The question of how to "keep end user computing secure" is complex because of the proliferation of device types, the places users take them and the networks they connect through.
Making matters worse is the issue of device ownership: a recent Quocirca report, Getting to grips with BYOD, shows that the majority of organisations now accept user-owned devices being used at some level for work purposes.
So, where to start with ensuring all end user computing is as secure as possible? A Chief Information Security Officer (CISO) once told Quocirca that their organisation’s starting point was to regard all devices as potentially hostile, regardless of ownership. That is not a bad idea: a ‘good’ device, once compromised, soon becomes a ‘bad’ one.
However, other considerations must also be taken into account, in particular the degree of control that can be exerted over a device.
Managed and unmanaged devices
Managed devices are those an organisation owns and can do what it likes with, even though the custodian is one of its users. Applications can be installed, software licence use is controlled and punitive measures, such as device wiping, can be taken when devices are lost. A granular approach is necessary. The measures taken for a marketer’s laptop will differ from those appropriate to a field service engineer’s mobile device or a health worker’s tablet. Devices that stay firmly behind the firewall, including virtual desktops, will be treated differently from those that never come home.
Unmanaged devices are those owned by employees or by users from third parties, and it is harder to impose controls on them. In some cases permission may be sought to install software on user-owned devices, making them part-managed; however, this cannot be open-ended, since an unknown number of licences will be needed and the chosen security measures may not be available for every device type and operating system required.
If controls are applied to the data itself, then the device matters less, whether managed or unmanaged. This requires that an organisation has good knowledge of its data assets, in particular intellectual property (IP) and regulated data. Achieving this is a core capability of some of the product categories reviewed in this article. These fall into two main groups: centralised controls and on-device controls.
For each, the level of protection that is applied to data and the applicability of each control to managed and unmanaged devices are discussed. No one technology or vendor provides all of the protections a given organisation will require; most will need a mix of approaches. As always with information security, when it comes to end user computing a layered approach is necessary – time to tighten the belt and pull up the braces.
Centralised controls
With centralised controls the aim is to protect data and/or devices, often without any software having to be installed on the device; where that is the case, such controls apply equally to managed and unmanaged devices.
Network access control (NAC)
NAC is primarily a network defence, controlling which devices have access. However, NAC also has a role to play in maintaining the hygiene of user devices. Whenever a managed device attempts to attach to the home network, its security status can be ascertained and the necessary actions taken. NAC products that can operate without pre-installed agents extend these controls to unmanaged and unknown devices. Vendors include the network majors, Cisco, Juniper and Aruba, and specialists such as ForeScout, Bradford Networks and Portnox. A 2013 Quocirca report, Next-generation network access control, looked at some of the real-world use cases for NAC.
Data loss prevention (DLP)
DLP monitors data in transit over networks to stop it ending up where it should not. The primary aim is to prevent the theft and careless use of data. DLP also has a role to play in end user computing, as rules can define which users have the right to access which data, from which devices and from where. All the leading DLP suppliers have been acquired by larger security vendors, including CA, Symantec, Websense, EMC/RSA, McAfee and Trend Micro.
Digital rights management (DRM)
DRM can apply controls to data even after it has been copied to a user’s device. This is achieved by linking access to an online policy server. For example, a user may be able to read a document on a device but not print it, forward it or copy it. A recent Quocirca report, What keeps your CEO up at night?, looks at the use of DRM to prevent data misuse by insiders. Microsoft has DRM capability embedded in several of its products. A host of smaller vendors take a broader, end user-centric approach to DRM, such as Fasoo and Verdasys.
End point management and mobile device management (MDM)
For completeness it should be pointed out that making sure the system and security software installed on managed devices is kept up to date is an essential part of securing end user computing. This is the role of end point and mobile management tools. This is especially important if automated operating system updates are not switched on.
Security information and event management (SIEM)
SIEM is not an end point management technology in itself. However, it has two important contributions to make. First, it allows the behaviour of applications and users on end points to be reviewed in a broader context. For example, two access requests by the same user from different devices, made from widely separated locations within a short space of time, can be identified as a potential issue. Second, many end user security tools can provide a feed to SIEM and forensics systems for the investigations that follow an incident.
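The "same user, two distant locations, short interval" correlation described above is usually called an impossible-travel check. The following is an added example, not code from the original article or from any vendor it names; the log format, the coordinates and the 900 km/h threshold are assumptions, and the sample log lines are constructed. It groups events per user, sorts them by time, and flags any consecutive pair whose implied speed exceeds what an aircraft could manage. Pairs closer than a minimum distance are skipped, since IP geolocation of the same office can drift by a few kilometres between lookups and would otherwise produce false alerts.

```python
"""Impossible-travel check over authentication events, as a SIEM correlation rule.

Added example, not from the original article or any vendor it names. The log
format, the coordinates and the speed threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0    # assumption: ignore IP-geolocation jitter below this

# Constructed sample log (not real data). Assumed format per line:
# <ISO-8601 UTC timestamp> <user> <device> <latitude> <longitude>
# In a real deployment the coordinates come from geolocating the source IP.
SAMPLE_LOG = """\
2014-03-03T09:00:00Z alice laptop-01 51.5074 -0.1278
2014-03-03T09:45:00Z alice phone-07 40.7128 -74.0060
2014-03-03T09:10:00Z bob laptop-02 51.5074 -0.1278
2014-03-03T15:30:00Z bob tablet-03 48.8566 2.3522
2014-03-03T10:05:00Z carol laptop-04 51.5074 -0.1278
2014-03-03T10:00:00Z carol laptop-04 51.5074 -0.1278
"""


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    user: str
    device: str
    lat: float
    lon: float


def parse_log(text):
    """Parse the assumed whitespace-separated format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, lat, lon = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, user, device, float(lat), float(lon)))
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive logins by one user that imply travel faster than max_kmh.

    Events are grouped per user and sorted by time, so out-of-order input is
    handled. Pairs closer than min_km are skipped: geolocation of the same
    office can drift between lookups, and two devices in the same place are
    normal. Identical timestamps far apart yield infinite speed and are flagged.
    """
    by_user = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "devices": (prev.device, cur.device),
                    "minutes_apart": round(hours * 60),
                    "distance_km": round(km),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, only alice is flagged: London to New York in 45 minutes. Bob's London-to-Paris pair six hours later is well within the threshold, and carol's two logins from the same device and place are skipped by the distance floor. In a real SIEM the same logic would be fed by geolocated source addresses, and the threshold and distance floor would be tuned against known VPN egress points, which are the usual source of false positives for this rule.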
On-device controls
On-device controls are mainly applicable to managed devices. In many cases devices are compromised because they are lost or stolen. When a device ends up in the wrong hands, the new ‘owner’ will often just reset and resell it, with little interest in the data stored on it. However, asserting that this is likely to be the case will not satisfy regulators when sensitive data has been involved; better levels of assurance are required.
Device access controls
One of the most obvious protections that can be put in place is to require a password, or a stronger form of authentication such as a fingerprint, to access a device. In differing ways, such controls are built into operating systems and just need to be activated. However, a determined thief with physical possession of a device will generally find a way around device access controls on their own, so they need to be combined with the measures below.
Encryption
When centralised controls (or the lack of them) have permitted sensitive data to be stored on a device, local encryption should be used to protect it. Encryption capabilities are embedded in most operating systems; Symantec PGP, SafeNet and others provide cross-platform support. Encryption keys are often linked to device access controls, so if those are compromised, so is the data. Furthermore, data that is actually in use is not protected: users can still copy and forward it, and malware writers often aim to get around encryption by scraping data in use from memory. Encryption can also be turned against users; ransomware encrypts data and demands a fee for the key.
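The link between encryption keys and device access controls is worth seeing concretely. The following is an added example, not code from the article or from any vendor named in it; the derivation scheme, the four-digit PIN, the stored verifier and the deliberately low iteration count are assumptions chosen for illustration. When the data key is derived from the unlock PIN alone, anyone who copies the stored salt and verifier off the device can search the whole PIN space offline and recover both PIN and key. The example goes one step beyond the text by also showing the usual remedy: mixing a secret that cannot be read from the device (here simulated with a random value) into the derivation, which leaves the offline search with nothing to match against.

```python
"""Why a passcode-linked encryption key is only as strong as the passcode.

Added example, not from the original article or any vendor it names. The
key-derivation scheme, PIN length and iteration count are assumptions.
"""
import hashlib
import hmac
import os
from itertools import product

# Assumption: kept very low so the exhaustive search below runs in about a
# second. Real systems use far higher counts plus hardware-enforced rate limits.
ITERATIONS = 100
KEY_LEN = 32


def derive_key(pin, salt, hw_secret=b"", iterations=ITERATIONS):
    """Derive the data-encryption key from the unlock PIN.

    hw_secret models a secret that never leaves the device (for example a key
    held in a secure element). With hw_secret empty, the key depends on the
    PIN alone, which is the weak configuration the text warns about.
    """
    pin_key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=KEY_LEN)
    if not hw_secret:
        return pin_key
    return hmac.new(hw_secret, pin_key, "sha256").digest()


def make_verifier(key):
    """Value a device might store to check whether an entered PIN is correct."""
    return hmac.new(key, b"unlock-verifier", "sha256").digest()


def brute_force_pin(salt, verifier, digits=4, hw_secret=b"", iterations=ITERATIONS):
    """Offline search of the whole PIN space against a copied salt and verifier.

    Returns (pin, key, guesses) on success, or None. The search only succeeds
    when every input to the derivation is available to the attacker; a secret
    bound to the hardware is not, so the same search then finds nothing.
    """
    guesses = 0
    for combo in product("0123456789", repeat=digits):
        pin = "".join(combo)
        guesses += 1
        key = derive_key(pin, salt, hw_secret, iterations)
        if hmac.compare_digest(make_verifier(key), verifier):
            return pin, key, guesses
    return None


def demo(pin="2483"):
    """Compare a PIN-only key with one that also depends on a hardware secret."""
    salt = os.urandom(16)
    hw_secret = os.urandom(32)  # the attacker is assumed unable to read this
    weak_key = derive_key(pin, salt)
    recovered = brute_force_pin(salt, make_verifier(weak_key))
    strong_key = derive_key(pin, salt, hw_secret)
    not_recovered = brute_force_pin(salt, make_verifier(strong_key))
    return recovered, not_recovered


if __name__ == "__main__":
    hit, miss = demo()
    print("PIN-only key recovered:", hit[0], "after", hit[2], "guesses")
    print("hardware-bound key recovered:", miss)
```

The ten thousand guesses needed to exhaust a four-digit PIN are trivial for an attacker working from a copied image of the device, whatever the iteration count; the search is defeated only when a required input stays on the hardware, or when the hardware itself limits how often the derivation can be attempted. This is the reason the stronger device-access controls above matter to the encryption, not just to the lock screen.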
Anti-malware
Random and opportunistic malware still finds its way onto many poorly protected devices, aiming to steal personal data, recruit them to botnets or extort a ransom. Traditional anti-malware products from the major security vendors and from specialists such as Kaspersky, Panda, AVG and Avast help protect devices from such malware by blacklisting known bad code. As well as defending against malware, many provide broader controls, for example limiting the use of USB devices.
Advanced malware detection
Individual users are increasingly targeted specifically as part of broader campaigns to infiltrate organisations. Unique versions of malware may be used that are hard to detect with the signature-based techniques of traditional anti-malware. Many vendors have therefore developed more sophisticated capabilities, such as detecting malware-like behaviour. One approach is to run anything suspicious in a sandbox and observe what it does; FireEye and Trend Micro are two of the leaders in this area.
White listing
Why let anything run on a device unless it is known to be good? That is the philosophy behind white listing. Leading vendors include Bit9, Lumension and, for Windows only, Microsoft AppLocker. Where there is good reason to limit user activity, for example on point-of-sale devices and those of health visitors and field service engineers, white listing may make sense. For other users it will be too restrictive.
Isolation
Another approach is to limit the resources a program has access to, termed isolation. Here each application instance runs in its own virtual machine, and authorised applications are granted access only to the resources they need. Two vendors have emerged in this space: Bromium and Invincea. Another is Spikes Security, which focuses specifically on isolating a user’s web browsing, one of the most common ways for malware to end up on devices.
Containerisation and secure desktops
For mobile devices, especially user-owned ones where a level of management control has been agreed with the user, it makes sense to partition part of the device for specific activity. This is the essence of containerisation; the leading vendors include Good Technology and VMware’s AirWatch. Virtual desktop technology is also being adapted for use on mobile devices, which provides a similar level of protection. A final approach is to boot a secure desktop from a USB device using Windows To Go; Microsoft-certified suppliers include IronKey and Spyrus.