System Center Online Desktop Manager and Your Security

Microsoft, this last Wednesday, revealed a new service called System Center Online Desktop Manager (SCODM). In case you don’t know, they have for years offered a product with the same functionality, but it must be installed within a company’s network. SCODM is provided as an online service and it allows companies to centrally manage the configuration of their desktops. Organizations can control what software may be installed on the machines and how the web browser must be configured – as just a couple of examples.

Here’s the problem: how do we deal with HIPAA (Health Insurance Portability and Privacy Act), which places the responsibility for compliance on the organization? And HIPAA is just one concern; we must also think about PCI-DSS (a payment card processing guideline) and other, more niche regulations. Will Microsoft reveal how SCODM communicates with the managed machines, and the machines with SCODM, so that we can be sure we remain in compliance? I’m not sure, but these things must be considered.

The service may be beneficial to small and medium-sized businesses, but large organizations will likely choke on the thought of losing control. I think it was stated well by Jake Muszynski, an analyst at Nationwide Children’s Hospital in Columbus, when he said, “I don’t know that I want to store data about my machines and their vulnerabilities in the cloud.”

Is this just an issue for techies? Well, sort of. It also acts as a reminder for any business owner. Is your data secured? Have you thought about it lately? And this brings me to an important tip: watch what you blog and tweet about. You can reveal sensitive information that will make it easier to penetrate your network. This is the very issue of concern to Mr. Muszynski; he did not want information about his system configurations floating around in the cloud.

I teach computer security classes and one course I teach is on the topic of ethical hacking. For the uninitiated, ethical hacking is the process of discovering vulnerabilities in networks and systems with permission. Of course, unethical hacking is doing the same without permission. In these courses, one of the methods that students learn about is information gathering. One of the primary sources we use for information gathering is blogs and tweets by company employees. For example, imagine a company employee has the following set of tweets:

  • Upgrading my computer to Windows Vista
  • Planned to install service pack 1, but ran out of time… will finish tomorrow

This is a very simple example, but from it I now know that a Vista machine without the most recent updates may be on the network. I’ve seen far worse blogs and tweets, but I won’t post them here because you can still search and find them through Google and other engines. The point is simple: Microsoft has reminded us about the dangers of online content by announcing a new online service. The service may be valuable to many small and medium-sized businesses, but – regardless of size – we must be very careful about the content we place online through managed services and even social networks. I love social networking, but we must use caution when creating content.
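The two tweets above are harmless on their own and revealing only in combination. The following script is an added example (not from the original post) of the kind of pre-publication review a security team can run over its own organization's public posts: it flags mentions of platform versions, patch activity and admitted delays, and then correlates those hits across an account's recent posts rather than judging each post alone. The pattern lists and the sample feed are constructed for illustration; the category names and the risk labels are assumptions, not any product's taxonomy.

```python
import re

# Regexes for the three kinds of detail the post warns about. These lists are
# constructed for the example; a real deployment would extend them with the
# product names and ticket/KB formats used inside the organization.
PATTERNS = {
    # a named platform, e.g. "Windows Vista", "Windows Server 2003"
    "os_version": re.compile(
        r"\b(?:windows\s+(?:xp|vista|7|8(?:\.1)?|10|11|server\s+\d{4})"
        r"|ubuntu\s+\d+\.\d+|rhel\s*\d|macos\s+\d+)\b", re.I),
    # patching or update activity, e.g. "service pack 1", "KB123456"
    "patch_state": re.compile(
        r"\b(?:service\s+pack\s*\d|sp\d|kb\d{6,7}|hotfix"
        r"|patch(?:es|ed|ing)?|updat(?:e|es|ed|ing))\b", re.I),
    # an admission that the work was not finished
    "incomplete": re.compile(
        r"\b(?:ran\s+out\s+of\s+time|not\s+(?:yet\s+)?(?:installed|patched|updated|applied)"
        r"|finish\s+tomorrow|still\s+need\s+to|haven'?t\s+(?:installed|patched|updated)"
        r"|postponed|skipp(?:ed|ing))\b", re.I),
}

# Constructed sample feed: the two tweets quoted in the post plus a benign one.
SAMPLE_FEED = [
    "Upgrading my computer to Windows Vista",
    "Planned to install service pack 1, but ran out of time... will finish tomorrow",
    "Great lunch at the new taco place downtown",
]


def review_post(text):
    """Return {category: [matched phrases]} for the categories found in one post."""
    return {
        name: sorted({m.group(0).lower() for m in rx.finditer(text)})
        for name, rx in PATTERNS.items()
        if rx.search(text)
    }


def assess(hits):
    """Map the set of categories seen (in one post or a whole feed) to a risk label."""
    cats = set(hits)
    if {"os_version", "patch_state", "incomplete"} <= cats:
        return "high"      # named platform plus an admitted patching gap
    if len(cats) >= 2:
        return "medium"    # two of the three pieces are already public
    if cats:
        return "low"       # a single detail, e.g. just the OS name
    return "none"


def review_feed(posts):
    """Correlate hits across an account's posts.

    Individually low-risk posts combine into a high-risk picture, which is
    exactly what the Vista / service pack example illustrates.
    """
    combined = {}
    for post in posts:
        for cat, phrases in review_post(post).items():
            combined.setdefault(cat, set()).update(phrases)
    return {
        "risk": assess(combined),
        "hits": {cat: sorted(v) for cat, v in combined.items()},
    }


if __name__ == "__main__":
    for post in SAMPLE_FEED:
        print(f"{assess(review_post(post)):6s} | {post}")
    print("feed  :", review_feed(SAMPLE_FEED))
```

Run per post, the first tweet rates only "low" and the second "medium"; run over the feed together they rate "high", which is the reviewer's cue to ask the author to hold or reword the posts. The check is deliberately coarse: its job is to raise awareness before publication, not to replace a human read of the content.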