What Is Really Needed for Endpoint Protection
Shilpi Dey - Product Marketing Manager
There is no doubt that firewalls are no longer sufficient as the sole security strategy of choice. Whether it’s your telecommuting employees, consultants, vendors, or your sales force in the field, securing those endpoints is more crucial than ever.
It seems everywhere you turn, there is a new endpoint solution or, better yet, an endpoint security suite that is sure to make life easy for you, the security administrator, with a comprehensive endpoint protection offering. Most of these solutions offer anti-virus, host intrusion prevention, VPN, and data encryption all rolled into a convenient client and centrally managed by the same administration interface. These solutions are often tempting to procure and deploy, especially given the fact that there are fewer clients to manage, and a single administrator (usually the desktop administrator) can conveniently manage all those laptops and desktops using the same portal. Appears less burdensome and inexpensive on the surface, right? Well, not quite.
One of the key points to remember when deploying any security solution is separation of duties. When it comes to security, it is essential not to have the same administrator or group hold all the keys to the kingdom. What happens if that administrator falls ill, or is off on vacation when a user forgets the passphrase to their encrypted laptop? The single endpoint solution creates a single point of failure in many scenarios, such as malicious intent, accidental data loss, and more.
Additionally, any endpoint solution that is deployed has to take into consideration the myriad of devices each and every one of us has come to rely on as being essential to being productive at work. These devices range from the USB sticks and CDs containing data we share with our colleagues and partners, to smart phones that we rely on for everything from corporate email to those financial spreadsheets.
The solution is not to clutter the user’s system with every type of endpoint solution out there either. Instead, one approach could involve separating data protection from network protection. The benefits of this are manifold. Data protection is usually achieved by strong encryption and granular control. In the case of a disclosure event or audit, knowing that, come what may, sensitive corporate data is safe from accidental or malicious theft and, more importantly, being able to demonstrate that the data was protected go a long way toward staying compliant and preventing corporate and human distress.
Data protection is not just a matter of slapping on a disk encryption or file encryption solution. Instead, it should involve a risk assessment strategy that identifies the endpoints on the network and the devices connected to these endpoints – i.e., laptops, desktops, removable devices such as USB drives, CDs, DVDs, etc. Once all data at risk is identified, a risk mitigation strategy that identifies and assesses device usage, users, machines, etc., should be put in place. This sets the groundwork for a sound corporate data protection policy that involves not only the endpoint encryption and access control components, but also the overall data protection and key management components. Bottom line, the next time you’re tempted to throw the kitchen sink into endpoint protection, make sure you remember there’s also a bigger house to think about.