Sysadmin blog
So you want to know about security? Well you have come to the right place. I have been here for a while and I can tell you that outside these gates it’s full of cowboys, sharks and pirates, none of whom will hesitate to take what is yours and call it their own.
The above is a quote from a brochure I wrote in an attempt to connect with small and medium-sized enterprise (SME) owners and CEOs on the topic of endpoint security.
It wasn't my best work ever, which might explain why it never saw the light of day. But the point I tried to get across is as important now as it was when I wrote it five years ago: you need to protect your endpoints.
Other people's property
Protecting endpoints is not just about locking down your company network or securing your gateways and edge devices. These days, given the multitudinous and ever-expanding gamut of devices we need to support, we have to broaden the notion of an endpoint.
For my money, anything on your network that is potentially exposed to the internet counts as an endpoint.
It used to be a lot simpler. In days gone by it was enough to simply block internet access through the corporate network. You could buy and install the mother of all firewalls and disable all user-accessible physical ports on their desktops.
Those strategies just aren't enough any more, given the consumerisation of IT and the rise of BYOD (bring your own device). Now, we have to contend with working out how to lock down a device we do not own.
Allowing data access on a device owned by a user is a sysadmin's worst nightmare. How certain are you that they aren't infected with the latest version of the zombie-making plague? How much do you trust that smarmy vendor who sold you the bargain-basement endpoint security software?
Do you trust the users to actually take an active role in managing their security? Really? How much do you trust them not to try to surf porn during their lunch break?
In a perfect world, most IT departments would already have identified the risks and mapped out strategies for dealing with these threats and eventualities.
But few SMEs have an IT department. Those that do often don't have a sysadmin or lack the resources to run testing. When you are dealing with an SME, you need a single strategy that can be tested and implemented easily and that will work for everyone.
Count to three
I have found that a three-point defence is generally the best way to go, but which three prongs? I am so glad you asked.
The first is exclusivity. Allowing everyone from the CEO down to bring in their own devices will overwhelm the finite resources an SME has for dealing with them.
Nobody for whom this isn't a business-breaking imperative gets to play BYOD. This isn't just about the threats that they can introduce to your business, though. It is also about the additional costs in licensing that you may incur.
Thinking about BYOD because it is supposed to be cheaper? You might want to check the fine print on your current licences, and the additional ones you may need to purchase. Exclusivity just makes sense from every angle.
The second prong is locking everything down. In each company I work with all static endpoints are treated as untrusted, so when adding mobile and BYOD endpoints we treat them no differently.
This is just good security policy. Everything that can run standalone endpoint security gets it. Anything that can't do this is barred from access to the internet, direct or indirect.
If you are in any company large enough to have a server, you should be running a unified threat management appliance, whether physical or virtual. Take advantage of your ability to white- and blacklist sites. This will save your ASCII more often than you might think.
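The two rules in this prong (BYOD only where the business needs it, and no internet for anything that cannot run standalone endpoint security) plus the site white- and blacklisting on the appliance can be written down as policy code so they are testable rather than tribal knowledge. The following is an added example, not the column's or any vendor's code: the device records, the domain lists and the zone names are constructed, and the matching rule (the more specific list entry wins, a tie blocks, and an unmatched host falls to a configurable default) is an assumption, not how any particular UTM product behaves.

```python
"""Added example: encode the column's lock-down rules as testable policy.
Every endpoint is untrusted; BYOD only where the business needs it; no
standalone endpoint security means no internet; the appliance decides
per-site access from allow and block lists. All data here is constructed."""

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Endpoint:
    name: str
    byod: bool
    has_endpoint_security: bool   # runs standalone endpoint protection
    business_critical: bool       # BYOD is only tolerated where it is a business imperative


def network_decision(ep: Endpoint) -> str:
    """Prongs one and two as a single decision per device.

    Returns one of three constructed zone names:
      deny                 - BYOD without a business-breaking need: not on the network
      lan-only             - no standalone endpoint security: no internet, direct or indirect
      restricted-internet  - internet only through the filtering appliance
    """
    if ep.byod and not ep.business_critical:
        return "deny"
    if not ep.has_endpoint_security:
        return "lan-only"
    return "restricted-internet"


def domain_matches(host: str, rule: str) -> bool:
    """True when host equals the rule or is a subdomain of it.

    The leading dot in the suffix check stops 'notexample.com' from matching
    an 'example.com' rule, a classic mistake in hand-rolled filters."""
    host = host.lower().rstrip(".")
    rule = rule.lower().rstrip(".")
    return host == rule or host.endswith("." + rule)


def _best_match(host: str, rules: Iterable[str]) -> Optional[str]:
    """Most specific (longest) matching rule from a list, or None."""
    hits = [r for r in rules if domain_matches(host, r)]
    return max(hits, key=len) if hits else None


def url_filter(host: str, allowlist: Iterable[str], blocklist: Iterable[str],
               default: str = "block") -> str:
    """Decide 'allow' or 'block' for a hostname against both lists.

    Assumed precedence (not any product's documented behaviour): the more
    specific matching entry wins, a tie between the lists blocks, and a host
    matched by neither list gets `default`, which is 'block' here because the
    column treats every endpoint as untrusted."""
    a = _best_match(host, allowlist)
    b = _best_match(host, blocklist)
    if a is None and b is None:
        return default
    if b is None:
        return "allow"
    if a is None:
        return "block"
    return "allow" if len(a) > len(b) else "block"


if __name__ == "__main__":
    # Constructed inventory and lists for a walk-through.
    fleet = [
        Endpoint("ceo-tablet", byod=True, has_endpoint_security=True, business_critical=False),
        Endpoint("field-laptop", byod=True, has_endpoint_security=True, business_critical=True),
        Endpoint("warehouse-printer", byod=False, has_endpoint_security=False, business_critical=False),
    ]
    for ep in fleet:
        print(f"{ep.name:18} -> {network_decision(ep)}")

    allow = ["example.com", "safe.ads.example.com"]
    block = ["ads.example.com"]
    for host in ["mail.example.com", "ads.example.com", "safe.ads.example.com", "notexample.com"]:
        print(f"{host:24} -> {url_filter(host, allow, block)}")
```

The filter is deliberately boring: the value is in the two edge cases it gets right (subdomain matching without the `notexample.com` false positive, and a specific block entry overriding a broad allow entry), which are exactly the cases to test against whatever appliance you actually deploy.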
Together but apart
The third prong can be the most difficult to implement, yet it is the most important. You need a network architecture that is segmented, segregated and restricted.
This used to be hard – especially in SMEs where multiple switches and possible points of failure were anathema – but it is becoming simpler with the rise of virtual networking.
Every mobile endpoint, regardless of whether it is owned by the company or not, gets segmented and segregated as much as is humanly possible.
Virtual private networks are a great start for external access by mobile and BYOD, but they should not constitute the entirety of your mobile endpoint security solution.
Security does not happen by chance; you have to make it happen. The rise of BYOD and a more mobile workforce has forced goalposts to move at an ever-increasing rate.
It is not too late to catch up, though, and with the right strategies you can even get ahead of the curve. ®