I really dislike writing or talking about security. I figure one thing I can do to keep my enterprise secure is to maintain a really low profile. Another aspect of my information security goal is to be just enough better than others, so that they present a softer target to anyone with nefarious goals. This seems a reasonable and manageable approach until I factor in managing endpoint security. Security at the edge becomes even more of a concern with the complete integration of technology into every aspect of our lives. The line that separates our business use of technology from our personal use of technology no longer exists.
Why is managing endpoint security such an issue? Because, in effect, users can be the administrators of their devices. They are accessing uncontrolled, unmonitored networks. (What type of antivirus does that coffee hangout use?) They are downloading and installing applications of their choosing. They are letting friends and family use their devices -- and rarely having those friends and family sign the company's acceptable-use policy or attend the security training. They are using thumb drives and cloud services to manage and transfer data. In other words, once that person leaves the safety of life behind our firewalls, it is the Wild West, and we only find out what trouble they found when they come back behind our firewall with an infected, virus- or malware-spreading device.
It all sounds pretty depressing. However, unless we want to impose strict control over the use of the devices -- and accept the associated career risk of being the IT department that is always in the way of usability, accessibility and freedom -- we need to accept the risks but then take steps to reduce the risks. But what can we do?
- From a policy perspective, make sure that sensitive data is either never on an at-risk device or is encrypted. This also implies that we define what we mean by sensitive data -- your enterprise can probably survive the loss of a customer list or the in-process proposal. Your enterprise will definitely be hurt if you lose credit card numbers or social security numbers or other types of data.
- Because the threats and the technology change so much, find ways to communicate and train employees on device and data security. Managing endpoint security is an ever-moving target. A practice or habit that was not a weakness a year ago might now be a gaping security hole.
- From the technology perspective, get serious about being up to date with your threat countermeasures. Select and deploy a quality antivirus system and maintain it. And make the antivirus updates automatic. A few years ago, I was visiting a remote location. The office manager handed me his laptop and said that it was really slow. I looked at his antivirus library and found that it was about 18 months out of date. When I did more checking, I found that he had disabled the automatic update feature in the software. Why? In his opinion, it took too much time for the update routine to run. Too long? It took about a minute! When I returned to the office, we did a global push and disabled the disable function.
- Since the endpoint is the weak link in the security chain, apply whatever tools you can to strengthen this link. These tools include host-based intrusion prevention systems, which secure the device OS independent of the network it is using, and the firewall on the device itself, which should be enabled.
- For device management, use remote imaging and remediation, apply directory policies that block access to certain sites, and monitor for and identify non-approved software on the device. And, if you need another reason to consider it, desktop virtualization keeps control of the endpoint data in the hands of the security and data center professionals.
The nice thing is that, as we become more mobile and smash the line between in-office and at-home use of compute devices, someone out there recognizes the new threats and develops a product or policy we can use to reduce the threat.
Niel Nickolaisen is CIO at Western Governors University in Salt Lake City. He is a frequent speaker, presenter and writer on IT's dual role enabling strategy and delivering operational excellence. Write to him at firstname.lastname@example.org.
This was first published in May 2013