By: Bob Tarzey, Service Director, Quocirca
Published: 24th January 2011
Copyright Quocirca © 2011
Any IT device, be it physical or virtual, that sits at the end of a network connection is an end point. From the point of view of security these can be grouped into two categories: those behind the firewall, including datacentre equipment, printers, desktop PCs and so on; and those that are, or can be used, outside the firewall.
This second group includes mobile end-user devices, such as notebooks, netbooks, tablets and smartphones, as well as other devices located in public places such as ticket readers, video displays and so on. For IT security staff, it is the mobile end-user devices that are the real nightmare as they need to have wide-ranging network access, can be used to store data and are easily lost or stolen.
Not so many years ago, for most organisations, the problem of securing mobile devices was confined to notebook PCs running Windows. That situation has changed completely, driven by the rapid take-up of smartphones and, in the past 12 months, tablet computers. Mobile devices present a challenge because they run a much broader range of operating systems from Apple, Google, RIM, Nokia/Symbian and HP/Palm. Microsoft is still there, but currently trailing badly in both categories. At the moment no one player looks set to dominate. Those tasked with securing the mobile user must cope with heterogeneity.
The problem presented by all this variety is further exacerbated by the growing impracticality of imposing corporate standards. The trend towards consumerisation, that is users wanting to use a device of their choice for their interface to IT, means that many organisations now face having to secure and manage any or all of the above operating systems.
There are three main security challenges:
Broadly speaking there are two approaches to achieving the required level of security. Rather than being viewed as alternatives, these should be considered as two ends of a spectrum of choices that security managers must make to provide the level of security that suits their organisation. There also needs to be enough flexibility to provide differing levels of security for different users depending on their role, location and the type of transactions involved.
At one end of the spectrum is device self-sufficiency. Here the device can be used to store data and access the internet via any connection—in effect it must be configured to operate and survive in the wild. This means having anti-malware software on the device, ensuring all confidential data is encrypted (which probably means full disk encryption) and other measures including on-device firewalls, remote disablement, SIM recognition and geolocation. All this can be achieved, but it is tricky to manage and the software involved consumes resources on the device.
At the other end of the spectrum is fully centralised security. Here the device is reduced to a network access point, no confidential data is allowed to be stored on the device, and internet access is via centralised proxies that have firewall and anti-malware capabilities built in. The technologies that help enable this include SSL-VPNs, virtual desktops, next generation firewalls, web-proxies and cloud-based content filtering services. The problem with this approach is that you can end up with choke points and the very benefits of the mobile user experience can become considerably reduced.
Wherever a given organisation places itself on this spectrum, the devices need managing. This requires management tools to ensure that security, system and application software is kept up to date and that compliance measures extend beyond the firewall to all devices provided with corporate IT access. Managed service providers are increasingly offering such services for those organisations that see the challenge of end-point security management as one they cannot take on in house. Quocirca’s freely available report, “The total MSP”, provides more detail.
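The spectrum described above (device self-sufficiency at one end, centralised proxies with no data on the device at the other) and the per-role, per-location, per-transaction flexibility it calls for can be expressed as a device posture check that a management tool runs before granting access. The following Python example is added here and is not from the article or from Quocirca; its role names, thresholds (30-day patch age, 7-day anti-malware signature age), decision modes and device records are constructed assumptions, and real MDM or NAC products expose posture data through their own APIs.

```python
"""
Added example (not from the Quocirca article): a posture-based access policy
that places each request on the spectrum between device self-sufficiency
("direct" access, data may live on the device) and centralised security
("via_proxy": device is only an access point, confidential data stays central).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Tunable thresholds (assumed values, not from the article).
MAX_PATCH_AGE_DAYS = 30        # OS/application patches older than this fail compliance
MAX_AV_SIGNATURE_AGE_DAYS = 7  # anti-malware signatures older than this fail compliance


@dataclass
class DevicePosture:
    device_id: str
    os_family: str                       # e.g. "ios", "android", "blackberry", "windows"
    disk_encrypted: bool                 # full disk encryption in place
    antimalware_present: bool
    antimalware_sig_date: Optional[date]
    last_patch_date: date
    remote_wipe_enrolled: bool           # remote disablement available
    sim_matches_enrolment: bool          # SIM recognition: SIM is still the enrolled one
    known_location: bool                 # geolocation inside an approved region


@dataclass
class AccessRequest:
    posture: DevicePosture
    user_role: str                       # "finance", "sales", "contractor", ...
    transaction: str                     # "email", "confidential_docs", "payments"
    today: date


@dataclass
class Decision:
    mode: str                            # "direct", "via_proxy" or "deny"
    reasons: List[str] = field(default_factory=list)


def compliance_failures(p: DevicePosture, today: date) -> List[str]:
    """Return the device-side controls that are missing or stale (empty list = compliant)."""
    failures = []
    if not p.disk_encrypted:
        failures.append("disk not encrypted")
    if not p.antimalware_present:
        failures.append("no anti-malware")
    elif p.antimalware_sig_date is None or (today - p.antimalware_sig_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("anti-malware signatures stale")
    if (today - p.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not p.remote_wipe_enrolled:
        failures.append("not enrolled for remote disablement")
    return failures


def decide(req: AccessRequest) -> Decision:
    """Choose an access mode from device posture, user role, location and transaction type."""
    p = req.posture
    failures = compliance_failures(p, req.today)
    # A device whose SIM no longer matches enrolment is treated as possibly lost or stolen.
    if not p.sim_matches_enrolment:
        return Decision("deny", ["SIM does not match enrolment"])
    # Sensitive transactions get direct (on-device) handling only from a fully compliant
    # device in a known location; otherwise the data stays behind the central proxy.
    if req.transaction in {"confidential_docs", "payments"}:
        if failures or not p.known_location:
            return Decision("via_proxy", failures + ([] if p.known_location else ["unknown location"]))
        return Decision("direct", ["compliant device, known location"])
    # Low-sensitivity traffic: contractors always go through the central proxy,
    # employees on compliant devices may connect directly.
    if req.user_role == "contractor":
        return Decision("via_proxy", ["contractor role"])
    if failures:
        return Decision("via_proxy", failures)
    return Decision("direct", ["compliant device"])


def demo_decisions() -> Dict[str, Decision]:
    """Evaluate three constructed requests; returns device_id -> Decision."""
    today = date(2011, 1, 24)  # constructed "now" (the article's publication date)
    fresh = today - timedelta(days=3)
    compliant = DevicePosture("nb-01", "windows", True, True, fresh, fresh, True, True, True)
    stale = DevicePosture("ph-02", "android", False, True, today - timedelta(days=20),
                          today - timedelta(days=60), True, True, True)
    swapped_sim = DevicePosture("ph-03", "ios", True, True, fresh, fresh, True, False, True)
    requests = [
        AccessRequest(compliant, "finance", "payments", today),
        AccessRequest(stale, "sales", "email", today),
        AccessRequest(swapped_sim, "sales", "email", today),
    ]
    return {r.posture.device_id: decide(r) for r in requests}


if __name__ == "__main__":
    for device_id, d in demo_decisions().items():
        print(device_id, d.mode, "; ".join(d.reasons))
```

The point of the structure is that the policy, not the device type, decides where on the spectrum a request lands: the same evaluator serves every operating system in the fleet as long as the management agent can report the handful of posture fields above, and the "via_proxy" fallback lets a non-compliant device keep working without confidential data ever reaching it.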
One final thought: consumerisation may be one of the reasons that security managers have to cope with such a diversity of end points to manage, but it has one advantage: users will take better care of their own device than one imposed on them by their employer. An employee’s love of their device may be one of the biggest contributors to better user end-point security.
A presentation by Quocirca entitled “End point security; the right protection in the right place” can be viewed here.
Published by: electronicdawn Ltd.