Not only has there been a security benefit to whitelisting, but it has also helped Ponte get better control over software licensing compliance.

“So when we implemented the whitelisting program control, initially, there was some grumbling from users who wanted to run applications, for example, that we don’t own,” he says. “We don’t want users running applications if we haven’t paid for them.  It was pretty simple for us to do. And now, managing it is simple.”

One of the tricky parts of administering endpoints is the question of how to deal with endpoints not owned by the organization. Ponte explains that IFAW must contend with a number of users who belong to partner organizations and may need access to the network. He says that IFAW has evolved its policies to balance access with the security of network resources.

“We’ve moved from a policy [in which] only IFAW machines can connect to IFAW networks, period, to a sort of laissez-faire policy that wasn’t working, to giving our partners a bare-minimum necessary access. But as we increase access, we increase observation and security on those users,” Ponte says, explaining that client-side endpoint security software is only installed on user systems that need access to the network.

Of course, endpoint whitelisting can’t solve every security problem. Ponte has driven a number of initiatives to complement his use of Checkpoint’s product.

“I am using intrusion prevention from SourceFire, the creators of Snort, and that’s a key element.  I’m a heavy user of Microsoft organic tools for maintaining security, as we are budget-limited,” he says. “This includes MBSA, the Microsoft baseline security analyzer, which we have running via script and by a system management server and other tools. We use that heavily to make sure that our machines are up to date.  We use WSUS, the Windows Server Update Service, in combination with SMS to make sure that all of our machines receive security updates as quickly as possible.”

In addition, IFAW recently decided to run with a network-access-control project that will take advantage of the existing endpoint security client and a newly installed Hewlett-Packard Procurve-based network infrastructure to validate that each of the clients meets a minimum security baseline with up-to-date settings, patches and compliant programs running before they are allowed to join the network. Ponte says this is critical in a dynamic environment where machines are coming and going as users enter the network from trips out in the field.

 “I had a user show up just this week who had been traveling in the South Pacific from small island to small island and hadn’t been connected in something like 90 days,” he says. “It’s nice to know that that’s something that we can fix.”