
User based policies for Sophos Endpoint Security & Data Protection

Hi all,

Today I lost a POC for Sophos Endpoint Security against a main competitor because Sophos does not have user-based policies.

My customer required our policies to be user based. Especially, the device control policies. For example, when a VIP user or IT administrators login from any location, they should be able to access their USB storage devices but for normal user accounts, USB devices should be blocked. Currently, even though Sophos has good Active Directory integration options, we can only define policies for computer objects. Device white-listing is there but it's not practical in large scale deployments or when a user requires unrestricted device access from multiple locations. I wonder whether there are any more Sophos partners who think that it's high time for Sophos to think about introducing user/group based policies for Endpoint Security & Control.

Best regards,
Pubudu.

  • (whatever POC stands for :smileywink: - see 4. in SophosTalk usage best practice)

    The current thinking is to maintain the ability to have a default machine based policy but layer user based policies on top i.e. a user based policy would take priority over a machine based policy. I'd welcome any feedback on this approach.

    Guess sooner or later someone will ask for an option to ignore user policies on specific computers. 

    Right away:

    - will it only work in AD environments?

    - will it be users and/or groups?

    - the same user (same SID) might have different rights on different computers (e.g. more "freedom" on "his" mobile device than on one of the desktops or just the opposite). The simple approach of SEC's role-based administration (one user - one set of rights in all assigned sub-estates) might not suffice

    @Pubudu:

    Sorry to hear.

    (a general remark) ... there are always ones focusing on features and there are always VIPs and exceptions. If we (the IT department) were required to block USB devices for the "normal" user accounts while permitting access for VIPs I'd try exempting their USB devices - telling them "of course you have to use them but, you know, security and data loss and blah-blah and by the way have you thought about encrypting these thingies?".  Another product would save me some fight, perhaps, but won't do me much good in the long run.  

    Christian

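An added example, not code from Sophos or from anyone in this thread, sketching how the layering described in the reply above could be resolved for a device-control setting: a per-computer default, user and group policies laid over it (user policy wins over machine policy), a per-computer switch to ignore user policies, and a per-user-per-computer override so the same SID can get different rights on different machines. All SIDs, host names, group names and the precedence order are constructed for the illustration.

```python
from dataclasses import dataclass

# Device-control outcomes for USB storage, most permissive first
ALLOW, READ_ONLY, BLOCK = "allow", "read_only", "block"


@dataclass(frozen=True)
class DevicePolicy:
    usb_storage: str   # ALLOW, READ_ONLY or BLOCK
    source: str        # which layer supplied the decision (kept for the audit trail)


@dataclass(frozen=True)
class Computer:
    name: str
    machine_policy: DevicePolicy
    honour_user_policies: bool = True   # False = "ignore user policies on this computer"


@dataclass(frozen=True)
class User:
    sid: str
    groups: tuple = ()


# --- constructed sample data (hypothetical SIDs, hosts and groups) ---
MACHINE_DEFAULT = DevicePolicy(BLOCK, "machine:default")

USER_POLICIES = {
    # a VIP account that may use USB storage wherever it logs on
    "S-1-5-21-1-2-3-1105": DevicePolicy(ALLOW, "user:S-1-5-21-1-2-3-1105"),
}

GROUP_POLICIES = {
    "IT-Admins": DevicePolicy(ALLOW, "group:IT-Admins"),
    "Contractors": DevicePolicy(BLOCK, "group:Contractors"),
}
# When a user is in several groups with policies, the first listed group wins
GROUP_PRECEDENCE = ("IT-Admins", "Contractors")

# Same SID, different rights on a specific computer (the third question in the reply)
PER_COMPUTER_OVERRIDES = {
    ("S-1-5-21-1-2-3-1106", "desktop-shared-01"):
        DevicePolicy(READ_ONLY, "user+computer:1106@desktop-shared-01"),
}


def resolve(computer: Computer, user: User) -> DevicePolicy:
    """Return the effective policy, checking the most specific layer first."""
    # 1. A computer flagged to ignore user policies keeps its machine policy
    if not computer.honour_user_policies:
        return computer.machine_policy
    # 2. A per-user-per-computer override beats everything else
    override = PER_COMPUTER_OVERRIDES.get((user.sid, computer.name))
    if override is not None:
        return override
    # 3. A policy assigned directly to the user (SID)
    if user.sid in USER_POLICIES:
        return USER_POLICIES[user.sid]
    # 4. Group policies, in declared precedence order
    for group in GROUP_PRECEDENCE:
        if group in user.groups and group in GROUP_POLICIES:
            return GROUP_POLICIES[group]
    # 5. Fall back to the machine's default policy
    return computer.machine_policy


def usb_decision(computer: Computer, user: User) -> tuple:
    """Convenience wrapper: (outcome, source layer) for USB storage."""
    policy = resolve(computer, user)
    return policy.usb_storage, policy.source


def audit_line(computer: Computer, user: User) -> str:
    """One log line per decision so exceptions stay reviewable."""
    outcome, source = usb_decision(computer, user)
    return f"host={computer.name} sid={user.sid} usb_storage={outcome} policy={source}"


if __name__ == "__main__":
    laptop = Computer("laptop-vip-01", MACHINE_DEFAULT)
    kiosk = Computer("kiosk-lobby-01", MACHINE_DEFAULT, honour_user_policies=False)
    vip = User("S-1-5-21-1-2-3-1105")
    staff = User("S-1-5-21-1-2-3-1200", ("Domain Users",))
    for host, who in ((laptop, vip), (laptop, staff), (kiosk, vip)):
        print(audit_line(host, who))
```

The ordering in `resolve` is the design decision the reply invites feedback on: placing the per-computer "ignore user policies" switch first means a locked-down kiosk stays locked down even for a VIP, while the user-plus-computer override sits above the plain user policy so one SID can be read-only on a shared desktop and unrestricted on its own laptop. Writing the winning layer into every audit line makes VIP exceptions visible rather than silent.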