Wednesday, March 7, 2007

Accept Additional Risk: Cancel or Allow?

At my current place of employment, there has been a push to adopt Mac OS X as a supported platform (and a push back against it). Apparently Macs are no longer just for indie musicians and graphic designers. In addition to the graphic designers, we have programmers, UNIX admins, and other random hipsters interested in toting around a new MacBook.

I recently discussed this issue in depth with my boss, the CISO. He worked with the desktop guys during the XP roll-out to reduce local admins, implement group policy security measures, turn off services, and basically harden the desktop image to where it is fairly resilient. The concerns about Macs are that they still lack the spiffy centralized security policy lockdown stuff that XP has, and that they are now very much on the list of platforms actively being analyzed for vulnerabilities. The whole x86 CPU (and therefore x86 shellcode) thing doesn't help, either.

Once you separate this issue from the nerd jihad, Mac OS X isn't so bad. In fact, a little bit of additional work, some means of centralized software management, and an AV client are enough to bring it into alignment with the XP machines and make it a reasonably low-risk venture. The TCO/ROI and in-house support stuff is someone else's problem.

After stopping to think about what it takes to bring a new OS into the security fold, it's not Macs that worry me. It's Windows Mobile on phones. Single-user OS, barely-there authentication, and when it's sitting in a cradle on a corporate desktop with the EVDO data link up, it's a potential back door into your network: a path from the carrier's network straight to the LAN that goes around your firewall and IDS entirely.

Damn. 'Cause I don't care what you say, the Treo 700 is way more nerdtastic than a 17" MacBook.
