The Four Pillars of Endpoint Security
Security is an advantage. The Bring-Your-Own-Device (BYOD) trend in enterprise IT has led users to expect anywhere/anytime access to sensitive data from any mobile device, but IT managers are nervous about serving sensitive corporate data to devices that lack sophisticated security controls.
By applying the Four Pillars of Endpoint Security, businesses can embrace BYOD, stay competitive and operate without interruption, which leads to higher productivity and business velocity.
What are the four pillars of endpoint security? In short, they are a framework for analyzing and prioritizing security technology investment in the enterprise. The pillars are:
- Endpoint Hardening
- Endpoint Reliability
- Network Prioritization
- Network Reliability
Technologies such as platform attestation allow server-side resources to extract high-assurance security claims from mobile devices. This helps keep sensitive data off malware- and rootkit-infested devices, and can also be used to enforce client attributes such as the use of hardware-based disk encryption. The latest generation of mobile devices supports a variety of high-integrity security features, including TPMs, SIMs, and other hardened cryptographic and data protection features.
The ability to make mobile devices self-healing is still a work in progress, but all of the major platforms have recognized the increased support cost, and negative user experience, that comes from supporting a wide-open application ecosystem in which discerning good software from bad is impossible for the layman. Curated app stores help endpoint reliability, although they don’t guarantee it.
This is moving in the right direction, but enterprises with sophisticated security needs must still distinguish between managed (e.g., an Active Directory domain-joined laptop) and unmanaged (typical smartphone) devices when it comes to granting information access. Enforcing patching and platform updates is key to maintaining endpoint reliability; technologies exist to do this across all platforms.
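The two points above, attestation-based claims about device state and a managed/unmanaged split in access decisions, fit together in one server-side policy check. The following is an added example, not code from the book or from any vendor's product: a verifier that takes a device quote (a server-chosen nonce, a boot-measurement digest standing in for a TPM PCR digest, and a claim set), checks freshness and integrity, and then grants full, limited, or no access. All device IDs, keys, and image digests are constructed for the example, and HMAC with a per-device key stands in for the asymmetric attestation-key signature a real TPM would produce.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample: per-device attestation keys known to the verifier.
# A real TPM signs quotes with an asymmetric attestation key; HMAC stands in
# for that signature so the example runs offline with the standard library.
DEVICE_KEYS = {
    "laptop-0001": b"constructed-laptop-attestation-key",
    "phone-0002": b"constructed-phone-attestation-key",
}

# Hypothetical known-good boot-measurement digests (one per trusted image).
LAPTOP_IMAGE_DIGEST = hashlib.sha256(b"corp-laptop-image-2024.03").hexdigest()
PHONE_IMAGE_DIGEST = hashlib.sha256(b"vendor-phone-os-17.4").hexdigest()
KNOWN_GOOD_PCR_DIGESTS = {LAPTOP_IMAGE_DIGEST, PHONE_IMAGE_DIGEST}

# Inventory: managed (domain-joined) devices get broader access than unmanaged ones.
MANAGED_DEVICES = {"laptop-0001"}


def issue_nonce() -> str:
    """Server-chosen challenge that binds a quote to one request (anti-replay)."""
    return secrets.token_hex(16)


def make_quote(device_id: str, nonce: str, pcr_digest: str, claims: dict) -> dict:
    """Device side, included only so the example is self-contained: build a
    quote over (device, nonce, measurement digest, claims) and 'sign' it."""
    body = {"device_id": device_id, "nonce": nonce,
            "pcr_digest": pcr_digest, "claims": claims}
    msg = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEYS[device_id], msg, hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify_quote(quote: dict, expected_nonce: str) -> tuple[bool, str]:
    """Verifier side: check the quote's integrity and freshness."""
    body, sig = quote["body"], quote["sig"]
    key = DEVICE_KEYS.get(body.get("device_id"))
    if key is None:
        return False, "unknown device"
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"          # body altered after signing
    if not hmac.compare_digest(body.get("nonce", ""), expected_nonce):
        return False, "stale or replayed quote"
    return True, "ok"


def access_decision(quote: dict, expected_nonce: str) -> str:
    """Return 'full', 'limited' or 'deny' for the device that sent this quote."""
    ok, _reason = verify_quote(quote, expected_nonce)
    if not ok:
        return "deny"
    body = quote["body"]
    if body["pcr_digest"] not in KNOWN_GOOD_PCR_DIGESTS:
        return "deny"    # boot chain does not match any trusted image (rootkit, tampering)
    if not body["claims"].get("disk_encryption_hw"):
        return "deny"    # required client attribute is missing
    if body["device_id"] in MANAGED_DEVICES:
        return "full"
    return "limited"     # healthy but unmanaged: restricted data set only


if __name__ == "__main__":
    nonce = issue_nonce()
    q = make_quote("phone-0002", nonce, PHONE_IMAGE_DIGEST, {"disk_encryption_hw": True})
    print(access_decision(q, nonce))
```

The nonce check is what makes the quote useful at all: without it, a compromised device could replay a quote captured while it was still clean. The digest comparison is exact-match against an allow-list; in production that list is maintained from the images you actually deploy, and the claims block would carry whatever other attributes (patch level, screen lock) the policy requires.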
Link encryption is a must-have. All web applications should enforce TLS; all clients support it. Don’t waste bandwidth on unencrypted or untrusted requests.
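One concrete way to enforce TLS at the application layer, as an added example that is not part of the original post: a WSGI middleware that redirects any plaintext request to its https equivalent and adds a Strict-Transport-Security header to every TLS response so that returning browsers never send the plaintext request in the first place. The sample application, host names and the `trust_proxy_header` switch are assumptions for the example; the switch matters because `X-Forwarded-Proto` is trustworthy only when a proxy you control sets it, and is otherwise a trivial bypass.

```python
from urllib.parse import quote

# One year, covering subdomains: the value browsers need before they will
# refuse plaintext to this host on their own.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def require_tls(app, trust_proxy_header=False):
    """Wrap a WSGI app: 301 plaintext requests to https, add HSTS to TLS responses.

    trust_proxy_header should be True only when TLS is terminated at a proxy
    that overwrites X-Forwarded-Proto; otherwise a client on plain HTTP can
    claim 'https' itself and skip the redirect.
    """
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if trust_proxy_header and environ.get("HTTP_X_FORWARDED_PROTO"):
            scheme = environ["HTTP_X_FORWARDED_PROTO"].lower()

        if scheme != "https":
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            path = quote(environ.get("PATH_INFO", "/"))
            qs = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{qs}" if qs else "")
            # Nothing from the plaintext request is processed; only the redirect goes back.
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def hello_app(environ, start_response):
    """Constructed sample application standing in for the real one."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def run_request(app, environ):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    env = {"wsgi.url_scheme": "http", "HTTP_HOST": "app.example", "PATH_INFO": "/login"}
    print(run_request(require_tls(hello_app), env))
```

Two caveats a practitioner should keep in mind: a redirect only protects the second request, since the first one already crossed the wire in the clear (hence HSTS), and a plaintext POST loses its body in the redirect, which is the correct outcome because that body should never have been sent unencrypted.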
More broadly, consider the role that network access control can play in protecting servers from unauthorized hosts by denying them access to bandwidth. For example, there are countries from which network traffic destined for critical internet-accessible infrastructure, such as US banks, should be completely and permanently blocked as a matter of national security. That doesn't eliminate the risk presented by compromised hosts located domestically, but it reduces it.
More nuanced application-level network prioritization policies can be employed as well. For example, media servers prioritize audio over video, and VoIP systems prioritize control data above voice data. VLANs, while generally ineffective as a security boundary, do make an effective policy boundary when it comes to network prioritization. Also consider standards such as DiffServ and IPsec, and the Quality of Service policy features present in operating systems such as Linux and Windows.
Many of the same proven security technologies and practices apply equally across traditional enterprise computing assets: routers, servers, laptops, and desktops. Don’t forget that (a) they need to be utilized and (b) they’re constantly increasing in sophistication. This applies whether the assets are mobile, private cloud, or public cloud.
To pick up a copy of The Four Pillars of Endpoint Security, head on over to Amazon.