Uninterruptible Power Supplies

An uninterruptible power supply (UPS) provides continuous usable power to one or more devices. The primary purpose of a UPS is an integrated battery that provides power to connected devices when the AC power fails. When the AC power fails or even falls below usable voltage, the UPS automatically switches to its battery to provide uninterrupted power to any devices connected to the UPS. This feature allows the connected devices to continue operating normally during power outages. Because the backup power depends on the UPS battery, the duration of the power is limited—generally around 30 minutes.

Laptops typically do not need an external UPS given they can operate on an internal battery. Most UPS appliances also provide surge protection referred to as conditioned power. Meaning that any voltage surges are removed before providing power to devices. This surge-filtering capability protects connected devices from potential damage from high voltage.

Desktop Computers

Desktop computers have historically been the most common type of Workstation Domain device. That trend is rapidly giving way to laptops and mobile computing. Desktop computers are designed to be stationary and are often physically connected to an organization’s network to share information and devices. Because they are commonly connected to other network resources, it is important to carefully control access to these computers.

Most desktop computers have substantial local processing power and are often used to locally create and manage data. Although this ability can reduce the workload on other domain devices, it can also lead to data leakage. Users who are comfortable working with information locally on a desktop computer might not be diligent about backing up the information or perhaps about protecting the information.

Desktop computers have grown in power and storage capacity in recent years to the degree that they rival the capabilities of some server computers. This increase in power encourages users to install more and more software on their desktop computers. Allowing unsupervised software installations can lead to desktop computers that are difficult to support or even dangerous to your organization. Many computer problems relate to conflicts among programs that are competing for resources. Allowing users to install unapproved programs increases the likelihood of conflicts with approved programs.

A lack of desktop computer control also increases the likelihood that users will unknowingly install malicious software. A desktop computer with malware is not only a threat to locally stored information but also to all other devices connected to your network. It is important to understand the risks of allowing too much user freedom and implement the appropriate controls to protect your organization.

Laptops/Tablets/Smartphones

Many companies, in an effort to save money, are allowing individuals to use their personal devices for work, such as accessing company email from their smartphone. While this may save money in the short term, it does open new risks to the company. This practice is often referred to as “Bring Your Own Device” (BYOD). If BYOD is permitted, policies must be clear on acceptable practices. There must be a clear distinction between what security controls are required for corporate devices at work versus personal devices for work. For example, Blackberry products include enterprise mobility software products that isolate company applications from personal applications on your mobile phone. Meaning, while you are using the phone for personal use, the phone cannot access any corporate application.

As computers shrink in size and grow in capabilities, several new classes of computers now rival the desktop as the most popular type of workstation. Laptop computers are typically larger, more powerful class of portable computers. Laptop computers can do everything a desktop computer can do while maintaining a small enough profile to be very portable. Most laptop computers fit easily into briefcase-size bags and backpacks.

Tablet devices and smartphones have gained greater widespread capabilities and use. They are smaller and lighter than laptop computers. Their smaller size and lighter weight means that they have fewer hardware options and limited capabilities. Tablets and smartphones are designed to act as access devices to network devices and do not provide much local storage. Although they lack much local storage space, they still pose risks because of their support for network access.

As with desktop computers, it is important to control access to network resources and the ability to install unauthorized software. In fact, the need to control portable computers is more important than with desktop computers. The portable nature of laptops, tablets, and smartphones means these computers are transported and used at locations physically outside of your organization. In most cases, users connect portable computers to other networks when they are away from your organization’s building. Connecting to unprotected networks can be extremely dangerous. Users can pick up infected programs when connected to other networks and then introduce them the next time they connect to your network. Your security policy should include specific standards for using portable computers to connect to your networks.

Local Printers

A local printer is any printer connected directly to a computer. Local printers are not shared by multiple users. Because these printers are not connected to your organization’s network, they aren’t controlled from a central location. This means local users can print anything they want. Allowing users to access local printers without any controls can lead to several types of issues, including the following:

• Personal use of the organization’s resources—Users can print any files to local printers. This can include personal information that might violate the acceptable use policy.

