Once the preserve of desktop security packages and software firewalls, the explosive adoption of consumer devices within enterprises has forced a radical rethink of what endpoint security is.
As pressures on staff and technology have increased, mobile working has become commonplace, and often the tools for the job have become externalised and out of the reach of IT managers.
BlackBerrys, iPhones and assorted smartphones are now in the hands of almost every manager in every business - but are they properly secured?
There are two main schools of thought. Securing these consumerised devices, most with their own wireless broadband connectivity, is a weighty task, without simply banning everything but internal desktops.
The first school contends that every device should have a security client in place to mitigate threats before they can breach the extended network perimeter that the device represents.
The second school of thought says, trust it all to cloud computing. There is a third school: trust Apple or RIM - but that doesn't cut it in the corporate world.
Richard Jacobs, chief technology officer at Sophos' UK offices, surveys the field:
"The traditional definition of endpoint security has been challenged in two ways; by increased productivity through mobile working, and by the need to reduce costs.
"We believe that there is a need to take security to the endpoint, to the users themselves. You simply can't stop users from using iPhones and similar devices, and the trick is not to try."
Caroline Ikomi, security engineer manager, Check Point UK, agrees: "The endpoint is changing and security companies need to reflect this. In the short to medium term we see widespread deployment of endpoint clients, allowing local encryption and AV/firewall control as the first step, alongside centralised control interfaces for these clients."
The growing demands of a mobile workforce will place harsh demands on a client-based security system. Advocates of NAC, for example, would point to such an architecture as the answer to endpoint issues, but this structure becomes hard to enforce when unknown devices are connected.
Two of the most popular of these, the BlackBerry and the iPhone, are based on proprietary code, and few third party security vendors have developed products for them. This lack of oversight can be a concern for business.
Gunter Ollmann, chief security strategist at IBM ISS in the UK, believes that such devices are the next major battleground. "It has only been in the past 18 months that we have seen mobile customers begin to adopt a practice of patching and updating their smartphones.
Previously, OS updates were almost never applied. Smartphones were open to security vulnerabilities for years at a time. At ISS we studied a wide range of handsets and in several popular models found serious security vulnerabilities.
Some of these problems concern the underlying radio standards that the handsets are built on [and] so are likely to be widespread."
Data breaches have pointed to the importance of encryption at endpoints that contain business data and growing numbers of businesses are adopting encryption technologies. However, Amrit Williams, CTO of BigFix, is sceptical of the business case.
"Encryption is a great boon, as long as the data is at rest. That covers theft or casual loss of the device, which is one loss case out of many. It really doesn't cover anything else."
Ollmann is also concerned about the lack of attention paid to tethering smartphones. "Even larger enterprises are yet to publish policies dealing with smartphone use.
Bridging technologies between the smartphone and corporate HQ - such as Bluetooth and USB - provide a handy route for attackers. As cellular network speeds increase, this soft vector for attack will become popular.
There hasn't been enough consideration of the dangers of bridging networks, even though the technology and user requirement to do so are commonplace."
Additionally, mobile working has driven a rush away from the typical desktop to a more flexible laptop setup. Home working has increased the numbers of non-business-related desktop PCs accessing corporate systems remotely.
Ensuring that endpoints such as these are secure is a Herculean task. Deploying strong two-factor authentication is part of the puzzle, but far from a total solution.
Ensuring that the corporate laptops are running anti-virus/firewall and encryption is a vital step, but this still leaves a variety of vulnerabilities.
This is where the second school of thought comes in - cloud computing and, ultimately, desktop virtualisation. Cloud computing is everywhere right now, and everyone, from traditional AV vendors through to sales CRM system firms, claims to be involved.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
