Reducing risk at the endpoint: A practical framework
- By Simon Clephan
- Dec 12, 2018
Data privacy issues, for both government agencies and private enterprises, continue to be at the forefront of new initiatives to add more protection for individuals. These initiatives are taking shape in today’s environment of proliferating endpoint devices (including the internet of things), more cloud workloads and increased anxiety on the part of the public that current security practices aren’t working.
One of the newer initiatives is a cooperative project announced by the National Institute of Standards and Technology to develop a voluntary privacy framework to help organizations manage risk. “The development of a privacy framework through an open process of stakeholder engagement is intended to deliver practical tools that allow continued U.S. innovation, together with stronger privacy protections,” NIST Director Walter G. Copan said.
Contributions to the endpoint practical framework
Creating a framework for practical tools to further secure data privacy is encouraging. Within this framework federal agencies are tackling a number of challenges, two of the most immediate being the diversity of endpoint devices now in use and the need to ensure data privacy while moving more operations to the cloud.
The Continuous Diagnostics and Mitigation approach, which supports a four-phase method to better identify threats and mitigate risk, is another step in the right direction. After scrutinizing what is on a network, who is on the network and what is happening on the network, the last phase asks how data is protected. That question is one that keeps IT security staff up at night. Networks now contain a mixture of devices, including aging hardware, newer software assets and IoT devices. Most likely, an agency is managing assets with varying operating systems, access controls and monitoring in place. This creates an opportunity-rich environment for new threats to succeed.
Better security at the endpoint
All branches of the U.S. government are facing this complex challenge of getting a clearer picture of all assets affecting network security. Since the endpoint now entails so many different devices, security today requires even greater vigilance.
Tightening up security at the endpoint, therefore, means re-examining hardware and software assets and reviewing the options available to improve endpoint security while containing costs, preserving workflow performance and improving data security.
Here are five practical areas that will enhance endpoint security and further guard data privacy:
1. Hardware refresh. Options such as refreshing existing desktops to improve performance and security are costly and often a barrier to adopting more advanced endpoint technology. Look at less costly software options that can extend the life of existing hardware and convert these assets into modern, securely managed endpoints. It is possible to convert any x86-based machine into a fully functional, advanced thin client device that enables agencies to move to a virtualized desktop infrastructure and support modern security standards.
2. Endpoint visibility. Multiple types of endpoint devices and locations expand the attack surface, and are a recipe for increased threats. Endpoint management is the first defense against these risks. By instituting automated, centralized management with software tools, IT staff can manage endpoints in diverse operating systems and in remote locations. This centralization helps control against rogue devices and reduces the risk of a shadow IT-generated breach. In concert with thorough asset management, IT should have a complete picture of all endpoints in use -- with access to the network -- and be able to flag any anomalies to contain possible threats. Through automated backend control, IT can quickly configure specific, granular security policies, push out firmware updates according to policy rules and modify access policies as needed.
3. Linux rules. Linux is considered to have superior security and the support of legions of innovative developers. It also features an inclusionary, open-source model that promotes community testing of new apps and finds bugs before widespread deployment. Thus, Linux further helps prevent threats from becoming disruptive events. Linux products are known to be used by the Defense Department, the Navy, the Federal Aviation Administration and scores of other public-sector agencies in the U.S. and abroad.
At the endpoint, those devices running on a Linux OS, including the growing number of IoT and mobile devices, have the benefit of improved security features. Linux is very resistant to viruses and other malware, making it much more secure than Windows. It also enables IT staff to customize applications to provide direct updates and patches that have been tested for stability by endpoint developers.
Government agencies looking to refresh existing hardware assets with endpoint management software, or planning new acquisitions in software managed endpoints, should examine the benefits of Linux OS-powered endpoints as an effective threat defense.
4. Windows in the data center. Linux belongs at the endpoint, where its OS can provide a secure, flexible computing environment that is highly resistant to attacks like malware. Windows, on the other hand, belongs in the data center, where it can be more effectively managed, protected from outside attacks and optimized for application and desktop delivery. On user devices, Windows is much more vulnerable to security threats, requires the latest hardware investments to deliver user-expected performance and is much harder to manage as workers roam about freely. Moving Windows to the data center will also benefit performance, since the inevitable cycle of Windows patching and updates will no longer slow user productivity. Users would no longer have to wait while their systems update or worry that their endpoint could be compromised by the latest ransomware. Plus, because workloads move from the endpoint to the data center, users will have faster logons, quicker application loading, more consistent operation and overall higher performance.
5. Enhanced user controls. To further ensure data privacy, agencies should look to the universe of access controls and authentication applications to add the next layer of security. Technology providers can provide digital identity assurance features at the endpoint that enable secure user authentication via smartcard readers. The technology uses identity, signing and encryption certificates -- for government agencies a triple-play defense against unauthorized access to data. Additionally, access controls can be used to limit data and application access based on location. Remote and mobile devices introduce new threats, as workers may access files via unsecured Wi-Fi networks or out-of-network environments in the home.
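Item 2 above argues that centralized management plus thorough asset management should let IT see every endpoint with network access, flag anomalies such as rogue devices, and push firmware updates according to policy rules. The following is an added example (not code from the article or any product it mentions) of the reconciliation step behind that: it parses constructed DHCP lease lines in the ISC dhcpd syslog style, compares what was seen against a constructed asset inventory, and reports unknown devices, devices appearing at the wrong site, inventoried devices that never showed up, and devices whose recorded firmware is below a constructed minimum-version policy. Inventory, log lines, site mapping and policy values are all assumptions for illustration.

```python
"""Reconcile an endpoint inventory against DHCP leases observed on the network.

Added example, not part of the original article. All data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: what IT believes is on the network, keyed by MAC.
INVENTORY = {
    "00:11:22:aa:bb:01": {"host": "thinclient-101", "os": "linux", "firmware": "3.2.1", "site": "hq"},
    "00:11:22:aa:bb:02": {"host": "thinclient-102", "os": "linux", "firmware": "3.1.0", "site": "hq"},
    "00:11:22:aa:bb:03": {"host": "printer-7", "os": "embedded", "firmware": "1.4", "site": "branch"},
}

# Constructed policy: minimum firmware version per OS class.
MIN_FIRMWARE = {"linux": "3.2.0", "embedded": "1.4"}

# Constructed mapping from DHCP server interface to physical site.
IFACE_SITE = {"eth0": "hq", "eth1": "branch"}

# Constructed lease log lines in ISC dhcpd syslog style.
DHCP_LOG = """\
Dec 12 08:01:13 dhcp1 dhcpd: DHCPACK on 10.10.1.21 to 00:11:22:aa:bb:01 (thinclient-101) via eth0
Dec 12 08:02:44 dhcp1 dhcpd: DHCPACK on 10.10.1.22 to 00:11:22:aa:bb:02 (thinclient-102) via eth0
Dec 12 08:05:09 dhcp1 dhcpd: DHCPACK on 10.10.1.37 to de:ad:be:ef:00:01 (android-9f2c) via eth0
Dec 12 08:07:51 dhcp1 dhcpd: DHCPACK on 10.10.2.14 to 00:11:22:aa:bb:03 (printer-7) via eth1
Dec 12 08:09:30 dhcp1 dhcpd: DHCPACK on 10.10.1.40 to 00:11:22:aa:bb:02 (thinclient-102) via eth0
"""

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17}) "
    r"\((?P<name>[^)]*)\) via (?P<iface>\S+)"
)


@dataclass
class Finding:
    mac: str
    kind: str
    detail: str


def parse_leases(log_text):
    """Extract (ip, mac, name, iface) dicts from DHCPACK lines; other lines are ignored."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(m.groupdict())
    return leases


def version_tuple(version):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def reconcile(inventory, leases, min_firmware, iface_site):
    """Compare observed leases with the inventory and the firmware policy."""
    findings = []
    seen = set()
    for lease in leases:
        mac = lease["mac"]
        seen.add(mac)
        asset = inventory.get(mac)
        if asset is None:
            # A MAC with a lease that IT has no record of: possible rogue or shadow-IT device.
            findings.append(Finding(mac, "unknown_device",
                                    f"{lease['name']} at {lease['ip']} is not in inventory"))
            continue
        site = iface_site.get(lease["iface"], "unknown")
        if site != asset["site"]:
            findings.append(Finding(mac, "unexpected_site",
                                    f"{asset['host']} seen at {site}, expected {asset['site']}"))
        if lease["name"] != asset["host"]:
            findings.append(Finding(mac, "hostname_mismatch",
                                    f"lease name {lease['name']!r} != inventory {asset['host']!r}"))
    for mac, asset in inventory.items():
        minimum = min_firmware.get(asset["os"])
        if minimum and version_tuple(asset["firmware"]) < version_tuple(minimum):
            # Candidate for a policy-driven firmware push from the management backend.
            findings.append(Finding(mac, "firmware_below_policy",
                                    f"{asset['host']} runs {asset['firmware']}, policy requires >= {minimum}"))
        if mac not in seen:
            findings.append(Finding(mac, "not_seen",
                                    f"{asset['host']} had no lease in this log window"))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, parse_leases(DHCP_LOG), MIN_FIRMWARE, IFACE_SITE):
        print(f"{f.kind:22} {f.mac}  {f.detail}")
```

On the constructed data this reports one unknown device (the `de:ad:be:ef:00:01` lease) and one thin client whose firmware 3.1.0 is below the 3.2.0 policy minimum; the same MAC receiving two addresses in a short window is left unflagged here but is a common extra check. In practice the inventory would come from the management backend and the leases from a log pipeline or the DHCP server itself, with the `unknown_device` findings feeding the containment step the article describes.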
Secure endpoints of the future
Gartner foresees double-digit growth in government use of public cloud services, with spending forecast to grow on average 17.1 percent per year through 2021. However, Gartner reports, data privacy/security, lack of features and concerns about vendor lock-in are still holding back adoption. These concerns, according to Gartner, will drive private cloud deployment.
Public or private cloud, the secure transmission of data between the endpoint device and the cloud is a priority. A recently published IDC InfoBrief, “Linux and the Thin Client Management Market,” states that “global cloud infrastructure expansion is driving growth in underlying endpoint hardware and software that facilitates cloud access in reliable and secure ways.”
As agencies plan more migration to the cloud, they must reassess their endpoint devices. This includes looking at a secure Linux OS and at centralized management as two elements that will improve data security. In the larger picture, it's a good time for agencies to identify hardware assets that can be refreshed to more modern, secure endpoints, and if making new investments, they should consider a Linux-based endpoint OS. The secure endpoint of the future needs the resources of Linux's open-source community, which thinks ahead to the next technological breakthrough.
With users working from everywhere and relying on the cloud, tightening control over all devices and carefully enforcing authentication controls will help ensure data privacy while giving users the freedom of device choice they expect today.