Belt and braces: covering all the endpoint security angles

Given users have skipped beyond the safe confines of wholly owned and heavily guarded corporate networks, how do you keep data safe?

The question of how to keep user computing secure is a complex one because of the proliferation of device types, the places users are when they use them and the networks with which they connect.

Making matters worse is the issue of device ownership. A recent Quocirca report, Getting to grips with BYOD, shows most organisations now accept user-owned devices will at some stage be used, at some level, for work purposes. The bring your own device (BYOD) trend looks like it is here to stay.

So where to start with making all user computing as secure as possible? A chief information security officer (CISO) once told Computer Weekly their organisation’s starting point was to regard all devices as potentially hostile, regardless of ownership – that’s not a bad idea, as once a “good” device has been compromised, it can soon become a bad one.

However, other considerations must also be taken into account, in particular the degree of control that can be asserted over a device.

Managed and unmanaged devices

Managed devices are those the organisation owns and can do what it likes with, even though the custodian may be one of its staff. Applications can be installed, software licence use controlled and punitive measures, such as device wiping, put into effect when devices are lost.

A granular approach is necessary. The measures taken for a marketing staff member’s laptop will be different to those appropriate to a field service engineer’s mobile device or a health worker’s tablet. Devices that stay firmly behind the firewall, including virtual desktops, will be treated differently to those that never go out of the office.

Unmanaged devices are those owned by employees or users from third parties and are harder to impose control over. In some cases, permission may be sought to install software on user-owned devices, so they are part-managed; however, this cannot be open-ended, as unknown numbers of licences will be needed and the chosen security measures may not be available for all the device types and operating systems required.

Data first

If controls are applied to data itself, then the device is less important – whether it is managed or unmanaged. Effective data controls require an organisation to have a good knowledge of its data assets, in particular intellectual property (IP) and regulated data. Acquiring this level of knowledge is a core capability of some of the product categories reviewed in this article, which fall into two main groups: centralised controls and on-device controls.

For each group, the level of protection applied to data and the applicability of each control to managed and unmanaged devices are discussed. No one technology or supplier provides all the protection a given organisation will require; most will need a mix of approaches. As always with information security, when it comes to user computing, a layered approach is necessary – it’s time to tighten the belt and pull up the braces.

Centralised controls

With centralised controls, the aim is to protect data and/or devices, often without the need for any software installed on devices. When this is the case, such controls apply to both managed and unmanaged devices.

Network access control

Network access control (NAC) is primarily a network defence, controlling which devices have access. However, it also has a role to play in maintaining the hygiene of user devices. Whenever a managed device attempts to attach to the home network, NAC can ascertain its security status and take necessary action. NAC products that can operate without pre-installed agents can extend controls to unmanaged and unknown devices. Suppliers include the network majors – Cisco, Juniper and Aruba – and specialists such as ForeScout, Bradford Networks and Portnox. The 2013 Quocirca report, Next-generation network access control, looked at some of the real-world use cases for NAC.

Data loss prevention

Data loss prevention (DLP) monitors data in transit over networks to prevent it ending up in the wrong place. The main aim is to prevent the theft and careless use of data. DLP also has a role to play when it comes to user computing, as rules can be set for which users have the rights to access what data from which devices and where. All the leading DLP suppliers have been acquired by larger security suppliers including CA, Symantec, Websense, EMC/RSA, McAfee and Trend Micro.

Digital rights management

Digital rights management (DRM) applies controls to data, even when it has been copied to a user’s device. This is achieved through linking access to an online policy server. For example, a user may be able to read a document on a device but not print it, forward it or copy it. Another recent Quocirca report, What keeps your CEO up at night? looks at the use of DRM to prevent data misuse. Microsoft has DRM capability embedded in several products. A host of smaller suppliers take a user-centric approach to DRM, such as Fasoo and Verdasys.

Endpoint management and mobile device management

For completeness it should be pointed out that making sure the system and security software installed on managed devices is kept up to date is an essential part of securing user computing. This is the role of endpoint and mobile management tools, and is especially important if automated operating system updates are not switched on.

Security information and event management

Security information and event management (SIEM) is not an endpoint management technology in itself. However, it does have two important contributions to make. First, it allows the behaviour of applications and users on endpoints to be reviewed in a broader context. For example, two access requests by the same user from different devices being made from widely separated locations in a short space of time can be identified as an issue. Second, many user security tools can provide a feed to SIEM and forensics systems when investigations are being made following an incident.
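The correlation described above (one user, two devices, widely separated locations, a short space of time) can be written as a simple rule. The following is an added example, not taken from the article or any supplier's product; the event fields, sample events and both thresholds are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample events: (UTC timestamp, user, device id, latitude, longitude)
EVENTS = [
    ("2024-03-01T08:00:00", "asmith", "laptop-01", 51.5074, -0.1278),   # London
    ("2024-03-01T08:40:00", "asmith", "phone-07", 40.7128, -74.0060),   # New York
    ("2024-03-01T09:00:00", "bjones", "laptop-02", 51.5074, -0.1278),   # London
    ("2024-03-01T12:30:00", "bjones", "tablet-03", 53.4808, -2.2426),   # Manchester
    ("2024-03-01T13:00:00", "asmith", "phone-07", 40.7306, -73.9352),   # New York
]

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50.0    # assumed floor: ignore short hops from imprecise geolocation

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return alerts for consecutive requests by one user, from different
    devices, that imply travelling faster than max_kmh."""
    alerts = []
    last = {}  # user -> most recent event seen for that user
    for ts, user, device, lat, lon in sorted(events):  # ISO timestamps sort in time order
        when = datetime.fromisoformat(ts)
        prev = last.get(user)
        last[user] = (when, device, lat, lon)
        if prev is None or prev[1] == device:
            continue  # first sighting, or the same device simply moving
        km = haversine_km(prev[2], prev[3], lat, lon)
        hours = (when - prev[0]).total_seconds() / 3600
        if km >= min_km and (hours == 0 or km / hours > max_kmh):
            alerts.append({"user": user, "devices": (prev[1], device),
                           "km": round(km), "minutes": round(hours * 60)})
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

Only the London-to-New-York pair is flagged; the London-to-Manchester requests three and a half hours apart are plausible travel, and repeat requests from the same device are ignored.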

On-device controls

On-device controls are mainly applicable to managed devices. In many cases devices are compromised because they are lost or stolen. When a device ends up in the wrong hands the new “owner” will often just seek to reset and resell the device, with little interest in the data stored on it. However, asserting that this is likely to be the case will not satisfy regulators when sensitive data has been involved; better levels of assurance are required.

Device access controls

One of the most obvious protections that can be put in place is to require a password or stronger level of authentication (such as a fingerprint) for accessing a device. In differing ways, such controls are often built into operating systems and just need to be activated. However, a determined thief will generally find their way around device access controls.

Encryption

When centralised controls (or lack of them) have permitted sensitive data to be stored on a device, local encryption should be used to provide protection. Encryption capabilities are embedded in most operating systems. Symantec PGP, SafeNet and others provide cross-system support. Encryption keys are often linked to device access controls so, if these are compromised, then so is the data. Furthermore, when the data is in use it is not protected, so users can still copy and forward it, and malware writers often try to get around encryption by accessing data in use through memory scraping. Encryption can also be turned against users; ransomware encrypts data and demands a fee for the key.

Traditional antimalware

Random and opportunistic malware is still finding its way onto many poorly protected devices aiming to steal personal data, recruit to botnets or extort a ransom. Traditional antimalware products, from the major security suppliers and specialists such as Kaspersky, Panda, AVG and Avast, all help protect devices from random malware and blacklist known bad stuff. As well as defending against malware, many provide broader controls, for example limiting the use of USB devices.

Advanced malware detection

Individual users are increasingly targeted as part of broader campaigns to infiltrate organisations. Unique versions of malware may be used that are hard to detect using the signature-based techniques of traditional antimalware. Many suppliers have developed more sophisticated capabilities such as detecting malware-like behaviour. One approach is to test anything suspicious in a sandbox; FireEye and Trend Micro are two of the leaders in this area.

Whitelisting

Why let anything run on a device unless it is known to be good? That is the philosophy behind whitelisting. Leading suppliers include Bit9, Lumension and, for Windows only, Microsoft AppLocker. Where there is good reason to limit user activity – for example, on point-of-sale devices and those of health visitors and field service engineers – whitelisting may make sense; for other users it will be too restrictive.

Isolation

Another approach is to limit the resources that a program has access to, termed isolation. Here all instances of applications run in their own virtual machines. Authorised applications are granted access only to the resources they need. Two suppliers have emerged in this space, Bromium and Invincea. Another is Spikes Security, specifically focusing on isolating a user’s web browsing activity, which is one of the most common ways for malware to end up on devices.

Containerisation and secure desktops

For mobile devices, especially user-owned ones where a level of management control has been agreed by the user, it makes sense to partition a part of the device for corporate-specific activity. This is the essence of containerisation; the leading suppliers include Good Technology and VMware’s AirWatch. Virtual desktop technology is also being adapted for use on mobile devices, which provides a similar level of protection. A final approach is to create boot-secure desktops from USB devices by using Windows to Go; Microsoft-certified suppliers include IronKey and Spyrus.

Bob Tarzey is an analyst at Quocirca
