The PC desktop is changing, so fast that what used to confidently be called the "desktop" is undergoing the sort of rapid evolution bound to throw up new and unfamiliar security challenges.

Technological developments such as smartphones, tablets and mobile operating systems can be wheeled out to partly explain this change. However, it is to the humble user rather than computer architectures or network topologies that we must pay the closest attention if we are to understand how the business desktop will be reshaped from the ground up over the next decade.

Put simply, employees are downloading and accessing a host of "grey" mini-applications, services and browser plug-ins, sometimes on an industrial scale, to run in parallel to traditional software licensed or developed to do the everyday work of a business. As well as introducing a high degree of uncertainty and risk, this turns the established model of software deployment on its head. Where once IT staff decided what ran, now employees have been handed the discretion to run what they fancy.

Organizations might want to ban alien applications and social media plug-ins, but they are also aware that some of these services and applications are part of longer-term industry changes that can also generate new possibilities for a business. Can a way be found to reconcile the two world views?

Most organizations have a written computer usage policy to define authorized behavior, which in specific instances will be enforced with an extra layer of technology to control which applications can run on a PC or open a port through the firewall. That offers certainty but is a blunt instrument that fails to address a range of underlying issues.

What happens if users misunderstand, forget or ignore the policy, or are simply socially engineered into installing risky applications?

Can organizations any longer rely on mere usage policies to form a reliable part of their compliance stance?

In any event, can applications be efficiently managed if IT staff lack reliable tools to perform simple discovery and control on a continuous basis?

One powerful and flexible tool with which to impose order on the chaos is a privilege management system. Technically, privilege management is a way of controlling applications that demand admin rights under Windows to function, a legacy programming model that presents obvious security risks.

Using such a system in a least privilege setting offers a way of blocking harmful applications (which often ask for admin rights to gain control of a target) while allowing "standard" users to elevate these privileges according to pre-defined policies.

But it doesn't stop there. Privilege management systems also come with a discovery and auditing function that admin staff use to assess the type of applications and rights used on a network over time; this provides a neat starting point from which to create a digital usage policy to replace the written protocols.

Once armed with a comprehensive picture of which applications are being used and under what conditions, the next stage is to divide applications into categories according to risk or their use to the business.

Leaving aside the hopefully small number of dangerous applications, there is no simple answer as to which applications and services run and which don't. Suffice to say, this is a grey area which demands that IT teams consult staff. Imposing a digital usage policy from "on high" is bad management.

A particularly difficult example is that of social media applications. For staff in one department these might offer no concerns to the business, while in another one down the hall data security issues would make unguarded use unthinkable.

Another example is consumer cloud storage services such as Dropbox, which have risen to prominence for the way they allow users to cope with data files across multiple types of "desktops," i.e. PC, smartphone, tablet, and even home computer, without resorting to insecure flash drives.

Many businesses without private clouds are keen to access such services but worry about the risk to data accessible from multiple systems using uncertain authentication and remotely managed encryption with no auditable compliance to speak of. Assessing where the limits lie with such services can be complex.

Windows 8

Adopting privilege management concepts will not necessarily offer a complete solution thanks to a growing band of apps – Windows 8 "Metro" apps for one – that install without asking for elevated rights. Granted, Microsoft's design improves on the mistake of creating applications that require privileges and end up being funnelled inefficiently through Windows User Account Control (UAC), but leaves hanging the question of whether even standard user apps should be allowed in the first place.

The challenge of Windows 8 apps is that the number of possibilities rises from the few dozen usual suspects found in today's desktop environment to, potentially, thousands or even tens of thousands.

An answer could be application whitelisting (allowing a pre-defined group of applications), or its twin, blacklisting (disallowing specific applications). As far as Windows 8 is concerned, Microsoft provides tools to manage Windows Store apps through AppLocker Group Policy, but privilege management systems will do the same job in a way that integrates with broader application management requirements.

Because it is impossible to authorize each and every app dynamically, the best way to proceed is to define a family of acceptable apps using whitelisting, updating this policy as regularly as practical.

The example of Windows 8 apps underlines the importance not simply of auditing the applications being used but of doing the same for the policy itself. Digital policies should never become fixed in stone; a good policy is always as recent as possible.

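As an added example that is not from the article or from Avecto's products, the PowerShell below turns the inventory of Windows Store apps on a reference machine into AppLocker publisher allow rules, stages the policy in audit-only mode so it can be reviewed and refreshed before enforcement, and reports which packages the policy would not allow. It assumes an elevated session on Windows 8 or later with the Appx and AppLocker modules; the policy file path is a placeholder.

```powershell
# Added example: whitelist installed Windows Store apps with AppLocker.
# Assumed location for the generated policy file (placeholder path).
$PolicyPath = 'C:\Policies\PackagedApps-Allow.xml'

# 1. Discovery: which packaged apps are installed for any user on this machine?
$packages = Get-AppxPackage -AllUsers
$packages | Select-Object Name, Publisher, Version | Sort-Object Name |
    Format-Table -AutoSize

# 2. Convert the inventory into publisher rules (signer, package name, version).
#    Publisher rules survive routine app updates far better than hash rules,
#    which is what makes "updating the policy as regularly as practical" feasible.
$fileInfo = Get-AppLockerFileInformation -Packages $packages
$xml = $fileInfo | New-AppLockerPolicy -RuleType Publisher -User Everyone `
    -RuleNamePrefix 'Baseline' -Optimize -Xml

# 3. Stage the Appx rule collection in audit-only mode first, so apps outside
#    the whitelist are logged rather than blocked while the list is reviewed.
#    (Assumes the generated XML marks the collection as NotConfigured.)
$xml = $xml -replace 'RuleCollection Type="Appx" EnforcementMode="NotConfigured"',
                     'RuleCollection Type="Appx" EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyPath) | Out-Null
$xml | Out-File -Encoding UTF8 -FilePath $PolicyPath

# 4. Merge into the local policy for testing; Group Policy is the route
#    for fleet-wide deployment.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge

# 5. Policy audit: list every installed package the policy would NOT allow,
#    which is the review list before switching the collection to Enabled.
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Packages $packages -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Rerunning steps 1 and 5 after the Store updates or new packages appear is the recurring check that keeps the whitelist as recent as the article asks for.
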
The conclusion from all of this is that the 'new desktop' is dynamic, fast-evolving and defined as much by what users do as by what IT vendors deem to be useful. The user is now in control of the organization's destiny and IT teams need to adapt. That's a huge change that asks not only for a new mind-set but for the tools to make such a world possible. What admins can't do is cling on to the past and its fading certainties.

Mark Austin is chief technology officer with Avecto in Manchester, England.
