Five Steps to Enforcing Your Endpoint Security

Your security policy has to have teeth. Here's how to enforce your endpoint security policy.

The network perimeter is expanding, thanks to technology such as laptops, SSL, VPNs, and wireless access points. However, as useful as those tools are, they also increase the exposure to risk.

With these unprecedented access opportunities, PCs bring viruses, hackers, unpatched software, and unapproved applications into your network easily. Security incidents resulting from any of these threats cost time, money, and your company's reputation—not to mention your personal reputation as an IT professional.

Why is endpoint security posture frequently so poor, despite existing security investments such as antivirus and IDS, and corporate policies concerning patches or unapproved software? The truth is that the value of security policies and technologies is only theoretical if you can't ensure that they're enforced at all times.

To put it bluntly: security policy is all talk unless it has teeth—unless it can enforce compliance. Toothless is useless. Indeed, having a policy without enforcing it is worse than having no policy at all, as your false sense of security can make you complacent.

An Endpoint Policy Framework

The solution is to force compliance with policies as a condition for network access. In fact, that itself is your most fundamental policy. Here are four suggestions for constructing it:

  1. Policy: Only properly configured and secured PCs may access the network.
  2. Objective: Ensure confidentiality, availability, and integrity of endpoints and networks.
  3. Standard: The PC must pass configuration check before and during access.
  4. Guidelines: Leverage existing security and IT investments; maintain IT and end-user productivity.

Regarding the last point (about end-user productivity), keep in mind that remediation is as important as restriction. If you lock a user out, you've secured the network but caused a help-desk incident. You can't "just say no"—you still have to bring the user back into compliance so they can get back to work.

With this policy in place, network access is conditional on the secure state of the endpoint PC. Now you can move on to defining that secure state, and actually enforcing policy on your endpoints.

Steps to Endpoint Policy Enforcement

I suggest the following five steps to enforce your endpoint policy:

Step 1. Define the detailed policy. Define what endpoint integrity means for your enterprise. In other words, which specific policy elements do you need to enforce? A functioning endpoint firewall? Up-to-date antivirus? Your initial objective is to reduce risk without IT impact. You don't need to make this definition perfect your first time out; it's an iterative process, as implied in step 5.

Step 2. Select and deploy tools. You'll need to select and deploy a solution that ensures that any endpoint that accesses your network complies with this policy. The solution must have a presence on every endpoint PC so that it can accept a centrally defined security policy, check the PC for compliance with all policy elements, and quarantine out-of-compliance machines until they're brought back into full compliance.

Furthermore, you need a solution that can't be disabled by end users, even if they have local administrative privileges on their PCs.

Finally, choose technology that offers both an installed agent and an "agentless" mode. For example, solutions exist that dynamically download and run an ActiveX control on any PC that accesses a private network via a Web connection (e.g., SSL VPN or Outlook Web interface). This protects your network from PCs you directly control as well as from guest PCs.

Step 3. Create access rules and implement the restriction mechanism. Whenever possible, leverage your network gateways to restrict access based on integration with your policy enforcement solution. Using a gateway as a chokepoint ensures that the enforcement agent itself is installed and operating. Choose a solution that integrates with switches and other network gateways through an open standard such as 802.1X, rather than a proprietary protocol, in order to avoid vendor lock-in.

Step 4. Establish the self-service remediation process. Provide self-service resources for your out-of-compliance users to get back in compliance quickly so they stay productive and don't burden your support staff. The remediation process must be very easy for users to handle on their own, and they need to understand what's happening during remediation so they don't call the help desk. Like your endpoint technology, your remediation solution must itself be secure and unable to be bypassed.

Step 5. Monitor compliance and adjust your policy. Use your tools to check employees' compliance. Is their access often barred due to prohibited applications? Is frequent non-compliance of your mobile sales force due to overly restrictive rules? Security policies evolve and change over time. You'll mandate updated versions of applications, and perhaps you'll allow certain groups greater leeway—say, remote sales engineers who can be trusted with greater responsibility for their PC security.
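The five steps above fit together as one loop: a centrally defined policy, an agent that reports the endpoint's posture, a decision that places the PC on the corporate network or in quarantine, remediation instructions for anything that failed, and a report that shows which rules are blocking people so the policy can be tuned. The following Python model is an added example, not code from the article or from Zone Labs; the rule names, the group "remote_sales_engineers", the VLAN names, the signature-age limit, and the posture reports are all constructed for illustration, and a real agent would collect the posture fields from the operating system rather than from a dictionary.

```python
"""Minimal endpoint policy-enforcement engine (added example, not the
article's or Zone Labs' code).  Step 1: a central POLICY of checks.
Step 2: evaluate() checks an agent-reported posture against every rule and
quarantines on any failure.  Step 3: the decision carries the network
segment a gateway should enforce.  Step 4: each failed rule yields a
self-service remediation instruction.  Step 5: compliance_report() shows
which rules block access most and per-group quarantine rates.
All names, limits and posture data below are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from typing import Callable

TODAY = date(2024, 6, 10)                 # fixed so the example is deterministic
MAX_SIGNATURE_AGE_DAYS = 3                # constructed policy limit
PROHIBITED_APPS = {"p2p-share", "unapproved-remote-tool"}   # constructed names


@dataclass(frozen=True)
class Rule:
    rule_id: str
    check: Callable[[dict], bool]         # True when the endpoint complies
    remediation: str                      # shown to the user while quarantined


# Step 1: the detailed policy, defined once and pushed to every agent.
POLICY = [
    Rule("agent_tamper_protected", lambda p: p.get("agent_tamper_protected") is True,
         "Reinstall the endpoint agent from the self-service portal."),
    Rule("firewall_enabled", lambda p: p.get("firewall_enabled") is True,
         "Turn on the host firewall."),
    Rule("antivirus_running", lambda p: p.get("antivirus", {}).get("running") is True,
         "Start the antivirus service."),
    Rule("antivirus_signatures_fresh",
         lambda p: (TODAY - p.get("antivirus", {}).get("signature_date", date.min)).days
         <= MAX_SIGNATURE_AGE_DAYS,
         "Run an antivirus signature update."),
    Rule("no_missing_critical_patches", lambda p: p.get("missing_critical_patches", 1) == 0,
         "Run the patch tool and install all critical patches."),
    Rule("no_prohibited_apps",
         lambda p: not (set(p.get("installed_apps", [])) & PROHIBITED_APPS),
         "Uninstall the prohibited applications listed by the agent."),
]

# Step 5 leeway: a trusted group may be exempted from specific rules (constructed).
GROUP_EXEMPTIONS = {"remote_sales_engineers": {"no_prohibited_apps"}}
# Step 3: segment the gateway places the endpoint in (constructed VLAN names).
SEGMENT_FOR = {"allow": "corp-vlan", "quarantine": "remediation-vlan"}


@dataclass
class Decision:
    endpoint: str
    group: str
    access: str                                  # "allow" or "quarantine"
    segment: str
    failed: list = field(default_factory=list)   # ids of rules that failed
    remediation: list = field(default_factory=list)


def evaluate(posture: dict) -> Decision:
    """Check every policy element; any failure means quarantine plus fixes."""
    group = posture.get("group", "default")
    exempt = GROUP_EXEMPTIONS.get(group, set())
    failed, fixes = [], []
    for rule in POLICY:
        if rule.rule_id in exempt:
            continue
        try:
            ok = rule.check(posture)
        except Exception:                        # malformed report counts as a failure
            ok = False
        if not ok:
            failed.append(rule.rule_id)
            fixes.append(f"{rule.rule_id}: {rule.remediation}")
    access = "allow" if not failed else "quarantine"
    return Decision(posture["endpoint"], group, access, SEGMENT_FOR[access], failed, fixes)


def compliance_report(decisions: list) -> dict:
    """Failures per rule and quarantine rate per group, for tuning the policy."""
    by_rule = Counter(r for d in decisions for r in d.failed)
    totals, quarantined = Counter(), Counter()
    for d in decisions:
        totals[d.group] += 1
        quarantined[d.group] += d.access == "quarantine"
    rates = {g: round(quarantined[g] / totals[g], 2) for g in totals}
    return {"failures_by_rule": dict(by_rule), "quarantine_rate_by_group": rates}


# Constructed posture reports, as an agent would send them to the policy server.
SAMPLE_POSTURES = [
    {"endpoint": "pc-001", "group": "default", "agent_tamper_protected": True,
     "firewall_enabled": True, "antivirus": {"running": True, "signature_date": date(2024, 6, 9)},
     "missing_critical_patches": 0, "installed_apps": ["office", "browser"]},
    {"endpoint": "pc-002", "group": "default", "agent_tamper_protected": True,
     "firewall_enabled": False, "antivirus": {"running": True, "signature_date": date(2024, 6, 1)},
     "missing_critical_patches": 2, "installed_apps": ["office"]},
    {"endpoint": "pc-003", "group": "remote_sales_engineers", "agent_tamper_protected": True,
     "firewall_enabled": True, "antivirus": {"running": True, "signature_date": date(2024, 6, 10)},
     "missing_critical_patches": 0, "installed_apps": ["office", "p2p-share"]},
    {"endpoint": "pc-004", "group": "default", "agent_tamper_protected": False,
     "firewall_enabled": True, "antivirus": {"running": False},
     "missing_critical_patches": 0, "installed_apps": ["office", "p2p-share"]},
]


def run_sample() -> dict:
    decisions = [evaluate(p) for p in SAMPLE_POSTURES]
    for d in decisions:
        print(f"{d.endpoint:7} {d.access:10} -> {d.segment}")
        for fix in d.remediation:
            print("   ", fix)
    return compliance_report(decisions)


if __name__ == "__main__":
    print(run_sample())
```

Two design points worth noting. The tamper-protection check comes first because every other check is only as trustworthy as the agent reporting it, which is the point of Step 2's "can't be disabled by end users"; a report that is malformed or missing a field is treated as a failure rather than a pass, so a broken agent cannot silently grant access. The per-group quarantine rate is what Step 5 asks for: if one group is quarantined far more often than the rest, the rule that keeps tripping it is the candidate for adjustment or a scoped exemption.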

Whatever policies you create for your unique environment, at least they'll now have bite.

About the Author

Frederick Felman is Vice President of Marketing at Zone Labs and has more than 18 years experience in marketing software and services. During his time with Zone Labs, Mr. Felman launched several key products, helping to define Zone Labs' enterprise product, Zone Labs Integrity.