Assessing Your Endpoint Security Needs
As endpoint security technologies continue to proliferate, it can be difficult for IT managers to determine the best course to pursue. Here are some tips from those who have already taken steps to protect their endpoints.
Have a VPN that can protect smartphones and PDAs, especially when they are used for data entry. While there are many implementations of VPN clients for standard Windows and Mac computers, there are fewer products that cover mobile-phone-based operating systems. As these devices proliferate, they deserve the same level of protection that the standard desktop receives.
Some companies use different security products for their mobile devices. For instance, the Hill Country Memorial Hospital in Fredericksburg, Texas, uses SonicWall’s firewall but had problems with the company’s handheld VPN client on its Treo smartphones. So the hospital ended up using NCP Engineering’s Secure Entry client on 10 of its phones.
“We have people who visit patients in their homes in rural areas,” explains Ira Babb, the hospital’s network administrator. “Having the VPN coverage means that they can take vital signs and other data, but don’t have to come back to the hospital to upload that information. Plus, we save on travel costs.”
The hospital hasn’t had any interoperability issues either. “We haven’t touched the software once we set it up,” he says.
Control access on removable peripherals, especially USB-attached storage. Given that you can purchase 32GB USB flash drives for around $100, it’s easy enough to copy all your data on a removable drive. This presents all sorts of problems for network security managers, particularly if these drives become compromised. One solution is to run software agents on all desktops that control access to the USB ports and lock them down.
Mammoth Hospital in Mammoth Lakes, Calif., has been using DeviceLock for several months. “With the proliferation of USB drives, we needed to control access, especially since they have essentially replaced disks as a file-transfer medium between systems,” says Paul Fottler, the hospital’s IT operations supervisor. “We were concerned that some patient data could be carried out of our facilities in one’s pocket.”
The software from DeviceLock is configured on 300 PCs to lock access to the USB ports, record any activity on the DVD and CD drives, and make sure that no keylogging malware is installed on the hospital’s systems. Fottler set up policies in Microsoft’s Active Directory to install the software.
“Pretty much any input port on the PC can be locked down, including infrared and Bluetooth,” he says. “And you can build a whitelist of devices to enable them, rather than blocking everything.”
Understand what’s missing from your anti-virus and desktop firewall solutions and decide how you want to fill the gaps. Just because your users have desktop anti-virus protection and firewalls doesn’t mean that these systems are running or have appropriate updates. Many IT shops are complementing these security products to provide better endpoint protection.
One method is to start with an anti-virus supplier and then migrate users to a more complete network access control (NAC) product that can work in conjunction with the operating system. You can stick with your existing anti-virus supplier and either upgrade to its NAC product or use someone else’s NAC software. Another option is to scrap your anti-virus supplier for a more comprehensive solution.
Take SouthCoast Bank in Pleasant, S.C., which decided to upgrade its Sophos anti-virus software. “We originally wanted to open up our network to transfer files from our customers to make it more convenient for them to do overnight deposits,” says Paul Hollen, the bank’s chief operating officer. “I was nervous about the potential exposure, and that’s how we got started looking at NAC solutions. The more I looked at it, the more I wanted the NAC piece running on our internal Windows PCs as well.”
The bank upgraded its anti-virus clients with the full NAC solution, which is now on more than 300 PCs. “We now have better controls,” reports Hollen, “such as for guest workers like the repair technicians who want to bring their laptops into our networks to fix our multifunction printers.”
The city of Miami decided to scrap its existing anti-virus solution in favor of eEye’s Blink security software. It chose this product because of its promise of being able to protect the city’s machines from zero-day exploits.
“What really helped was eEye’s willingness to put skin in the game and work closely with us during testing, pilots and the eventual rollout,” says Nelson Martinez Jr., systems support manager for the city’s IT department. “That really separated them from the pack.”
FN Manufacturing took a different tack and added Skyrecon’s Storm Shield security software to complement its existing Trend Micro anti-virus solution. “We needed something better than the individually managed firewalls on our laptops,” says Olivier Vanderstraeten, the network security manager of the Columbia, S.C.-based weapons manufacturer.
“We wanted something we could centrally manage, especially after we calculated how much time we were spending updating our security policies. Also, many users don’t bring their laptops to our offices, so, this way, we can make sure they have the latest updates.”
Set identity access policies carefully. As the number of compliance regulations increases, it is harder to understand their implications in terms of which staff is responsible for maintaining which identity access repositories. Often, enterprises end up having multiple sources with conflicting policies.
At Citizens Bank in Riverside, R.I., David Griffeth, vice president for business line integration, did an extensive overhaul of his identity management program. In the process, he found that the automated provisioning tool was not sufficient for role management.
“We needed to efficiently create roles to marry people with processes and technologies,” he says, “but found that [the existing solution] didn’t support the role management life cycle and didn’t include applications outside of its provisioning scope. We also found that our program wasn’t as dexterous as the business: As soon as our business needs changed or we acquired another bank, we had to use paper forms to update our systems. The worst thing for an identity management program is to go stale and not evolve at the rate of your business.”
The bank wanted a solution that would define roles quickly and maintain them efficiently. In the end, it chose Sailpoint. “We can see application profiles and which departments have access to them on a daily basis,” Griffeth says, “and we can manage this when change occurs. Our new program cut down access to various systems by 10 percent or more, and really tightened things down.”
Choose encryption and apply it intelligently at the most appropriate places around your network. After studying its encryption needs, Prudential Financial chose Vormetric’s Data Security Expert encryption software. The software “gives us the ability to effectively encrypt server-based data at rest and manage that protection effectively,” explains Thomas Doughty, Prudential’s chief information security officer. “We had some customers who needed a tool to encrypt data at the device rather than re-engineering any of our databases.
“We wanted to remove the burden of encryption from the servers that held our data so that we could operate at wire speeds. This is different from whole-disk encryption products—which are still important, especially for mobile users who have to carry confidential data with them. With the Vormetric system, our customers’ data, such as group health insurance plans, are encrypted before any information enters our servers, so we can be sure that we can manage and protect the data properly.” The solution was also attractive because it can scale as Prudential’s business increases.
There are many endpoint security solutions. The key is to understand what needs protection and to find out what’s missing from your existing security strategies and solutions.