“Endpoint security” is one of those common phrases that takes on different colorations depending on who’s doing the talking. The general definition is quite broad: an endpoint is a device that has permission to interact with a corporate network. Then things get tricky. Do you expand the definition to every device connected to a network? It’s absurd to count printers in that definition, but in this broad sense the definition may certainly include servers. How about desktop PCs? Although there have been cases of enterprising thieves carting away desktops, these devices are rarely removed from company premises. In both cases, servers and desktop PCs are subject to network security and remain behind the firewall.
Endpoint security more commonly operates on mobile devices that frequently disconnect from the network: laptops, tablets, and smart phones. Each and every one of these devices is at high risk for theft or loss or intrusion. Even worse, a thief or hacker may be able to gain authorized entry into a corporate network by using data stored on these devices. So let’s answer the question “What is endpoint security?” with this definition: endpoint security protects mobile devices from events that threaten corporate data and networks.
In the past, many businesses tried to mitigate mobile device risk by establishing policies against personal use of corporate mobile devices. It rarely worked as users would store personal data anyway, and were also increasingly likely to buy and use their own devices for personal and business data. In response, companies changed course and adopted an “if you can’t beat ‘em, join ‘em” policy. They instituted new security policies around Bring Your Own Device (BYOB) initiatives.
BYOB works well for employees who understandably want to do both corporate and personal tasks on the same device. But it is a growing challenge for IT, who must protect endpoint devices that have access to corporate data. And IT cannot simply use draconian security measures such as remote wipes if the employee owns their device and has permission to access corporate data on it.
How to Ensure Endpoint Security
Some corporations solve access risks by strictly using a VPN for mobile-to-network connections. However, VPNs are complex to deploy and administer, and many companies prefer to use endpoint security products for easier administration. These products encompass multiple protection areas although not all specific products may address all areas. As with any technology purchase, know your needs before buying. Common features include:
- Geo-location to detect a lost or stolen device, preferably at the street level instead of a city level. (Which is essentially useless.)
- Remote wipes let IT wipe a lost or stolen device’s storage. Look for the ability to classify corporate and personal data and wipe them separately, in case a user wants to take a chance on keeping personal data intact.
- Data loss prevention (DLP) shields corporate data from intrusion. Some endpoint security frameworks use application white listing, although this is more uncommon since the advent of BYOD. DLP also administers access permissions when the device attempts to connect to the corporate network.
- Data encryption for at-flight when the device remotely accesses the network.
- Anti-virus may or may not be included in an endpoint security suite. It’s critical of course but most laptops run separate anti-virus programs, and corporate anti-virus may automatically run when the network detects a device connection. Still, users can be careless with their anti-virus programs, so if your endpoint security suite includes anti-virus that may be a good thing.
Given multiple mobile devices per employee, manual client installation is an overwhelming task. This is why endpoint security systems are located inside the LAN or in the cloud, and access client devices via servers or gateways. The central application server pushes out security software and upgrades to individual devices as they connect to the network. IT maintains centralized control over device security.
Now, IT needs to consider the user when securing user-owned devices, especially when data destruction is involved. Say that a user reported that he lost his laptop in the airport. The laptop contains both personal and sensitive work data including network logins and passwords. IT attempts to geo-locate the device but cannot get closer than, say, Chicago’s south side. They issue a remote wipe. Two hours later airport security locates the laptop and returns it to the user – with a wiped hard drive.
In spite of this scary scenario, endpoint security is critical to protecting the network against bad actors. If you issue corporate mobile devices or have an official – or even unofficial – BYOB environment, protect your business. Deploy endpoint security to those at-risk devices.