Written by Simon Bisson
Over the last decade, changes in IT philosophy and implementation have meant traditional methods of delivering security no longer work effectively. Increased mobility and the growing consumerisation of IT mean knowledge workers no longer have fixed, easy-to-manage desktop PCs. Instead, they rely on laptops, portable storage, and cloud services to manage their day-to-day tasks.
Added to this, in the data centre, there’s a shift to working within business processes rather than individual applications. This has meant that traditional security boundaries are no longer easy to implement.
New approaches to endpoint security and changing boundaries
Security experts have talked about “deperimeterisation” and “reperimeterisation” as techniques for creating a modern security model. Instead of using the old model constrained by mediaeval castle metaphors, where firewalls and other security appliances manage access to walled-off networks, modern security architecture is more fluid.
This also means that, instead of protecting hardware, you protect the information, tightly controlling access and securing data. That doesn’t mean an end to the traditional tools, like anti-malware and managing user privileges, or even abandoning network security techniques like firewalls. What you get instead is a change of emphasis that understands your users’ needs, and the information they need to work with, aiming to protect data above all else.
Once you know the value of the information you need to protect, endpoint security techniques can properly focus on managing trust relationships between devices and services. You can use tools like Microsoft’s DirectAccess, for example, to link clients directly to servers without going through traditional Virtual Private Networks, simplifying things for your users. In this model, trusted devices are tested as soon as they connect, using Network Access Protection tools, to ensure they comply with your IT policies before being allowed to use any network resources.
Into the cloud
It’s easy to make the mistake of seeing endpoints as purely physical devices. As companies shift to using cloud services to work with often-sensitive data, it’s important that the resulting distributed networks have an appropriate set of security and management policies that blends desktop, on-premises and in-cloud environments.
You’ll find that role-based security approaches work well with cloud services, using strong authentication tools (including two factor authentication) to control user access. It’s an approach that makes user actions easier to audit. You can make the cloud even more secure with encryption tools and hashing techniques to ensure cloud data is partially anonymised, reducing the risk of privacy breaches while still processing your data with cloud resources.
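As an added example of the “hashing techniques to partially anonymise cloud data” idea above (this is not code from the article), the following assumes a keyed HMAC pseudonym for direct identifiers, with the key and the re-identification map kept on-premises and only the pseudonymised records sent to the cloud:

```python
import hmac
import hashlib
import secrets

# Constructed sample records, standing in for customer data bound for a cloud service.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 120.50},
    {"email": "bob@example.com", "postcode": "M1 1AE", "spend": 42.00},
]

DIRECT_IDENTIFIERS = ("email",)             # fields replaced with a keyed pseudonym
PSEUDONYMISE_KEY = secrets.token_bytes(32)  # stays on-premises; never sent to the cloud


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). A plain, unkeyed hash of a low-entropy field
    such as an e-mail address is not anonymisation, because candidate inputs can be
    hashed and compared; the secret key is what makes the token unrecoverable."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (cloud_safe_records, lookup). `lookup` maps pseudonym -> original value
    and is retained only on-premises so results can be re-identified later."""
    cloud_safe, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = pseudonym(rec[field], key)
            lookup[token] = rec[field]
            out[field] = token
        cloud_safe.append(out)
    return cloud_safe, lookup


def reidentify(cloud_records, lookup):
    """Join cloud-side results back to the original identifiers using the local map."""
    return [
        {**rec, **{f: lookup[rec[f]] for f in DIRECT_IDENTIFIERS}}
        for rec in cloud_records
    ]
```

The same pseudonym is produced for repeated values, so the cloud side can still group or count per customer without ever holding the identifier itself.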
Other endpoints you’ll need to manage are the APIs and service connectors used to link different parts of a workflow. Here you can use authentication and encryption tools to verify service subscribers, ensuring that only trusted connections can be made.
It’s important to ensure that any endpoint security model you use protects customer and business data, and keeps the risk of data breaches to a minimum.
Controlling desktops
If you’re using these techniques with mobile users, you can mix secure connections with policy-driven whole or partial disk encryption, as well as using sandboxed application environments to lock down desktops and prevent unauthorised software from affecting your network security. Virtualised applications will run in secure local partitions on client devices, and storage redirection can keep sensitive data on centrally managed secure storage arrays.
You can even use virtual desktop tools to avoid using local processing or storage completely:
- Consider using application virtualisation to control applications
- Task workers can be given locked down virtual desktops with minimal rights
- Secure central storage to control data
The prime directive: protect your customer data
Online criminals are getting more and more sophisticated, and while malware protection remains important, what’s most important is keeping control of information and ensuring data loss does not occur. Businesses and IT managers in particular have a responsibility to protect data, and must make sure data usage complies with the requirements of the Information Commissioner. Making sure your endpoints are secure goes a long way to meeting those requirements.
Other issues that need to be considered when implementing an endpoint security model are:
- It’s important to understand the use and role of non-liable (employee-provided) devices
- You will need tools to manage flash and other portable storage
- Cloud services are part of your network, and need to be considered in any security model
- You will need to understand what third parties need access to your business systems, what information they need, and why
- It’s critical to know just how your business will both use and store customer data
- You need to understand the security models of any off-the-shelf software and tools, and how they integrate into your network
- You need to know the regulatory and audit environment that your business operates in.