Endpoint security is the weak link in many organizations’ security strategies. We spend time securing network assets, including company-owned endpoint devices, and then we allow personal devices onto these same networks. It might be a manufacturing company that hosts a sales meeting for people from across the region. Or it might be a thousand new personal devices that show up at a high school on a Friday night for a basketball game. Our networks are growing, our application sets and data volumes are growing, and at the same time we need to support a culture of BYOD (smartphones and tablets). All of this complicates or, in many cases, invalidates our security strategy.
A Strong Endpoint Security Foundation
As with most plans, doing this right requires creating a strong foundation. An endpoint security foundation starts with two basic strategies:
First is Network Access Control (NAC). For a device to access the network, it must meet specific, defined requirements. These would include being free of malware, running a current version of specified security applications and having the OS patched to minimum standards.
The second half of the foundation is having an internet-based segmentation solution in place. Working in conjunction with the NAC solution, segmentation needs to be able to automatically move a device to an assigned segment, monitor its activity and segregate it as soon as it strays outside of set behavior boundaries. The segmentation solution needs to cover the entire network so that all connections are managed under the same protection properties.
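The two foundation pieces can be sketched together as an added example (not code from this article or from any NAC product): a posture check gates admission, a compliant device is placed in a segment, and a flow outside that segment's boundary moves it to quarantine. The thresholds, segment names, port lists and the Device, admit and observe_flow names are all assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy values for illustration; not taken from any real product.
MIN_OS_PATCH = (2024, 5)        # minimum OS patch level as (year, month)
MIN_AGENT_VERSION = (7, 2, 0)   # minimum endpoint security client version
SEGMENT_ALLOWED_PORTS = {       # behavior boundary for each segment
    "corporate": {53, 80, 443, 445, 3389},
    "byod": {53, 80, 443},
    "quarantine": set(),        # isolated: no destination port is allowed
}

@dataclass
class Device:
    mac: str
    company_owned: bool
    malware_clean: bool | None   # None = no scan result reported
    agent_version: tuple | None  # None = no security client installed
    os_patch: tuple | None       # None = patch level unknown
    segment: str = "quarantine"  # default deny until admitted

def posture_failures(dev: Device) -> list[str]:
    """Return the admission requirements the device does not meet."""
    failures = []
    if dev.malware_clean is not True:  # a missing result counts as a failure
        failures.append("malware")
    if dev.agent_version is None or dev.agent_version < MIN_AGENT_VERSION:
        failures.append("agent_version")
    if dev.os_patch is None or dev.os_patch < MIN_OS_PATCH:
        failures.append("os_patch")
    return failures

def admit(dev: Device) -> str:
    """Assign a segment: compliant devices by ownership, all others isolated."""
    if posture_failures(dev):
        dev.segment = "quarantine"
    else:
        dev.segment = "corporate" if dev.company_owned else "byod"
    return dev.segment

def observe_flow(dev: Device, dst_port: int) -> str:
    """Segregate the device as soon as a flow leaves its segment's boundary."""
    if dst_port not in SEGMENT_ALLOWED_PORTS[dev.segment]:
        dev.segment = "quarantine"
    return dev.segment

if __name__ == "__main__":
    phone = Device("aa:bb:cc:00:00:02", False, True, (7, 2, 0), (2024, 5))
    print(admit(phone), observe_flow(phone, 443), observe_flow(phone, 445))
```

Treating a missing scan result, client or patch level as a failure keeps a device that reports nothing from being admitted by default.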
Endpoint Security Policies
With the foundation elements in place, a comprehensive security policy is critical to protecting network resources. The actual policy requirements may depend on the specific network application, but they should include:
Application control that prevents unauthorized applications from running on connected endpoint devices.
Running an endpoint client that includes antivirus capabilities as well as any necessary advanced endpoint security functions.
Endpoint devices and network hardware need to be regularly patched. This should be managed by the NAC solution.
Devices need to include an automated VPN to guarantee data is secure, particularly if the device is used on public Wi-Fi.