Why Endpoint Security Is Still Tough

By David Strom

There are still no magic, one-size-fits-all solutions for managing endpoint security.

Having tested a number of endpoint-security products and lectured to several audiences is still no substitute for actually seeing what works in the field and what doesn’t. And while the products are getting better, there are still no magic, one-size-fits-all solutions. I wanted to share with you some of the things I have learned from my visits.

Most of the vendors are very XP-centric, and some are only now getting around to supporting that other Windows operating system that is finding its way onto desktops, you know, Vista. And when it comes to non-Windows platforms, such as Mac OS, Linux and PDAs, most vendors are behind the times.

There are products, such as StillSecure's Safe Access, that support both agent and agentless operation, but many of the agentless products still provide only a small subset of the protection that their Windows XP agents do. Of course, one solution is to just standardize on XP SP2 for all your desktops.

Remediation measures are spotty, and in some cases non-existent. When your security product finds a non-compliant endpoint, how does it get fixed, and what does the end user see? Do you shunt the user off to a quarantined network, where they can't do much beyond updating their patch levels and browser protection? Or do you block them entirely?

How you implement this affects your support load, which is why many of you have not gone whole-hog into full automated remediation, even where it is available.

How you manage security policy across your entire enterprise can make or break which product you end up purchasing. Some of the products require considerably more work than others to integrate with the firewalls, intrusion-detection systems and other protective measures you already have in place.

In one shop, the corporation tied biometrics into its endpoint strategy to control network access. When users authenticate by swiping a fingerprint, they gain access to network resources and to a fully encrypted local hard drive. (In this case the encryption was the kind Seagate builds into some of its hard drives.)

Do you really need to protect everyone? Some of the shops I have seen deploy their endpoint software only for consultants, guests and others who aren't on managed desktops. Others have to protect everyone, such as my alma mater, Union College. It largely depends on your desktop population: the proportion of managed machines versus the proportion of guest workers coming in the front door.

The theory is that the managed desktop can be locked down, so you don't have to worry as much about those systems as about the random PC that walks in off the street, infected to the hilt. The same applies to the remediation measures you implement; you may want to start small here and work your way up.
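To make the two decisions above concrete (who gets checked, and what happens to a box that fails), here is a toy posture-check and enforcement engine. It is an added example, not code from the article or from StillSecure or any other NAC vendor; the check thresholds (XP SP2, week-old AV signatures), the VLAN names and the endpoint records are constructed assumptions. It shows the "start small" rollout as three enforcement tiers, audit-only, quarantine and block, and the scope switch between checking guests only and checking everyone.

```python
"""Toy NAC posture check and enforcement decision.

Added example, not code from the article or from any NAC vendor. The check
thresholds, VLAN names and endpoint records below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Rollout tiers, least to most intrusive, so you can start small (log only)
# and ratchet up to quarantine, then to outright blocking.
AUDIT, QUARANTINE, BLOCK = "audit", "quarantine", "block"

# Who gets checked: only unmanaged boxes (guests, consultants) or everyone.
GUESTS_ONLY, EVERYONE = "guests-only", "everyone"

MIN_XP_SP = 2            # assumed baseline: XP SP2
MAX_SIG_AGE_DAYS = 7     # assumed: AV signatures older than a week are stale
SAMPLE_DAY = date(2008, 6, 24)   # constructed "today" for the sample run


@dataclass
class Endpoint:
    hostname: str
    managed: bool                # corporate-imaged machine under IT control?
    os: str                      # "WinXP", "Vista", "MacOS", "Linux", ...
    service_pack: int = 0
    av_sig_date: date | None = None
    firewall_on: bool = False
    malware_found: bool = False


@dataclass
class Decision:
    action: str                  # "allow", "quarantine" or "block"
    vlan: str                    # where the switch/NAC puts the port
    failed: list[str] = field(default_factory=list)
    user_message: str = ""       # what the end user sees


def posture_checks(ep: Endpoint, today: date) -> list[str]:
    """Return the names of the compliance checks this endpoint fails."""
    failed = []
    if ep.os == "WinXP" and ep.service_pack < MIN_XP_SP:
        failed.append("xp-sp2-required")
    if ep.av_sig_date is None or (today - ep.av_sig_date).days > MAX_SIG_AGE_DAYS:
        failed.append("av-signatures-stale")
    if not ep.firewall_on:
        failed.append("host-firewall-off")
    if ep.malware_found:
        failed.append("malware-detected")
    return failed


def decide(ep: Endpoint, mode: str, scope: str, today: date) -> Decision:
    """Map an endpoint's posture to an enforcement action for the rollout tier."""
    home_vlan = "corp" if ep.managed else "guest-internet"
    if scope == GUESTS_ONLY and ep.managed:
        # Managed desktops are assumed locked down already; skip the checks.
        return Decision("allow", home_vlan, [], "Access granted.")
    failed = posture_checks(ep, today)
    if not failed:
        return Decision("allow", home_vlan, [], "Access granted.")
    # Deliberate exception to the tiers: a box with live malware is cut off
    # even in audit mode, because logging alone would let it spread.
    if "malware-detected" in failed:
        return Decision(BLOCK, "null", failed,
                        "Malware detected. Network access denied; call the help desk.")
    if mode == AUDIT:
        # Log the failures but let the user through; nobody calls support.
        return Decision("allow", home_vlan, failed, "Access granted.")
    if mode == QUARANTINE:
        # Remediation VLAN: only patch/AV servers reachable, user told what to fix.
        return Decision(QUARANTINE, "remediation", failed,
                        "Limited access until you fix: " + ", ".join(failed) + ".")
    return Decision(BLOCK, "null", failed,
                    "Device does not meet policy. Network access denied.")


if __name__ == "__main__":
    guest = Endpoint("consultant-laptop", managed=False, os="WinXP",
                     service_pack=1, av_sig_date=None, firewall_on=False)
    for mode in (AUDIT, QUARANTINE, BLOCK):
        d = decide(guest, mode, EVERYONE, SAMPLE_DAY)
        print(f"{mode:10} -> {d.action:10} vlan={d.vlan:15} failed={d.failed}")
```

Running the sample walks one out-of-date consultant laptop through the three tiers: it is let in with its failures logged under audit, lands on the remediation VLAN with a fix list under quarantine, and is denied under block. The support-cost point from above falls out of the code: only the quarantine and block branches produce a user message that generates help-desk calls, which is why you start in audit mode and ratchet up once you know how many machines would fail.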

This article was originally published on 2008-06-24
eWeek
