This page has moved to a new address.

Creating a network endpoint security policy for hostile endpoints

body { background:#aba; margin:0; padding:20px 10px; text-align:center; font:x-small/1.5em "Trebuchet MS",Verdana,Arial,Sans-serif; color:#333; font-size/* */:/**/small; font-size: /**/small; } /* Page Structure ----------------------------------------------- */ /* The images which help create rounded corners depend on the following widths and measurements. If you want to change these measurements, the images will also need to change. */ @media all { #content { width:740px; margin:0 auto; text-align:left; } #main { width:485px; float:left; background:#fff url("") no-repeat left bottom; margin:15px 0 0; padding:0 0 10px; color:#000; font-size:97%; line-height:1.5em; } #main2 { float:left; width:100%; background:url("") no-repeat left top; padding:10px 0 0; } #main3 { background:url("") repeat-y; padding:0; } #sidebar { width:240px; float:right; margin:15px 0 0; font-size:97%; line-height:1.5em; } } @media handheld { #content { width:90%; } #main { width:100%; float:none; background:#fff; } #main2 { float:none; background:none; } #main3 { background:none; padding:0; } #sidebar { width:100%; float:none; } } /* Links ----------------------------------------------- */ a:link { color:#258; } a:visited { color:#666; } a:hover { color:#c63; } a img { border-width:0; } /* Blog Header ----------------------------------------------- */ @media all { #header { background:#456 url("") no-repeat left top; margin:0 0 0; padding:8px 0 0; color:#fff; } #header div { background:url("") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #header { background:#456; } #header div { background:none; } } #blog-title { margin:0; padding:10px 30px 5px; font-size:200%; line-height:1.2em; } #blog-title a { text-decoration:none; color:#fff; } #description { margin:0; padding:5px 30px 10px; font-size:94%; line-height:1.5em; } /* Posts ----------------------------------------------- */ .date-header { margin:0 28px 0 43px; font-size:85%; line-height:2em; text-transform:uppercase; letter-spacing:.2em; color:#357; } .post { margin:.3em 0 25px; padding:0 13px; border:1px dotted #bbb; border-width:1px 0; } .post-title { margin:0; font-size:135%; line-height:1.5em; background:url("") no-repeat 10px .5em; display:block; border:1px dotted #bbb; border-width:0 1px 1px; padding:2px 14px 2px 29px; color:#333; } a.title-link, .post-title strong { text-decoration:none; display:block; } a.title-link:hover { background-color:#ded; color:#000; } .post-body { border:1px dotted #bbb; border-width:0 1px 1px; border-bottom-color:#fff; padding:10px 14px 1px 29px; } html>body .post-body { border-bottom-width:0; } .post p { margin:0 0 .75em; } { background:#ded; margin:0; padding:2px 14px 2px 29px; border:1px dotted #bbb; border-width:1px; border-bottom:1px solid #eee; font-size:100%; line-height:1.5em; color:#666; text-align:right; } html>body { border-bottom-color:transparent; } em { display:block; float:left; text-align:left; font-style:normal; } a.comment-link { /* IE5.0/Win doesn't apply padding to inline elements, so we hide these two declarations from it */ background/* */:/**/url("") no-repeat 0 45%; padding-left:14px; } html>body a.comment-link { /* Respecified, for IE5/Mac's benefit */ background:url("") no-repeat 0 