Hackers love endpoints—those end-user devices that connect to your enterprise network. With a little ingenuity, bad actors (outside or inside your organization) can access sensitive data through employees’ laptops and smartphones, the office security cameras, printers, and a host of other entry points.
Endpoint security protects your enterprise resources by safeguarding these end-user devices from breach or physical theft. But many organizations are asking how cloud computing fits into the equation. In this brief interview, Pluralsight instructor Terumi Laskowsky (TL) walks through the considerations and responds to frequently asked questions.
How has endpoint security changed in the era of cloud?
TL: A decade ago, organizations typically limited the type of end-user devices that could connect to the corporate network, which gave IT professionals significant control over device security.
In contrast, cloud involves broad network access, and the possible devices that can access the cloud are growing exponentially and more geographically distributed.
Gone are the days where equipment lived primarily on a corporate campus, accessed through highly secure VPN connections. Today’s devices often access the corporate network via the cloud, without this enhanced scrutiny in place.
Many enterprises utilize a hybrid deployment model where the cloud is an extension of on-premises infrastructure. This requires security professionals to consider an ever-growing assortment of endpoint devices, which all represent potential attack vectors and require risk management strategies to protect corporate resources and data.
How do you protect endpoints?
TL: First, it’s important to recognize that a device can be an attacker or a victim. So, you have to plan for both scenarios. How do you protect a device from a cyber attack? And how do you protect your corporate resources against a compromised device?
You can install an endpoint security solution in a device and control its behavior using an organizational security policy. For example, to protect against data leakage from these devices, the security policy could prohibit using USB sticks. Here’s another example: You could enforce whole-disk encryption in case someone loses their end-user devices. This is easier to do if your organization owns and manages the devices.
However, many employers allow personally owned devices to connect to the corporate infrastructure, especially from the cloud. This complicates the matter. If you allow your company to install an agent on your phone, who has control over your phone? How about your private data on the phone? Is your privacy protected? Organizations need to think through and resolve these questions.
What should an endpoint protection strategy include?
TL: Organizations need to catalog all devices that access corporate resources—from computers and smartphones to IoT devices such as fire alarms, thermostats, the sensors where employees swipe their badges to gain access to your building, and an ever-growing assortment of smart technology.
Anything that connects to your corporate resources can be a point of entry for a cyberattacker. This means you need a process for constantly updating your inventory of endpoint devices and managing each via an endpoint security corporate policy.
Your strategy also needs to identify who owns the responsibility for maintaining the security of each endpoint device. In some cases, the answer is IT. In other cases, you’ll need a formal shared responsibility agreement. For example, your facilities team maintains your thermostats. What aspects of security will they be responsible for? And what will IT handle?
This can’t just be an exercise on paper—a document that sits on a shelf and collects dust. When there’s shared responsibility, both parties need to formally acknowledge they understand their role. And you need an oversight process that periodically audits security for each of the endpoint devices.
When organizations don’t plan for shared responsibility, security can fall through the cracks.
Actor Henry Winkler said, “Assumptions are the termites of relationships.” In my opinion, they also are the termites of cybersecurity. A good endpoint security policy clearly articulates who is responsible for the security of each device so there are no assumptions or oversights.
How does the cloud deployment model affect endpoint security?
TL: Here’s a rule of thumb to consider when planning your cloud strategy:
Complexity increases overall security risk and complicates endpoint security planning.
If 100% of your corporate resources live in a private cloud (single tenant = you), your endpoint security planning is easier than with a multi-tenant public cloud.
When you have part of your corporate resources in one spot—say, an on-prem data center—and the rest with a public cloud provider (a hybrid cloud approach), you need security planning for both sets of resources. The complexity of connecting the two increases the risk of security vulnerabilities. Same with multicloud, where you’re utilizing two or more public cloud providers.
Each of these models requires a different level of effort to manage security risk.
What are endpoint security best practices when the cloud is involved?
TL: Applying security controls to the endpoint is just one step. Organizations must also apply security controls to the critical resources, such as networks, databases, and email systems, to detect and neutralize insider threats.
Second, corporations must beef up their detection of malicious behavior patterns in their infrastructure. This will help them respond to threats faster and isolate the internal threat agent quickly. This response can also update the security policy to enhance the security of all endpoint devices—features normally part of endpoint detection and response (EDR) solutions.
Third, have strong ingress (protection from incoming attacks from endpoints on the Internet) and egress (protection from exfiltration of data from the corporate network) filters. The best move: pair egress filtering, also known as DLP (data loss prevention) solutions, with endpoint security.
Fourth, apply attribute-based access control so that if an end user is connecting using an approved device with endpoint protection implemented from an approved location (i.e., attributes), they’re given greater access compared to those accessing the Internet using non-standard devices.
And finally, continue to use traditional protection of the endpoint itself if possible. We’re talking solutions such as strong encryption, anti-malware detection, host-based firewall, host-based intrusion detection and prevention, and remote-wiping capability.
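The attribute-based access control described in the fourth practice, together with the device inventory discussed earlier, can be modelled as a small policy evaluator. This is an added illustration, not code from the interview or from Pluralsight; the device catalog, site list, rule names and access tiers are constructed assumptions, and a request whose attributes are unknown or not in inventory is denied.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Mapping


class Access(IntEnum):
    DENY = 0      # not in inventory, no protection, or attributes unknown
    LIMITED = 1   # e.g. web mail only
    FULL = 2      # internal applications and data


@dataclass(frozen=True)
class Rule:
    name: str
    grants: Access
    required: Mapping[str, object]  # every listed attribute must match exactly


# Constructed policy (hypothetical rule names): highest matching grant wins
POLICY = (
    Rule("managed_device_approved_location", Access.FULL,
         {"approved_device": True, "endpoint_protection": True,
          "approved_location": True}),
    Rule("managed_device_elsewhere", Access.LIMITED,
         {"approved_device": True, "endpoint_protection": True}),
)

# Constructed sample data standing in for the endpoint inventory and site list
APPROVED_DEVICES = {"LAP-0001": "alice", "LAP-0002": "bob"}   # device -> owner
APPROVED_LOCATIONS = {"HQ", "branch-east", "corp-vpn"}


def derive_attributes(device_id, user, location, agent_reports_protected):
    """Turn raw request facts into the attributes the policy reasons about."""
    owner = APPROVED_DEVICES.get(device_id)
    return {
        # the device must be in the inventory *and* assigned to this user
        "approved_device": owner == user,
        # only trust the agent's protection flag if the device is managed at all
        "endpoint_protection": owner is not None and bool(agent_reports_protected),
        "approved_location": location in APPROVED_LOCATIONS,
    }


def evaluate(attrs, policy=POLICY):
    """Return (access tier, matched rule). Missing attributes fail closed."""
    best, reason = Access.DENY, "default_deny"
    for rule in policy:
        if all(attrs.get(k) == v for k, v in rule.required.items()):
            if rule.grants > best:
                best, reason = rule.grants, rule.name
    return best, reason


def decide(device_id, user, location, agent_reports_protected):
    return evaluate(derive_attributes(device_id, user, location, agent_reports_protected))
```

Because the attributes are derived from the inventory, keeping that catalog current (as the strategy section urges) directly determines which endpoints can ever reach the FULL tier.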
How do cloud providers help with endpoint security?
TL: Your stakeholders entrust you to protect their data. So, you need to own your security plan. While major cloud providers offer various endpoint security solutions, it’s vital to think of cloud security as a shared responsibility managed by you. Your organization’s reputation is on the line. You have bottom-line responsibility for security.