Purpose
Establish a practical baseline for remote and hybrid environments that balances device autonomy with enforceable posture controls. The goal: maintain security integrity without slowing endpoint velocity or over-centralizing IT operations.
1. Baseline Definition
A baseline defines the minimum acceptable security state for a managed device — not a frozen image. It must be:
- Declarative: Represented as configuration policies or code (e.g., MDM profiles, CIS controls).
- Observable: Continuously measurable through management or telemetry tooling.
- Recoverable: Remotely repairable without re-imaging or hands-on intervention.
Think of it as a contract between device autonomy and enterprise assurance.
2. Core Baseline Controls
| Control Area | Objective | Example Implementation |
|---|---|---|
| Disk Encryption | Protect local data at rest | FileVault, BitLocker, or LUKS enforced via MDM |
| Patch Enforcement | Maintain current OS & software versions | Auto-update policies with ≤48-hour deferral |
| Device Identity | Ensure only trusted endpoints authenticate | Conditional access tied to device compliance |
| Privilege Management | Limit and log administrative actions | Temporary elevation with MFA and justification |
| Endpoint Telemetry | Maintain audit and detection visibility | EDR + unified log forwarding (e.g., Sentinel, Splunk) |
| Network Posture | Enforce safe connections | Always-on VPN or ZTNA client verification |
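
The three properties in section 1 (declarative, observable, recoverable) and the control table above can be tied together in code. The following is an added example, not part of the original page: the baseline is expressed as data, each control is measured from a device telemetry record, and every failure carries a remote remediation rather than a re-image. The telemetry field names, the sample device and the remediation strings are assumptions made for illustration.

```python
"""Added example: a declarative endpoint baseline evaluated against device telemetry.

Control names mirror the table on the page; telemetry field names, the sample
device record and the remediation actions are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Declarative: the minimum acceptable state as data, not a frozen image.
BASELINE = {
    "disk_encryption": {"accepted_tools": {"FileVault", "BitLocker", "LUKS"}},
    "patch_enforcement": {"max_deferral_hours": 48},
    "device_identity": {"require_compliant_attestation": True},
    "privilege_management": {"require_mfa": True, "require_justification": True},
    "endpoint_telemetry": {"require_edr": True, "require_log_forwarding": True},
    "network_posture": {"accepted_clients": {"vpn", "ztna"}},
}


@dataclass
class Finding:
    control: str
    compliant: bool
    detail: str
    remediation: str = ""  # remote repair action, empty when compliant


def evaluate(device: dict, now: datetime, baseline: dict = BASELINE) -> list[Finding]:
    """Observable: every control is measured from telemetry fields.
    Recoverable: every failure maps to a remote action, never to re-imaging."""
    findings = []

    enc = device.get("disk_encryption", {})
    ok = bool(enc.get("enabled")) and enc.get("tool") in baseline["disk_encryption"]["accepted_tools"]
    findings.append(Finding("disk_encryption", ok, f"tool={enc.get('tool')} enabled={enc.get('enabled')}",
                            "" if ok else "Push MDM encryption profile and escrow the recovery key"))

    # An update is overdue once it has been available longer than the deferral window.
    limit = timedelta(hours=baseline["patch_enforcement"]["max_deferral_hours"])
    overdue = [u["name"] for u in device.get("pending_updates", [])
               if now - datetime.fromisoformat(u["available_since"]) > limit]
    ok = not overdue
    findings.append(Finding("patch_enforcement", ok, f"overdue={overdue}",
                            "" if ok else "Force install through the update policy; deferral window exceeded"))

    ok = bool(device.get("compliance_attested"))
    findings.append(Finding("device_identity", ok, f"attested={ok}",
                            "" if ok else "Deny access via conditional access until the device re-attests"))

    # Each elevation must carry both MFA and a recorded justification.
    bad = [s["id"] for s in device.get("admin_sessions", [])
           if not s.get("mfa") or not s.get("justification")]
    ok = not bad
    findings.append(Finding("privilege_management", ok, f"sessions_missing_mfa_or_justification={bad}",
                            "" if ok else "Revoke the elevation and require MFA plus justification"))

    ok = bool(device.get("edr_running")) and bool(device.get("log_forwarding"))
    findings.append(Finding("endpoint_telemetry", ok,
                            f"edr={device.get('edr_running')} forwarding={device.get('log_forwarding')}",
                            "" if ok else "Restart the EDR agent and re-enable log forwarding"))

    net = device.get("network_client", {})
    ok = net.get("type") in baseline["network_posture"]["accepted_clients"] and bool(net.get("connected"))
    findings.append(Finding("network_posture", ok, f"client={net.get('type')} connected={net.get('connected')}",
                            "" if ok else "Require the always-on VPN/ZTNA client before granting access"))
    return findings


def posture_report(device: dict, now: datetime) -> dict:
    """Collapse findings into a compliance verdict plus the remediation queue."""
    failed = [f for f in evaluate(device, now) if not f.compliant]
    return {
        "compliant": not failed,
        "failed_controls": [f.control for f in failed],
        "remediations": [f.remediation for f in failed],
    }


# Constructed telemetry record for one hybrid-worker laptop (sample data, not a real device).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DEVICE = {
    "device_id": "LAPTOP-0001",  # constructed identifier
    "disk_encryption": {"tool": "FileVault", "enabled": True},
    "pending_updates": [
        {"name": "security-update-2024-06",  # constructed, available for 72h (> 48h window)
         "available_since": (NOW - timedelta(hours=72)).isoformat()},
    ],
    "compliance_attested": True,
    "admin_sessions": [
        {"id": "elev-17", "mfa": True, "justification": ""},  # MFA present, no justification
    ],
    "edr_running": True,
    "log_forwarding": False,
    "network_client": {"type": "ztna", "connected": True},
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_DEVICE, NOW):
        print(finding)
    print(posture_report(SAMPLE_DEVICE, NOW))
```

Run against the sample record, the evaluator passes disk encryption, device identity and network posture, and fails patch enforcement (the update exceeded the 48-hour deferral), privilege management (elevation without justification) and endpoint telemetry (log forwarding off). Feeding the remediation list to the MDM or EDR console is what makes the baseline recoverable without a hands-on visit; the same evaluator can be run on every telemetry refresh to keep the baseline continuously observable.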
