The end of the perimeter has brought fresh challenges in the rush to go mobile. How can enterprises make it work? By Mark Mayne.
Endpoint security is undergoing rapid change. Once the preserve of desktop security packages and software firewalls, it has been forced into a radical rethink by the explosive adoption of consumer devices within enterprises. As pressures on staff and technology have increased, mobile working has become commonplace, and the tools for the job have often become externalised and out of the reach of IT managers. BlackBerrys, iPhones and assorted smartphones are now in the hands of almost every manager in every business, but are they properly secured?
Securing these consumerised devices, most of which carry their own wireless broadband connectivity, is a weighty task, short of simply banning everything but internal desktops. There are two main schools of thought. The first contends that every device should have a security client in place, to mitigate threats before they can breach the extended network perimeter that the device represents. The second says: trust it all to cloud computing. There is a third school, trust Apple or RIM, but that doesn't cut it in the corporate world.
Richard Jacobs, chief technology officer, Sophos, surveys the field: “The traditional definition of endpoint security has been challenged in two ways – by increased productivity through mobile working, and by the need to reduce costs. We believe that there is a need to take security to the endpoint, to the users themselves. You simply can't stop users from using iPhones, and similar devices, and the trick is not to try.”
Caroline Ikomi, security engineer manager, Check Point, agrees: “The endpoint is changing, and security companies need to reflect this. In the short to medium term, we see widespread deployment of endpoint clients, allowing local encryption and AV/firewall control as the first step, alongside centralised controls interfaces for these clients.”
The growing demands of a mobile workforce will test any client-based security system severely. Advocates of network access control (NAC), for example, would point to that architecture as the answer to endpoint issues, but it becomes hard to enforce when unknown devices are connecting: a device with no agent on it has nothing to report about its own health and cannot be held to policy. Two of the most popular of these devices, the BlackBerry and the iPhone, run on proprietary code, and few third-party security vendors have developed products for them. This lack of oversight can be a concern for business.
Gunter Ollmann, chief security strategist, IBM ISS, believes that such devices are the next major battleground. “It has only been in the past 18 months that we have seen mobile customers begin to adopt a practice of patching and updating their smartphones. Previously, OS updates were almost never applied – and smartphones were open to security vulnerabilities for years at a time. At ISS, we studied a wide range of handsets, and in several popular models found serious security vulnerabilities. Some of these problems concern the underlying radio standards that the handsets are built on, so are likely to be widespread.”
Data breaches have pointed to the importance of encryption at endpoints that contain business data, and growing numbers of businesses are adopting encryption technologies. However, Amrit Williams, CTO of BigFix, is sceptical of the business case. “Encryption is a great boon, as long as the data is at rest. That covers theft or casual loss of the device, which is one loss case out of many – it really doesn't cover anything else.”
Ollmann is also concerned about the lack of attention paid to ‘tethering' of smartphones. “Even larger enterprises are yet to publish policies dealing with smartphone use. Bridging technologies between the smartphone and corporate HQ – such as Bluetooth and USB – provide a handy route for attackers. As cellular network speeds increase, this soft vector for attack will become popular. There hasn't been enough consideration of the dangers of bridging networks – even though the technology and user requirement to do so are commonplace.”
Additionally, mobile working has driven a rush away from the typical desktop to a more flexible laptop setup, and home working has increased the numbers of non-business-related desktop PCs accessing corporate systems remotely.
Ensuring that endpoints such as these are secure is a herculean task. Deploying strong two-factor authentication is part of the puzzle, but far from a total solution. Ensuring that the corporate laptops are running anti-virus/firewall and encryption is a vital step, but this still leaves a variety of vulnerabilities.
This is where the second school of thought comes in – cloud computing and, ultimately, desktop virtualisation. Cloud computing is everywhere right now, and everyone, from traditional AV vendors through to sales CRM system firms, claims to be involved. The benefits can include huge cost savings, but the downsides can be considerable. Says Williams: “The hype must surely have reached a peak by now. It seems a lot of people are confusing the cloud concept with the internet itself.”
A recent IDC survey found that 74 per cent of IT executives and CIOs cited security as the top challenge preventing their adoption of the cloud services model. However, Ollmann also believes that this response is down to a lack of clarity: “There is a lot of media attention about ‘cloud security' – in particular, confidentiality and trust – but much of this distrust can probably be attributed to confusion over what's happening. You'll often hear people discuss the spectre of not knowing where their data is within the cloud, and how it's not under their physical control. Meanwhile, they've outsourced critical customer and code development practices to the lowest bidder for the past half-decade.”
Jacobs adds: “Moving to the cloud is a general trend in corporate IT. Lots of people advise doing all your anti-virus detection in the cloud, for example. However, adopting this stance wholesale can lead to weaker, generic security policies and can also lead to difficulties getting updates out. The real question that should be asked here is: ‘Does moving process x to the cloud provide effective security?' ”
Some of the benefits of cloud services in general include lower resource demands on the endpoints themselves and a simpler, centralised update system. In spite of this, Jacobs believes the model needs optimising: “Spam and web malware product updates are increasingly getting too big to push out to multiple devices, and this needs an elegant solution. The web security question is an interesting case – appliances work well in a corporate environment, but are ineffective for roaming users. The only way road warriors can use this type of protection is to route all traffic through HQ, which is prohibitively slow, as traffic has to come down onto the endpoint, then back into the cloud. The current model doesn't make much sense.”
Williams is confident a cloud model holds many of the answers, but that the central question is about control and visibility, rather than security minutiae. “The loss of visibility is a huge problem, and one that needs to be addressed for the market to mature. The key is that an individual business can't change any settings. The best-case scenario is a good SLA, but this only provides a process, rather than a hands-on recourse in the event of a problem.”
The possibility of desktop virtualisation as the ultimate cloud-based service is an exciting one. Instead of worrying about the endpoint per se, the company should provide a browser-based secure desktop, goes the argument. Theoretically, this would ensure that any device, from internal Mac through to internet café PCs and iPhones, would be policy-controlled and secure. So is the return of the thin client assured for good?
Jacobs believes this is the way forward, but just not yet: “Virtualisation of the desktop will enable secure access through a wide range of devices, and will allow cost reduction as well as retaining control of the infrastructure. Additionally, the cost of managing desktops would be mitigated – there shouldn't be such a need to spend so much on managing Microsoft. However, it's a very expensive process to begin, and I don't see it coming of age for three to five years.”
In spite of his enthusiasm for the technology involved, Williams also believes that the barriers to entry are high: “Organisations need to tread carefully here, and move non-critical applications into the cloud first. Once trust has been established and reputations made, then the concept of virtualisation will sit better – you don't want to be the first business to make a mistake here. Also, in some cases, the cost of implementing virtual desktops is up to ten times the cost of managing physical environments and there is almost zero improvement in security or operational efficiency. Desktop virtualisation is not the magic bullet you are looking for.”
Securing the endpoint will be one of the most critical issues for security professionals over the next few years. The spectrum of technology involved is huge, and genuinely securing the business-critical mobile devices of today calls for far more than a simple AV licence or some encryption software.
How long it will be before the virtualisation movement takes off is uncertain, but it seems a potential solution to a complex series of issues – watch this space.
The future of the endpoint
As consumerisation of technology gathers speed, the rate of digital change will continue apace. Content and services will be consumed in as yet unknown ways, driven by consumers at the cutting edge of mobile technology. The explosion in iPhone apps may point the way, with always-on feeds hooked into a variety of media providing a personalised digital experience. Launches such as Google's Latitude show that location-based services are coming of age, and the technical interface work will soon be widely available.
The days of a mobile device consisting of a screen and keyboard are already gone. Touchscreens are ubiquitous, and the era of wireless, “wearable” devices is around the corner.
This heady combination will be accompanied by increased virtualisation in the business world. It seems to offer a panacea: browser-accessed secure desktops, complete with the relevant policies for each employee. That solves one key problem but creates many others, because implementing a full virtual environment is prohibitively expensive and complex. In return it offers a centrally managed model of access, would make savings on desktop management and, critically, would allow employees to reach their systems through a browser on any device.
The key to enterprise security is unlikely to change – helping users to work effectively, employing a blend of security technologies.
The Obama BlackBerry
Email and US politics can be a dangerous mix, and the latest White House furore concerns President Obama's wish to use a BlackBerry to stay in the loop. “I'm still clinging to my BlackBerry,” he told CNBC. “They're going to pry it out of my hands.”
The potential security threat of a mobile device with the US president's email on it threw officials into disarray, and only recently was it confirmed that the president would continue to use his beloved device, but only for “personal” email.
The president's BlackBerry is likely to be a modified version, following a US Defense Department project to produce NSA-approved BlackBerry-style devices.
The world's most valuable endpoint is to be subject to a series of additional policies, according to experts. Likely steps are to ensure that no classified data is stored on the device, and certainly not unencrypted, and restricting web browsing permissions. The president's email address will be kept private, known only to a select group of friends and advisers.
However, notorious hacker Kevin Mitnick told US media that Obama's device might still be attacked. One method, he said, would be a targeted email containing a link to a browser exploit.
Case study: T-Mobile
One way of ensuring that only authorised users reach the network, whatever endpoint they happen to be using, including unmanaged devices such as consumer mobiles or home PCs, is to deploy strong authentication: lock down external access to the corporate VPN and enforce policy-driven access. Mobile operator T-Mobile chose this route to secure a roaming UK head-office workforce of more than 3,400.
As one of the world's largest mobile operators, T-Mobile needed remote access to internal systems for business reasons, and was also keen to be seen as an innovator.
Darren Westmore, project manager, T-Mobile, said: “Three years ago, we heard about a two-factor mobile authentication product from SecurEnvoy that used SMS messages instead of traditional token-based codes. Both to optimise our own processes, and to espouse the potential of mobile technology, this product seemed to be a great fit.”
Previously, T-Mobile had used RSA tokens to authenticate remote access. Westmore said: “It was a simple business case – we compared the costs of adopting the new system against the yearly cost of replacing the RSA fobs.”
SecurEnvoy ran a three-year pilot involving 5,000 T-Mobile staff. The solution interfaces with the customer's existing employee database and sends an SMS containing a six-digit code to each user's registered mobile. This code, in addition to the usual username and password, grants access to business systems for a period set according to the company's needs. SecurEnvoy founder Steve Watts said: “Some NHS trusts want each code to last just a few minutes, while their community care staff sometimes need a validity period of a week or more.”
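The pilot described above boils down to a small piece of server-side logic: generate a short code, deliver it out of band, bind it to the user, and accept it once within a policy-set window. The following is an added illustration of that pattern written for this page; it is not SecurEnvoy's or T-Mobile's code, and the `SmsOtpService` class, the `send_sms` gateway callback, the phone numbers and the five-attempt limit are all assumptions made here. It also covers the points a practitioner would check: the code is stored only as a salted hash, compared in constant time, expires, is single-use, and is discarded after repeated wrong guesses.

```python
"""SMS one-time code as a second factor, with a policy-driven validity period.

Added illustration, not SecurEnvoy's or T-Mobile's code. The SMS gateway,
the user store and the phone numbers are stand-ins constructed for this example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6     # the article describes a six-digit code
MAX_ATTEMPTS = 5    # assumed: wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    code_hash: bytes    # salted SHA-256 of the code; the plaintext is never stored
    salt: bytes
    expires_at: float   # absolute time (seconds) after which the code is dead
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


class SmsOtpService:
    """Issues and checks SMS codes. `send_sms(number, text)` is a hypothetical
    gateway callback; `clock` is injectable so expiry can be exercised offline."""

    def __init__(self, send_sms, validity_seconds: int = 300, clock=time.time):
        self._send_sms = send_sms
        self._validity = validity_seconds   # a few minutes for one site, a week for another
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}

    def issue(self, username: str, phone_number: str) -> float:
        """Generate a fresh code and text it. Call this only after the first
        factor (username and password) has been verified, so that knowing a
        username alone does not let an attacker flood the victim's phone.
        Returns the expiry time so a login page can show a countdown."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + self._validity
        # Re-issuing replaces any earlier code, so only one is live per user.
        self._pending[username] = PendingCode(_hash_code(code, salt), salt, expires_at)
        self._send_sms(phone_number, f"Your login code is {code}")
        return expires_at

    def verify(self, username: str, submitted: str) -> str:
        """Returns 'ok', 'no_code', 'expired', 'locked' or 'invalid'.
        A code is single-use: every terminal outcome removes it."""
        pending = self._pending.get(username)
        if pending is None:
            return "no_code"
        if self._clock() > pending.expires_at:
            del self._pending[username]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]     # 10^6 codes is a small space to brute-force
            return "locked"
        # Compare digests in constant time rather than comparing the strings.
        if hmac.compare_digest(_hash_code(submitted, pending.salt), pending.code_hash):
            del self._pending[username]
            return "ok"
        return "invalid"


if __name__ == "__main__":
    outbox = []   # stands in for the SMS gateway; the message is captured, not sent
    svc = SmsOtpService(lambda number, text: outbox.append(text), validity_seconds=300)
    svc.issue("alice", "+44 7700 900123")   # constructed number from a non-allocated UK range
    code = outbox[-1].split()[-1]
    print(svc.verify("alice", "123456" if code != "123456" else "654321"))  # invalid
    print(svc.verify("alice", code))        # ok
    print(svc.verify("alice", code))        # no_code: the code was single-use
```

The validity period is the knob Watts's quote is about: a few minutes for an office VPN, longer for staff who may be somewhere with poor signal when they need to log in. Whatever the window, a code should be issued only after the password has been checked; otherwise anyone who knows a username can make the system text the victim at will.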
Westmore says the scheme has many benefits: “It works well internationally, and has significantly cut down on admin and hardware costs. People are far less likely to lose their mobile phones than their SecurID, so it's a great fit.”