are very popular applications, so it is completely justified to presume there are several updates every month in a common organization. When anyone is able to install new applications, the amount of updates starts to multiply.
This is exactly the reason there are lots of patch management solutions on the market. Centero Software Manager is one of those, but our goal is to make the progress more controlled. Uncontrolled environments accumulate uncontrolled applications more and more, all the time. That is why organizations often want a solution that can for example update over a hundred third-party Windows applications.
My own experience tells me that even a large organization can get by on a quite moderate amount of applications when the environment is controlled and locked down. When the application inventory is not under control, application updating is completely reactive, almost without exception.
This also means that an update-controlling application is monitoring the vulnerabilities in the inventory. When a vulnerability is detected, the application is updated in a defined way. Operating this way, there are probably un-updated applications in the mix, not detected or simply without current updates.
In the Zero Trust model, never trusting and always verifying is the key. An uncontrolled environment is completely at odds with this. In an ideal situation, an organization offers all the applications its end users need, in a controlled manner. Application lifecycle management and data security is effortless. Centero Software Manager is at its very best when the workstation environment is under control.
CSM and AppLocker
To sum it up, a controlled workstation environment is the precondition to Zero Trust. Controlling application updates and applying the principle of least privileged access pave the way for a functional and safe endpoint environment. Application control with Microsoft AppLocker is a superb addition to the whole.
AppLocker works the best precisely when allow-listing types of rules are used, thus only certain applications and folders are allowed. Sami Laiho wrote in 4Sysops blog how AppLocker should really be implemented. According to Laiho, allow-listing (also called whitelisting) is the only reasonable way to use AppLocker.
When trusted locations of the operating system are also allowed, everything is instantly much easier. The third main point Laiho makes is that end users should not have local admin rights, as they can be used to bypass AppLocker.
CSM is the extra player on the field
Patch Management is a completely different thing than application lifecycle management. CSM helps in application installing, updating, removing, testing, and functionality, to say the least. We also test the functionality each time a new version or a new application is introduced in the service. All in all, CSM product family has a strong emphasis on adapting the application scheduling and controlling processes on the go.
On top of that, we aim to tailor the applications to enterprise-ready packages, removing extraneous features and automated updating. Completely controlled update processes are therefore available for all organizations.
Did this tickle your interest in Centero Software Manager?
Sign up for a free one-month trial here »