Securing Users in Hybrid Mac-PC Environments
Windows tends to be the dominant operating system in most government agencies, but with the release of Mac OS 10.6 (Snow Leopard) and its seamless integration with Windows networks and Microsoft’s Exchange server for e-mail and calendaring, Macs are becoming much more commonplace.
In fact, Yankee Group research has found that nearly 80 percent of IT environments have some level of Mac presence. If you don’t yet have Macs in your company, chances are you will before long. Such a choice might be great for users. But if you’re part of an IT security team well-versed in securing Windows, how can you ensure that introducing Macs doesn’t introduce a host of new security problems?
One of the selling points of Macs is that they have fewer security problems than Windows machines, and although that point is arguable as a general rule, it’s true that more threats target Windows computers. That doesn’t mean Macs are foolproof, and as their use increases, so will viruses and malware that target them.
Macs also have a bit of a hidden danger: Because so many Mac users assume they’re immune to viruses and malware, they often choose not to run security software. That makes Macs an attractive target for hackers, particularly as an attack vector in an environment with both Windows and Mac computers.
In a hybrid environment where network resources and documents are constantly shared and exchanged between PC and Mac platforms, security is more important than ever. Thankfully, with the right combination of hardware, software and good old-fashioned IT policies and user education, you can keep both Macs and PCs on your network safe and secure.
Start at the Edge
These days, attacks and security threats come at your network from countless sources — and in all shapes and sizes. Because it’s a tall order for even full-time security experts to keep up with the bad guys, it’s crucial to put Internet and e-mail security appliances on the front lines of your network.
These network appliances are relatively inexpensive. They’re easy to install and integrate into your environment, and they’re constantly updated in response to the latest threats. This makes them a simple and powerful first line of defense. Blocking malicious e-mail attachments and limiting potentially dangerous Internet traffic at the network level, rather than relying on desktop software, means many threats can be eliminated before they even reach a user’s machine.
Network security appliances also help eliminate any chance of a file containing a virus targeting Windows, for example, to successfully make it to a Mac, only to be transferred to a Windows machine later. Granted, the Windows machine should be running an antivirus and antimalware application, but it’s best that a potential threat doesn’t even get that far into your network.
All Machines Are Created Equal
Macs and PCs are certainly different, but in terms of security, you need to treat them equally. Even if Mac users argue otherwise, operate under the assumption that Macs have all the potential security problems of Windows machines. This way, you won’t be caught off guard when the first big Mac exploit hits the Internet, and you won’t be lulled into a false sense of security by a virus- and malware-free legacy.
In a practical sense, this means all users must run the latest antivirus and antimalware software for their platform. This is vital in a hybrid environment because even if a PDF or Word document doesn’t target one platform, it may target the other, so a dormant threat on one machine may become active on the next. Luckily, Kaspersky Lab, McAfee, Symantec and Trend Micro all offer security software for both Mac and Windows platforms. Running the same software on both ensures a level of homogeneity in an otherwise heterogeneous world.
Also, make sure that your users are aware of the importance of applying the latest patches for their operating systems, and enforce OS update policies. As a general rule, it’s best to apply OS patches immediately as they become available. Unless your organization has a specific reason not to do so, enabling automatic OS updates on all machines keeps things as secure as they can be at the OS level.
Add a Mac Server to Your Network
If you’re concerned about having Mac clients in your environment in the first place, adding a Mac server to the mix may seem counterintuitive. But Mac servers offer a number of benefits and can make managing a hybrid environment easier.
Windows security teams are accustomed to leveraging Windows servers to push policies and updates to all Windows clients on the network. Windows servers obviously can’t perform this same task on Mac clients, but a Mac server can. By adding a Mac server to your network, you can manage your Mac clients much more easily and push updates and policies to Mac clients just as you do with Windows.
Ultimately, Security Tends to Be a People Problem
All the hardware and software in the world isn’t going to protect you from every threat. Even with adequate protections in place, there is no substitute for clearly written IT policies and user education. In many cases, a problem can start inside your network when one of your users unintentionally unleashes some bit of nasty code onto your network. Educating your users on the basics of keeping their computer — and, by extension, all your users — safe and secure, along with unambiguous policies covering what is and isn’t acceptable in your environment, can help mitigate threats.
Security in a hybrid environment is a concern, but it doesn’t need to keep security teams up at night. With layers of security hardware, security software and plain old common sense, PCs and Macs can coexist safely, securely and peacefully in your company.
- Run the same Internet security software on Macs and PCs, if possible. This will keep updates of virus definitions and other security features in sync between the platforms. Norton Internet Security and McAfee Endpoint Protection are full Internet security suites available for both Mac and Windows machines. If you’re looking for simple virus and malware protection, Kaspersky Lab, McAfee, Symantec and Trend Micro all offer software for both.
- Push as much security as possible off individual desktop systems and onto network appliances. By scrubbing e-mail and web traffic before it hits users’ desktops, you can eliminate many potential problems across all devices on your network. The McAfee Email Gateway and Symantec’s Brightmail line of products, as well as general security gateway solutions from Juniper Networks, SonicWall and Websense, all offer sound methods for squashing problems before they spread.
- Enforce policies requiring your users or IT staff to install, run and update security software as well as all operating system updates on the agency’s Mac and Windows computers.
- Re-evaluate your security policies. There’s no substitute for good policies. Educate your users regardless of their platform, and create and regularly update acceptable-use policies.