Q&A: Endpoint Security for Unknown Devices

How can IT managers secure endpoints over which they have no control?

How can IT managers secure endpoints they don’t control? That’s an important question, since current endpoint security discussions, including those about initiatives such as Cisco’s Network Admission Control (NAC) and Microsoft’s Network Access Protection (NAP), focus on ensuring known PCs meet minimum-security standards (such as the latest antivirus definitions, or an operational software firewall).

Yet truly improving endpoint security will also require vetting machines from other organizations, and business partners, over which an IT department might not have carte blanche control. To discuss assessing these so-called transient devices, Security Strategies spoke with Mark Elliott, vice president of product management for SSL VPN vendor Permeo Technologies Inc.

What’s missing in current endpoint security discussions?

One of the things that very few people talk about when they talk about endpoint security is how do you manage devices that you don’t know about?

More devices [today] are designed around extranet access—employees running [browsers] from home PCs, supply-chain partners, a customer or partner coming in from a kiosk. The safe assumption used to be … [for example] seven or eight years ago, when I was working at Checkpoint, and we were doing the original release of IPsec VPN, it was mostly just extending access to corporate

Access into an enterprise now is so much more complex, and extending that access, using encryption and endpoint security, is really tricky.

So an endpoint security plan needs to also include provisions for dealing with unknown devices?

If you look at the endpoint-security universe, certainly securing transient users or transient devices, or devices that aren’t managed by IT, is a portion of that [paradigm]. … When we talk to enterprises, oftentimes the context is, how do we do this for devices we don’t control? We know who the person is, but we don’t know the machine. …

For example, imagine if you’re a company and you’ve got not only your employees accessing the network, but your third-party partners and so on, and you want to do a check on them as well. Well, what happens if their antivirus is out of date? Do you give them a subscription to update their antivirus signatures to get them out of the VPN quarantine?

I think unmanaged or transient devices—call them what you will—and trying to provide endpoint security services around them, are even more challenging than the thick blob of applications that are installed on an employee’s PC and managed by IT.

What are some ways of addressing endpoint security for transient devices?

Either companies are going to have to have some sort of agreement in principle with a business partner, to give them some sort of administrative rights over that machine, or they direct that partner to do certain things to that machine to improve its security. Or you need to use some sort of automated tools to apply those controls, but those tools need to be delivered on the fly, because you can’t expect those people to do a discrete installation. … Either that or someone is going to need to take advantage of whatever software inventory is on that machine.

But there’s still a policy element, and who’s going to set that policy element and how does that get to the machine? It’s a very complex challenge for anyone who extends information access to non-employees coming in on non-corporate assets … And to attain that, to date, a lot of people have used policies and procedures and contracts, but I think clearly having automated tools or technology would certainly improve that—the trust but verify concept.

Yet isn’t it difficult for organizations to guarantee how information is safeguarded once it’s on a remote machine?

There was [a recent] article about T-Mobile being hacked, a year ago. … Evidently a hacker just pleaded guilty to hacking into T-Mobile, and I’m guessing he got onto some machines, I’m guessing they held e-mail, and he grabbed about 400 Social Security numbers, and also some … information from a Secret Service agent. … There was an interesting paragraph in that article that said the Secret Service has a policy that doesn’t allow their information to go … to third-party machines. So there’s a very good example of information jumping from an IT-managed machine; it’s leaked out onto other devices. Even though there was a policy in place, there wasn’t a tool to help enforce that policy. And I think you will see policies that begin to address those.

Now, more of our customers are starting to follow the link from the user to the information-access chain. I think some of this is driven by the regulatory side—HIPAA and Sarbanes-Oxley.

Traditionally in IT, it’s been about encrypting the data that’s delivered over the network, when really, that’s only the first element in securely delivering information to the user, and even more importantly, ensuring that data is disposed of when the user is done with it. I mean, there are document shredders, there are bonded companies for document disposal. [But on the PC], is it cached, is there spyware copying it off someplace, does it linger in a temp file, is it printed? I’m seeing more and more interest from companies, to follow the information from end to end.

So regulations are helping drive this shift?

They’re really starting to focus a spotlight on information, rather than just what kind of encryption the SSL VPN uses; it’s a bigger issue than that, and really about following information delivery, consumption, and the whole life cycle, if you will.

How do SSL VPNs play into that?

If SSL VPN vendors don’t provide that solution, or integrate with solutions that allow you to do more than just delivering encrypted data to these other endpoints, then they’re not going to be successful going forward. …

And [today] we’re really seeing some demands for going from just hosting to quarantining … and there are other elements that come into play. When a device connects to the network, we want to know. We also need to make sure information is disposed of, for example.

How can an SSL VPN dispose of information left from a browser session?

In the very simplest case, there are products on the market now that will cleanse the browser cache. That’s a … first step for making sure there aren’t remnants of that session left on the browser—whether it’s a browser on a PC in a cyber cafe, or a kiosk at a technology conference.

What’s the danger?

That spyware would go and do a crawl and find machines that aren’t very secure, perhaps like a kiosk machine, and perhaps walk around the session files, just looking around, kind of like electronic dumpster diving.

So, for example, spyware might troll for numbers that look like Social Security numbers?

Exactly. There’s some of that out there already; there are some Web security vendors that will look for Social-Security-like formats and try to cleanse those.
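The cache-cleansing and SSN-format scanning described in the last two answers, as an added example (not Permeo's product or any vendor's code): it walks a constructed session cache directory, redacts strings that fit the Social Security number structure, and skips digit runs that match the pattern but cannot be valid numbers. The directory layout and file names are assumptions.

```python
import os
import re
import tempfile

# Added example, not any vendor's code: scan files a browser session may leave
# behind (cache, temp files) for SSN-like strings and redact them in place.
# Format rules follow the SSA's published structure: area 001-899 except 666,
# group 01-99, serial 0001-9999.  Groups: area, separator, group, serial.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")

def looks_like_ssn(area, group, serial):
    """Reject values that fit the digit pattern but cannot be a valid SSN."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)

def redact_ssn_like(text):
    """Return (redacted text, redaction count); last four digits kept for audit correlation."""
    count = 0
    def _sub(m):
        nonlocal count
        if not looks_like_ssn(m.group(1), m.group(3), m.group(4)):
            return m.group(0)
        count += 1
        return "***-**-" + m.group(4)
    return SSN_RE.sub(_sub, text), count

def cleanse_session_dir(path):
    """Walk a session cache directory, redact SSN-like strings, return per-file counts."""
    report = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                data = fh.read()
            cleaned, n = redact_ssn_like(data)
            if n:  # rewrite only files that actually held something
                with open(full, "w", encoding="utf-8") as fh:
                    fh.write(cleaned)
                report[name] = n
    return report

def demo():
    """Constructed sample cache: one page with two SSN-like values plus an invalid one, one clean file."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "cache_001.html"), "w", encoding="utf-8") as fh:
        fh.write("<td>123-45-6789</td><td>321 54 9876</td><td>000-12-3456</td>")
    with open(os.path.join(d, "tmp_form.txt"), "w", encoding="utf-8") as fh:
        fh.write("order 123456 total 45.67")
    return cleanse_session_dir(d)
```

Redaction rather than deletion keeps the cache usable for the rest of the session; a real cleanser would also remove the files when the session ends.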

Is there a crossover with ActiveX browser controls, or even digital rights management?

[Yes] … at least for the customer base and enterprises that we serve. So many of them [have] unmanaged devices accessing their information that [a software control] has to be either ActiveX or Java. Really, it’s about transient security services—[security software is] there, it does its work while the person is accessing the network, and then it goes away—just because access is getting so much more complex.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.