• Disclosure of private information—Users can print files with little or no control over content. There is always the chance that printed documents could end up in the wrong person’s hands.

• Printer buffer access—Most printers retain copies of recently printed documents. It is not difficult to get a printer to reprint previously printed documents. It can be difficult to control this behavior on local printers.

Minimize local printer use in your organization. Printers should generally be networked and managed from a central location in another IT domain.

Wireless Access Points

Wireless access points typically encrypt the traffic between the workstation and the network. The authentication of the workstation and encryption of the wireless traffic is an important security control. As stated earlier in the chapter, a workstation can have a unique identity just like the user of the workstation. This workstation identity can be used to restrict workstation access to the network. For example, you could limit the time of day when a workstation is allowed to access the network.

When considering vulnerabilities to the workstation, access control is important. The objective of access control is to make sure only authorized people can gain access to data and services. But that objective in a wireless environment is different from a wired local area network (LAN). Access control is even more important for wireless WLANs (wireless local area networks) than for regular systems and networks because of the ease of accessibility and broadcasting of the data.

Wireless access points can pose serious threats to organizations. At first glance, they do not seem too dangerous, but they can provide damaging backdoor entryways into your network. These devices do have a place in a secure environment but not in the Workstation Domain. Modems provide a connection to another computer or network and belong in another domain where you can control them in a way that protects your network. Wireless access points provide a wireless connection to the network or computer systems.

Fixed Hard Disk Drives

Virtually all general-purpose computers have at least one internal, fixed hard drive. Computers primarily use fixed hard drives to store the computer’s operating system as well as application programs and data. Some leading-edge or special-purpose computers use solid state memory to store programs or information, but most of today’s computers use hard disk drives. Disk drives store files that contain data, instructions, or both.

Privacy laws and regulations address both types of file contents. Compliance with different requirements often means restricting how you access certain types of information or how you must store information. For example, under the Health Insurance Portability and Accountability Act (HIPAA), you must protect all private medical information from unauthorized disclosure. That often means using centralized storage with carefully monitored access and storage controls. You implement centralized storage in another IT domain, not in the Workstation Domain. Continuing the example, assume you use your workstation to access private medical information. You decide to copy the information into a document and store it locally on your workstation while you edit the information. The decision to store the information locally potentially just violated HIPAA. The problem is that you have just placed private medical information in an area that unauthorized users can potentially access.

You must carefully control what devices in the Workstation Domain can do. The good news is that you do have some control when Workstation Domain devices reach across domains. Storing information from another domain is only one issue. You also need to control files stored on the hard disk that originate outside your organization’s IT infrastructure. Outside programs and files often result from activity while you are connected to another network. In most cases, Internet access provides the inbound path for unwelcome files. Malicious files and software can infect unprotected computers and then spread to other computers and devices in your organization. Controls in the Workstation Domain for disk drive access can help prevent infections and protect the rest of your network.

Removable Storage Devices

One last category in the Workstation Domain includes devices you connect to computers as you need them. You use most of the devices in this category to store files to transport to another computer. These devices include the following:

• Removable hard disk drives

• Universal serial bus (USB) flash drives

• Removable CD-ROM and DVD drives

• Removable tape drives

There are other removable storage devices, but these are the most common. In fact, the most common devices are USB flash drives. These drives are compact, easily available, and can rival internal storage drives in terms of capacity.

Because you can transport removable media easily and connect it to other computers, it is important that you control the files you transfer both to and from any such devices. In general, you should control two types of transfers:

• Information you copy to a removable device to ensure you protect data privacy—This type of control keeps you from divulging private information.

• Data you copy from a removable device to block malicious code or data— This type of control prevents the rest of your environment from introducing malicious code.

Understanding the devices and components in the Workstation Domain is the first step to establishing controls to secure this domain. The next step is to understand data and device access controls. You will learn about Workstation Domain access rights and controls in the next section.