
User based policies for Sophos Endpoint Security & Data Protection

Hi all,

Today I lost a POC for Sophos Endpoint Security against a main competitor because Sophos does not have user based policies.

My customer required our policies to be user based. Especially, the device control policies. For example, when a VIP user or IT administrators log in from any location, they should be able to access their USB storage devices, but for normal user accounts, USB devices should be blocked. Currently, even though Sophos has good Active Directory integration options, we can only define policies for computer objects. Device white-listing is there, but it's not practical in large scale deployments or when a user requires unrestricted device access from multiple locations. I wonder whether there are any more Sophos partners who think that it's high time for Sophos to think about introducing user/group based policies for Endpoint Security & Control.

Best regards,
Pubudu.



  • Hi,

    Sorry to hear about you losing the POC. We are planning to add user based policies in a future release - with a focus on device control, application control, data control (DLP) (and perhaps some other things we have in the pipeline!). The current thinking is to maintain the ability to have a default machine based policy but layer user based policies on top, i.e. a user based policy would take priority over a machine based policy. I'd welcome any feedback on this approach.

    Not much help for the POC but we do have user based reporting in SEC 4 for app c, dev c, firewall and data c. This at least makes it straightforward to report on who attempted something against IT policy. Tamper protection in ESC 9.5 will also support user based reporting so wrists can be slapped if users start to try and guess the tamper protection password.

    Best regards,

    John

  • Hi John,

    Thanks for the info. I am actually very relieved to hear that Sophos is planning ahead for this. The layered approach you mentioned would be fantastic. I am now curious about the timeline we could expect the new functionalities :smileyhappy:

    Best regards,
    Pubudu

  • (whatever POC stands for :smileywink: - see 4. in SophosTalk usage best practice)

    The current thinking is to maintain the ability to have a default machine based policy but layer user based policies on top, i.e. a user based policy would take priority over a machine based policy. I'd welcome any feedback on this approach.

    Guess sooner or later someone will ask for an option to ignore user policies on specific computers. 

    Right away:

    - will it only work in AD environments?

    - will it be users and/or groups?

    - the same user (same SID) might have different rights on different computers (e.g. more "freedom" on "his" mobile device than on one of the desktops, or just the opposite). The simple approach of SEC's role-based administration (one user - one set of rights in all assigned sub-estates) might not suffice.

    @Pubudu:

    Sorry to hear.

    (a general remark) ... there are always ones focusing on features and there are always VIPs and exceptions. If we (the IT department) were required to block USB devices for the "normal" user accounts while permitting access for VIPs, I'd try exempting their USB devices - telling them "of course you have to use them but, you know, security and data loss and blah-blah, and by the way have you thought about encrypting these thingies?". Another product would save me some fight, perhaps, but won't do me much good in the long run.

    Christian

  • Hi Christian,

    Now we have Sophos Cloud! :catvery-happy:
