If all else fails, protect the endpoint | SC Media

If all else fails, protect the endpoint

August 1, 2013

This month, we're back in that old defense-in-depth discussion. The endpoint has taken on both new importance and new dimensions in the overall information protection scheme. From the perspective of importance, today's enterprises have what we refer to as “semi-permeable perimeters.” That means that we are – ever so carefully, we hope – allowing certain components of outsiders' sessions to enter portions of the enterprise on the inside of the firewall. Sometimes that means entering through what amounts to a proxy, such as a web front-end, but entering nonetheless.

Access to a backend database via a front-end website running some application on behalf of the user is not particularly new, of course, but what is evolving is how deep we are allowing these visitors to go before they reach their objectives. We also see, especially with small businesses, an increasing tendency to contract IT services from outside, and then use something, such as GoToMyPC, to allow access by the contractor to such devices as point-of-sale terminals. That creates a new class of insider, a sort of “outside insider.” To be sure, these folks are being treated as if they were trusted users and, since they probably have high-level access, they conceivably can move around the enterprise like any other system administrator. With these sorts of controlled (we hope) accesses becoming more common, sensitive data on any endpoint is increasingly at risk of exposure.

At the end of the day, if all of our protections fail, either because a skilled intruder defeats them or an ill-informed user makes a bad decision, and we have not protected the endpoint, we may have opened up our enterprise to a lot of really bad things. That's what this month's reviews are all about.

There are some new trends and an unusually large batch of products. As one might expect, besides BYOD, mobile devices in general, and the usual traditional endpoint tasks, we could not avoid the impact of data leakage, especially into the cloud. But the biggest difference we saw this year was the shift to a data-centric rather than a device-centric model. This, really, should be no surprise with the emphasis on data moving freely between the several types of endpoint devices that a particular user might have.
