Given the diversity of devices, combined with the wide assortment of users that now connect to an enterprise network, completely securing endpoints is virtually impossible. Various technologies, though, can help safeguard data stored on endpoints while protecting the network from devices that may be vulnerable to attack or already compromised. This technical tip looks at how network access control (NAC), data loss prevention (DLP) and robust data destruction help secure endpoints and prevent devices from putting enterprise data at risk.
What NAC does
NAC is a key technology for admission control; it's based on the overall security posture of a user and his or her device. Pre-admission security policy checks and the ability to automatically remediate noncompliant devices ensure each endpoint meets a minimum level of compliance before it can fully connect to the network. This not only ensures that endpoints are capable of protecting themselves from attack by malware, but also stops them from putting the rest of the network at risk. NAC can leverage user and device profiles in back-end data stores, such as LDAP, RSA and Active Directory. This enables routers, switches and firewalls to work together to determine who and what is trying to connect to the network and assign the appropriate access. It also provides a greater coordinated defense in depth, with security controls that are able to share their knowledge of network and device behavior.
NAC products can provide quite detailed information about the status of an endpoint security system by asking these questions: Are all necessary patches applied? Is hard-drive encryption enabled? Is the host-based firewall running? Which ports are open? While answering these questions, and more, context-aware capabilities provide ongoing protection during each network session. Support for more specialized equipment -- such as point-of-sale systems, kiosks and supervisory control and data acquisition systems that may connect to the network -- is also important, as is integrating NAC with mobile device management technologies so that the security status of mobile devices can also be checked.
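The posture questions above, turned into a pre-admission decision, as an added example (this is illustrative code written for this page, not any NAC vendor's product). The report format, the policy profiles, the placeholder patch identifiers and the three outcomes (admit, send to a remediation network, quarantine) are all assumptions; a second profile for kiosk and point-of-sale equipment shows how specialized devices get their own baseline rather than being waved through.

```python
"""Added example: a minimal NAC pre-admission posture check.

Not the page's code or any vendor's product. The report format, policy
fields, patch identifiers and decision names are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PosturePolicy:
    required_patches: frozenset
    require_disk_encryption: bool
    require_host_firewall: bool
    allowed_open_ports: frozenset
    # Finding kinds that can be fixed automatically; anything else quarantines.
    remediable: frozenset = frozenset({"missing_patch", "firewall_off"})


# Constructed policy profiles. Patch ids are placeholders, not real advisories.
POLICIES = {
    "workstation": PosturePolicy(
        required_patches=frozenset({"KB-2024-001", "KB-2024-002"}),
        require_disk_encryption=True,
        require_host_firewall=True,
        allowed_open_ports=frozenset(),
    ),
    # A kiosk/POS profile: it legitimately exposes one service port but must
    # still be encrypted, firewalled and patched.
    "kiosk": PosturePolicy(
        required_patches=frozenset({"KB-2024-001"}),
        require_disk_encryption=True,
        require_host_firewall=True,
        allowed_open_ports=frozenset({8443}),
    ),
}


def evaluate_posture(report: dict, policy: PosturePolicy) -> dict:
    """Compare an endpoint's self-reported posture with a policy profile.

    Returns {"decision": "admit"|"remediate"|"quarantine", "findings": [...]}.
    Findings that cannot be fixed automatically (unencrypted disk, unexpected
    open port) force quarantine; only remediable findings send the device to
    the remediation network.
    """
    findings = []
    for kb in sorted(policy.required_patches - set(report.get("patches", []))):
        findings.append(("missing_patch", kb))
    if policy.require_disk_encryption and not report.get("disk_encrypted", False):
        findings.append(("disk_unencrypted", ""))
    if policy.require_host_firewall and not report.get("firewall_enabled", False):
        findings.append(("firewall_off", ""))
    unexpected = set(report.get("open_ports", [])) - policy.allowed_open_ports
    for port in sorted(unexpected):
        findings.append(("unexpected_open_port", str(port)))

    if not findings:
        decision = "admit"
    elif all(kind in policy.remediable for kind, _ in findings):
        decision = "remediate"
    else:
        decision = "quarantine"
    return {"decision": decision, "findings": findings}


def admission_decision(report: dict) -> dict:
    """Select the profile by device type; a device type with no profile is quarantined."""
    policy = POLICIES.get(report.get("device_type"))
    if policy is None:
        return {"decision": "quarantine",
                "findings": [("unknown_device_type", str(report.get("device_type")))]}
    return evaluate_posture(report, policy)


if __name__ == "__main__":
    # Constructed posture report from a workstation missing one patch with its firewall off
    sample = {"device_type": "workstation", "patches": ["KB-2024-001"],
              "disk_encrypted": True, "firewall_enabled": False, "open_ports": []}
    print(admission_decision(sample))
```

The important design point is that the decision is driven by which findings are automatically fixable, not by how many there are: one unencrypted disk is worse than three missing patches, because the former cannot be corrected from a remediation VLAN.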
Securing endpoints with DLP
While NAC can keep endpoints compliant and control their access to resources, DLP technologies protect data on endpoints from unauthorized attempts by careless or malicious users to copy or share it. DLP tools use deep content filtering to inspect and control the data a user or device is trying to download, copy, print, share or transfer, both to prevent unauthorized use and to stop sensitive data from leaving the network. This provides real-time data protection, as user accounts can be automatically disabled or devices quarantined as soon as a suspicious data transfer (e.g., large uploads or downloads, odd login times, and so on) begins.
DLP tools can be standalone or cloud-based, or integrated into an existing endpoint security system. Extending data loss prevention to mobile devices, whether corporate- or user-owned, usually requires some form of mobile device management product. Many of these also ensure that data on mobile devices is always encrypted.
Required: Data destruction policy
Encryption should of course be used on all endpoints, but the less sensitive data left on endpoints, the better. The turnover of network endpoints has never been higher, and data-destruction policies need to be applied to all devices that can store data. Correctly sanitizing an endpoint's drive or flash storage when it is reassigned or decommissioned is essential in order to destroy all the electronic data on it; normal file deletion commands only remove pointers to the data, which means it takes only a trivial effort, using common software tools, to recover the actual data.
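The difference between deleting a file and sanitizing it, as an added example (written for this page, not a tool from the original): instead of unlinking the name and leaving the data blocks in place, the function overwrites every byte, forces the write to the device, reads the result back, and only then unlinks. It assumes a filesystem that writes in place; on SSDs and flash media (wear levelling and over-provisioned blocks), on journaling or copy-on-write filesystems, and wherever snapshots exist, an in-place overwrite does not reach every copy, so decommissioning such storage relies on the device's own sanitize command or physical destruction, not on this routine.

```python
"""Added example: overwrite a file's contents before unlinking it.

Not the page's code. Illustrates the page's point that a normal delete only
removes the directory entry while the data blocks remain until reused.
Assumes in-place writes on a POSIX-style filesystem; see the lead-in for the
flash/SSD, journaling, copy-on-write and snapshot caveats.
"""
import os
import tempfile


def overwrite_and_unlink(path: str, passes: int = 2) -> dict:
    """Overwrite every byte of the file `passes` times, verify, then unlink.

    Earlier passes write random bytes, the final pass writes zeros so the
    result can be verified. Returns a summary a decommissioning log can record.
    """
    size = os.path.getsize(path)
    chunk = 1 << 16
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if p < passes - 1 else bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite to the device, not just the page cache
        # Read the final pass back: the original content must be gone before unlinking
        f.seek(0)
        verified = True
        remaining = size
        while remaining > 0:
            block = f.read(min(chunk, remaining))
            if not block:
                verified = False
                break
            if block != bytes(len(block)):
                verified = False
            remaining -= len(block)
    os.unlink(path)
    return {"bytes": size, "passes": passes, "verified": verified}


def demo(content: bytes = b"customer-list: constructed sample data") -> dict:
    """Write constructed sensitive content to a temp file, sanitize it and report."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    summary = overwrite_and_unlink(path)
    summary["exists_after"] = os.path.exists(path)
    return summary


if __name__ == "__main__":
    print(demo())
```

The `os.fsync` call is what makes the overwrite meaningful: without it the zeros may sit in the page cache while the original blocks are still what is on the platter when the machine is powered off. The verification read is a cheap control that catches the common failure of opening the wrong path or a read-only file.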
Reducing the number of endpoints holding forgotten copies of classified information reduces the chances of them leaking or exposing enterprise data. Combining robust data destruction with NAC and DLP technologies will greatly improve the overall effort to secure endpoints and the data they store or process.