45%; padding-left:14px; } .post img { margin:0 0 5px 0; padding:4px; border:1px solid #ccc; } blockquote { margin:.75em 0; border:1px dotted #ccc; border-width:1px 0; padding:5px 15px; color:#666; } .post blockquote p { margin:.5em 0; } /* Comments ----------------------------------------------- */ #comments { margin:-25px 13px 0; border:1px dotted #ccc; border-width:0 1px 1px; padding:20px 0 15px 0; } #comments h4 { margin:0 0 10px; padding:0 14px 2px 29px; border-bottom:1px dotted #ccc; font-size:120%; line-height:1.4em; color:#333; } #comments-block { margin:0 15px 0 9px; } .comment-data { background:url("") no-repeat 2px .3em; margin:.5em 0; padding:0 0 0 20px; color:#666; } .comment-poster { font-weight:bold; } .comment-body { margin:0 0 1.25em; padding:0 0 0 20px; } .comment-body p { margin:0 0 .5em; } .comment-timestamp { margin:0 0 .5em; padding:0 0 .75em 20px; color:#666; } .comment-timestamp a:link { color:#666; } .deleted-comment { font-style:italic; color:gray; } .paging-control-container { float: right; margin: 0px 6px 0px 0px; font-size: 80%; } .unneeded-paging-control { visibility: hidden; } /* Profile ----------------------------------------------- */ @media all { #profile-container { background:#cdc url("") no-repeat left bottom; margin:0 0 15px; padding:0 0 10px; color:#345; } #profile-container h2 { background:url("") no-repeat left top; padding:10px 15px .2em; margin:0; border-width:0; font-size:115%; line-height:1.5em; color:#234; } } @media handheld { #profile-container { background:#cdc; } #profile-container h2 { background:none; } } .profile-datablock { margin:0 15px .5em; border-top:1px dotted #aba; padding-top:8px; } .profile-img {display:inline;} .profile-img img { float:left; margin:0 10px 5px 0; border:4px solid #fff; } .profile-data strong { display:block; } #profile-container p { margin:0 15px .5em; } #profile-container .profile-textblock { clear:left; } #profile-container a { color:#258; } .profile-link a { background:url("") no-repeat 0 .1em; padding-left:15px; font-weight:bold; } ul.profile-datablock { list-style-type:none; } /* Sidebar Boxes ----------------------------------------------- */ @media all { .box { background:#fff url("") no-repeat left top; margin:0 0 15px; padding:10px 0 0; color:#666; } .box2 { background:url("") no-repeat left bottom; padding:0 13px 8px; } } @media handheld { .box { background:#fff; } .box2 { background:none; } } .sidebar-title { margin:0; padding:0 0 .2em; border-bottom:1px dotted #9b9; font-size:115%; line-height:1.5em; color:#333; } .box ul { margin:.5em 0 1.25em; padding:0 0px; list-style:none; } .box ul li { background:url("") no-repeat 2px .25em; margin:0; padding:0 0 3px 16px; margin-bottom:3px; border-bottom:1px dotted #eee; line-height:1.4em; } .box p { margin:0 0 .6em; } /* Footer ----------------------------------------------- */ #footer { clear:both; margin:0; padding:15px 0 0; } @media all { #footer div { background:#456 url("") no-repeat left top; padding:8px 0 0; color:#fff; } #footer div div { background:url("") no-repeat left bottom; padding:0 15px 8px; } } @media handheld { #footer div { background:#456; } #footer div div { background:none; } } #footer hr {display:none;} #footer p {margin:0;} #footer a {color:#fff;} /* Feeds ----------------------------------------------- */ #blogfeeds { } #postfeeds { padding:0 15px 0; }

