In today’s environment it is increasingly difficult for IT departments to manage the security of staff and all their activities.
A greater range of activities – using mobile devices, social networks, synchronising files to the cloud, sharing and collaborating using web based applications – combined with a range of operating systems and the rapid proliferation of smart phones and tablets, leaves IT with the challenge of supporting this changing environment, let alone securing it.
This raises the question of ‘who owns the end point?’ This question, or more specifically the answer, dictates directions and policy as to what can be done both legally and technically to protect the devices and, in turn, corporate information.
The first line of defence
We lock our houses, and businesses should follow this simple logic in the way they safeguard their security assets. The traditional endpoint and perimeter security may act as a house, but the doors and windows are opened for staff every day.
Perhaps more concerning is that the mobile device has the potential to leave the keys in plain sight. Without the appropriate safeguards at every access point as well as the end point, businesses bare themselves to the world.
Access to the endpoint, whether that be a phone, tablet or laptop, gives access to authentication credentials, social media and potentially corporate information, as well as what is on the device.
Either a breach or the loss of an end point can have extremely serious ramifications, both personally and professionally.
End points are a network of one
Traditional perimeter or gateway controls often leave gaps against an ‘anywhere, anytime’ IT environment. As we extend more data into mobile devices, organisations should look at what is required to create a perimeter to protect the information and where it is being used.
This individual perimeter may include elements such as data loss prevention, including encryption; virtual non-persistent extensions of corporate data into sandboxes within the devices; and anti-malware that controls web URL reputation, file reputation and application reputation, together with intrusion prevention and detection.
Include strong authentication – preferably strong password access – to access each device, and look at anti-theft and device wipe solutions.
Secure non-persistent corporate data sharing environments and develop policy enforcement where appropriate.
Cloud based security services that enforce security are also ideal in this space, as devices are always connected, irrespective of location, and are not reliant on corporate gateway security. Look to vendors who have complete user protection.
A centrally managed security solution for mobile, endpoints, gateways, data centres and key data assets is not marketing hype – it is the only strategy that can provide peace of mind in this modern environment and deliver the end to end security that organisations need.
By Peter Benson, senior security architect, Trend Micro New Zealand