Endpoint Security Gets Complicated

Users say protecting network endpoints is becoming more difficult as the type of endpoint devices — desktops, laptops, smartphones — grows, making security a complex moving target.

The problem is compounded by the range of what groups within corporations do on these devices, which translates into different levels of protection for classes of users on myriad devices.

Deciding the appropriate device defense becomes the No. 1 job of endpoint security specialists, says Jennifer Jabbush, CISO of Carolina Advanced Digital consultancy. Depending on the device and the user’s role, endpoints need to be locked down to a greater or lesser degree.

ZeuS botnet code keeps getting better… for criminals

For instance, Wyoming Medical Center in Casper, Wyo., has four classifications of PCs — open PCs in hallways for staff use; PCs at nursing stations; PCs in offices; and PCs on wheels that move between patient rooms and handle very specific, limited applications, says Rob Pettigrew, manager of technical systems and help desk for the center.

Pettigrew is deploying Novell ZenWorks to 850 of the center’s 900 PCs in order to make sure each class has the right software. With 110 applications and 40 major medical software systems to contend with, that makes a huge matrix of machine types and restrictions to contend with, he says.

In addition, physicians in affiliated clinics can access via SSL VPN, but they are limited to reaching Web servers in a physician’s portal that is protected from the hospital data network. Some Citrix thin-clients are also used to protect data from leaving the network, but overall the strategy for unmanaged machines is a work in progress, Pettigrew says. “We’re hoping to get more help desk,” to deal with the external physicians, he says.

One concern that can be addressed by endpoint security is data privacy, which is paramount for the Los Angeles County Department of Health Services in California, says Don Zimmer, information security officer for the department. He supports about 18,000 desktops and laptops and operates under the restrictions of Health Insurance Portability and Accountability Act  regulations. That means disk encryption, he says.

“If it’s not encrypted and there is a breach, then we have to start calling people,” he says. To avoid violating patients’ privacy and a loss of public trust the department encrypts the drives of all the PC endpoints with software from PointSec.

Equally important is keeping sensitive information off movable media that can plug into USB ports. The department uses Safend’s USB Port Protector product that either denies access to sensitive documents or requires that they be encrypted and password-protected before being placed on the removable device.

Zimmer says he is looking into data-loss prevention software as well that can restrict the access individual devices have to data. While the technology can be effective, it also requires that businesses locate and classify their data so they can set policies surrounding it — a job that can seem insurmountable depending on how data has been stored.

For Pettigrew, this means finding the 5% of sensitive data stored outside the medical center’s electronic medical records system.

Rather than deal with many vendors for specific endpoint protection products, some businesses opt for endpoint security suites, such as those that evolved from the antivirus roots of vendors including McAfee and Symantec.

Sam Ghelfi, CSO at financial firm Raymond James, opted for Sophos’ Endpoint Protection and Data Security Suite, which offers firewall, antivirus, data-loss prevention, antispyware, encryption and network access control (NAC). The company wants tight control over what Web content is available to users to minimize the malware coming in via basic Web browsing. The company uses a Sophos Web proxy that filters sites based on reputation but also the content that sites return.

Mobile devices that could contain confidential company information are disk encrypted, again using Sophos agents. If a device is lost or stolen, the encryption key is wiped out making it impossible to decrypt the contents of the hard drive.

Ghelfi says he believes in personal firewalls on individual machines because they can stop groups of devices from talking to other groups. Centrally managed, they can reveal network traffic patterns, he says.

He doesn’t use all the features of the Sophos suite, though. For instance, he is just getting around to implementing NAC to let unmanaged guest machines get on the network but still minimize risk that they are infected.

That will clear them based on authentication, access method and type of machine, but for contractors that require access to the main network, he also insists that they install the Sophos suite. Other unmanaged machines such as those of guests are allowed access only through a dedicated wireless network that leads to a limited set of servers in a network segment flanked by firewalls, he says.

Such endpoint security suites can be attractive financially, Jabbusch says, because customers can wind up with reduced agent, license and support fees and less management overhead. There may be a certain amount of convenience if customers decide to layer on more applications within a suite.

The newest class of device — smartphones — is presenting ongoing challenges as organizations figure out how to deal with them. Particularly dicey is whether to allow employees to use their personally owned devices for business and to access the business network.

The jury is still out, at least among state government CIOs. A recent survey by the National Association of State Chief Information Officers says that of 36 states responding to a survey, 39% say they allow personal smartphones if they are protected by state security measures. Twenty-sever percent say they don’t allow personal smartphones on their networks, 17% say they are reviewing stat policy and 17% say they don’t have statewide control — each agency sets its own policies.

A separate Forrester Research survey says 73% of businesses surveyed are at least somewhat concerned about smartphones being authorized for business use.

Jabbush says the type of smartphone is a factor. “I can’t imagine allowing an iPhone,” she says. “A BlackBerry is somewhat better,” because BlackBerries have a management infrastructure and the devices can be locked down to corporate policies.

Read more about wide area network in Network World’s Wide Area Network section.