Tuesday, November 2, 2010

Creating a network endpoint security policy for hostile endpoints


Andrew Jaquith, Forrester Research
Rating: -4.25- (out of 5)

The enterprise security perimeter is quickly dissolving. Everything from company financials and source code emails to unstructured documents and other forms of data is circling outside the enterprise firewall on non-IT-controlled devices. Not surprisingly, Cambridge, Mass.-based Forrester Research Inc. has found that nearly half (47%) of North American and European enterprises have stated that implementing security requirements for third parties is a high or critical priority.

IT security has long operated on a simple principle: Because the firm owns all user endpoint devices that access company information, securing the devices means that data on them is secure. But what if that foundational principle no longer applies? The increasingly insistent and inconvenient spread of sensitive data to non-company-owned devices suggests that it doesn't.

Conversations with enterprises in the manufacturing, media and seasonal services verticals uncovered some unconventional wisdom: Control does not necessarily require ownership. Moreover, successfully controlling the spread of sensitive information on the network requires inverting conventional wisdom entirely by planning as if the enterprise owned no devices at all. Forrester calls this strategy the Zero Trust Model. To put the strategy even more simply: Treat all endpoints as hostile.

In recent research, Forrester identified five data security design patterns for implementing the Zero Trust strategy: thin client, thin device, protected process, protected data, and eye-in-the-sky. None of these patterns assume that the enterprise owns the endpoint devices. By dismissing the age-old conflation of ownership and control, enterprises will be able to design a network endpoint security policy that encompasses all possible ownership scenarios, including "technology populism," offshoring and outsourcing. To that end, look to secure your company's information with the following: Thin client: Process centrally, present locally
Thin client is the old war horse of the Zero Trust strategy, encompassing a variety of technologies, including OS streaming, hosted desktop virtualization and workplace virtualization. Implemented in a security context, sensitive data stays centralized in hardened bunkers, with remote devices allowed to view it only via thin-client terminal applications. Because network access is required, thin client doesn't support offline use.

The advantage of the thin client is that data never leaves the server: It is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers and require strong or two-factor authentication using tokens. Client

Thin device: Replicated data, with device-kill for insurance
The thin device pattern constrains access by limiting the type of device that can be used to access the data. Point-purpose devices like smartphones, for example, can keep only limited amounts of sensitive information on them. The information they keep is replicated, with master copies stored in data centers. Because of their size, storage capacity and comparatively modest processing power, applications are limited to email, light Web surfing and simple Web applications, rather than general data processing. With the thin device pattern, IT security groups can still control the security of devices, even when they don't own them. Using native management tools or third-party mobile device platforms like those made by Sybase Inc., smartphone security policies that can typically be imposed include backup and enforced encryption. For insurance, thin devices can be remotely wiped, making them truly disposable, unlike PCs. However, IT security may find it technically or politically unfeasible to impose IT security policies on non-company-owned devices. Protected process: Local information processing in a secure "bubble"
Unlike the thin client pattern, which keeps sensitive data off of client devices entirely, the protected process pattern allows data to be processed locally on non-IT-owned machines. Sensitive information sits inside a compartmentalized processing environment that is separated from the user's local operating system environment -- essentially a "bubble" -- of which the security and backup properties are controlled by IT. The protected process pattern has many advantages: local execution, offline operation, central management and a high degree of granular security control, including remote wipe capabilities. But keep in mind that most operating system and application virtualization products are Intel- or Windows-only. Protected data: Documents protect themselves regardless of location
Whereas all of the previous patterns seek to control the operating environments that process information, the protected data pattern protects the data itself. Technologies like enterprise rights management (ERM) enshrine access rules into documents directly. These rules, which rely on cryptography for enforcement, apply no matter where the document rests, which is a key advantage. Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.

One of the disadvantages to this pattern is that ERM requires client-side agents on every participating endpoint. The technology can also be challenging to deploy: Organizations tell Forrester that ERM business unit users sometimes create policies that are too tight, making data difficult to access, and policies don't adapt well to organizational changes.

Eye-in-the-sky: Know when important information leaves
The fifth Zero Trust data security design pattern is a supplementary data control technique for detecting, logging and optionally blocking sensitive data that leaves the physical or logical enterprise perimeter. Data leak prevention (DLP) technology, and, to a lesser extent, security information and event management (SIEM) tools, form the backbone of this pattern.

The primary advantage of the eye-in-the-sky pattern is that it can detect sensitive data as it moves outside the logical security boundaries, making it ideal for understanding the velocity and direction of information flow and for detecting anomalous transmissions. Unfortunately, most enterprises aren't able to require their business partners to install DLP agents on their computers. For this reason, enterprises should regard the eye-in-the-sky pattern as one that supplements other protection capabilities for outside PCs.

About the author:
Andrew Jaquith is a senior analyst at Forrester Research, where he serves security and risk professionals. He will speak at Forrester's 2010 Security Forum in Boston, Sept. 16 -17. Andrew's colleague, John Kindervag, will speak at the Forum as well on the subject "No More Chewy Centers: The Zero-Trust Model Of Information Security."
To rate tips, you must be a member of
Register now to start rating these tips. Log in if you are already a member.

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

View the original article here

Labels: , , , , , , , ,


Post a Comment

Feel Free to Leave Your Comments/Thoughts Below

Links to this post:

Create a Link

<< Home