Endpoint security without the pain

23.01.2006
It isn't often that users are happy when their IT manager installs security software on their notebooks. Usually, more security means more passwords to remember, more restrictions on what software they can run and more hoops to jump through to get their jobs done.

But technology team leader Laura Davis says mobile employees at Woolpert Inc., an 800-user architectural and engineering firm in Dayton, Ohio, were "ecstatic" when she installed Senforce Technologies Inc.'s Endpoint Security Suite on their notebooks. That's because previously Davis had flat-out disabled their wireless access out of fear that hackers could use it to access the Woolpert network while users were also linked via their wired connections.

Or, to be more precise, she had tried to disable the users' wireless access. "We had a formal policy, we had the hardware disabled, we had the operating system configuration locked down," she says. But savvy users found ways to go wireless anyway. Davis is now about 50 percent through a rollout of the Senforce suite to about 300 notebook computers. Senforce gives users legitimate wireless access when they're on the road but disables their wireless -- for sure -- when they have a wired connection to the Woolpert LAN.

Davis' experience shows how endpoint security can benefit both individual employees and their employers. Fearing everything from privacy regulations to malicious insiders, many companies are adding more protection to endpoints such as desktop PCs, notebooks and handhelds.

IT managers can lock down users' systems in ways that limit which applications they can run, where they can make a wireless connection and whether they can copy a file to a USB memory drive. "But all the users will hate their guts, because they won't get anything done," says Clain Anderson, director of security at Lenovo Group Ltd. in Purchase, N.Y., which acquired IBM's PC business last May.

By paying careful attention to the needs of users and choosing endpoint security tools carefully, IT staffs can avoid creating overly strict security policies and elaborate network-access rules, as well as spend less time dealing with false alarms and tweaking security configurations, say users, vendors and analysts.

Done right, endpoint security protects critical data without putting the squeeze on users' productivity or IT managers' already overloaded schedules.

Threats and countermeasures

An endpoint is any intelligent, network-aware device that is under the control of an end user and can be accessed from outside the organization. The most obvious threat is the ubiquitous mobile computer with a wireless connection. But even networked printers and copiers have enough processing power and storage to launch an attack.

Any intelligent device with an I/O port can be vulnerable, even to low-tech threats like theft. For Conrad Pearson, burglaries near his office in Lake Oswego, Ore., were the rude awakening. "We're in one of the more exclusive office buildings you can be in," he says. But several years ago, thieves stole computers and other items from nearby buildings. That set off alarm bells for Pearson, a financial adviser at Pearson Financial Group, a 30-person financial planning firm with 500 customers.

Since then, the firm has installed measures such as Centennial DeviceWall software from Centennial Software Ltd., which locks down employees' PCs so they can't copy information to flash memory drives, CD-ROMs or floppy disks. That helps secure customer information, which "would be a treasure trove" for identity thieves, says Pearson.

Countermeasures begin with the basics: antivirus and antispyware software and a firewall on every endpoint computer. The next step includes products, such as those used by Pearson, that allow administrators at a central console to lock down the applications or the physical devices a user can access on his machine and monitor attempts to bypass the controls.

The most ambitious and expensive strategy, usually used by larger organizations, is a network access control system that runs on servers or on network appliances and scans network traffic for attacks that enter the network through an endpoint. Such products may require a device to have the proper security patches and updates before accessing the network, determine when and how users can access a wireless network, and control the flow of traffic across the network to limit attacks. Whatever the approach, users don't want to be hamstrung -- and IT managers don't want to be overwhelmed by the work involved in managing these products.

"If you're locking those [endpoint] systems down too much, it may interfere with the users' ability to perform their jobs," says Diana Kelley, an analyst at Burton Group in Midvale, Utah. "You've got to balance how tightly you're going to lock down those systems versus what users are not going to do if you're using a solution that forbids the installation of new software."

Fingerprint readers, which replace passwords with a finger scan, can increase security without making users' lives harder. Lenovo has sold nearly a million notebooks with such scanners, says Anderson. "The technology has evolved to the point where it is becoming more viable for mainstream mobile users," says Matt Wagner, senior manager of security and wireless product marketing at Hewlett-Packard Co.

Knowing that most end users don't have the time, interest or knowledge to decide which software or devices are safe to use on their PCs, some vendors instead focus on offering systems that support companywide security policies that make those decisions for the user. That, however, can shift the work from the user to the IT manager.

Easy on IT

Creating policies that determine what can and can't run on endpoints requires IT managers to figure out what software is really running in their organizations and which of those applications are really critical. Managers often don't realize how long it takes to create policies that reflect how employees actually use their systems and thus underestimate the cost of implementing security software, says Forrester Research Inc. analyst Natalie Lambert.

Implementing lock-down tools that rely on a "white list" of approved applications, for example, requires knowing and listing every application employees use. Locking down physical access to a machine by denying the use of a USB flash memory device, for example, might prevent a virus from spreading but also keep a user from legitimately sharing a file with a co-worker, says Lambert. Even when using a host-based intrusion-detection system that builds knowledge about normal network traffic, "you may need to run the program in learning mode for over a month to learn about what's going on in your environment," she says.

Then there's the ongoing work of watching for attacks and fighting them. When a virus took over student notebooks at the University of North Carolina at Chapel Hill and used them to spew spam, Mike Hawkins, associate director of networking, "stopped it dead in its tracks" by blocking such traffic at switches at the edge of the network. Using Enterasys Networks Inc.'s Dragon Intrusion Defense System, he was able to change the configuration of each switch without having to log into and out of each one. "I don't have enough people, and nobody has enough people" to make such changes manually, he says.

"Robust management is absolutely critical, because in a very large environment, you could be talking about 70,000 desktops you're managing," says Kelley. She recommends security tools that make it easy to not only deploy, monitor and reconfigure agents, but also do so over low-bandwidth connections or when the device is frequently disconnected from the network.

Customers are demanding security that is "simple, reliable and effective, and easy to maintain," says Brian Hazzard, director of product management at Bit9 Inc. in Cambridge, Mass. Bit9's Parity offering deploys agents that monitor endpoint systems for a "gray list" of unknown software, which the agent can either block or just monitor, based on policies set at a central administrator.
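To make the white-list and gray-list distinction concrete, here is an added example (not Bit9's or Centennial's code, and not from the original article) of a minimal application-control policy: the approved and known-bad hashes, the "learning mode" baseline and the sample binaries are all constructed, unknown software forms the gray list, and a single policy switch decides whether it is merely logged or blocked.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executables; a real agent hashes files on disk.
SAMPLES = {
    "word.exe": b"approved office application (constructed)",
    "putty.exe": b"unknown tool a user downloaded (constructed)",
    "worm.exe": b"known-bad sample (constructed)",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Policy:
    white: set = field(default_factory=set)   # hashes of approved software
    black: set = field(default_factory=set)   # hashes of known-bad software
    gray_mode: str = "monitor"                # "monitor" logs unknowns, "enforce" blocks them
    events: list = field(default_factory=list)

    def learn(self, baseline: dict) -> None:
        """Learning mode: everything found on a known-clean reference image is approved."""
        self.white.update(sha256(d) for d in baseline.values())

    def evaluate(self, name: str, data: bytes) -> str:
        """Classify one executable and record the decision for the central console."""
        h = sha256(data)
        if h in self.black:
            verdict, reason = "blocked", "black list"
        elif h in self.white:
            verdict, reason = "allowed", "white list"
        elif self.gray_mode == "enforce":
            verdict, reason = "blocked", "gray list, enforce mode"
        else:
            verdict, reason = "allowed", "gray list, monitor mode"
        self.events.append({"name": name, "sha256": h, "verdict": verdict, "reason": reason})
        return verdict

    def gray_report(self) -> list:
        """Unknown software seen so far: what an administrator reviews before switching to enforce."""
        return sorted({e["name"] for e in self.events if e["reason"].startswith("gray")})

if __name__ == "__main__":
    policy = Policy(black={sha256(SAMPLES["worm.exe"])})
    policy.learn({"word.exe": SAMPLES["word.exe"]})   # constructed reference image
    for name, data in SAMPLES.items():
        print(f"{name}: {policy.evaluate(name, data)}")
    print("unknown software to review:", policy.gray_report())
```

Running in monitor mode first and reviewing `gray_report()` is the tuning step the article describes; only once the gray list has been triaged does switching `gray_mode` to "enforce" stop generating help desk calls for legitimate software.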

Ease of use drove Omgeo LLC to Bit9, says Javed Ikbal, chief information security officer at Omgeo, which processes trades in stocks, bonds and other financial assets. He has deployed Bit9 on almost 1,000 machines, including endpoint devices, production servers and servers for quality assurance on new applications. "Any product that is behavior-based requires constant tuning and maintenance to be sure it's capturing what it should capture," he says. Bit9 allows Ikbal "to lock down machines without taking too much maintenance from the user."

Educate and convert

No security tool will work effectively without cooperation from users -- and that requires educating them about the need for some limits on what they can do. When Pearson installed the DeviceWall software at Woolpert, general manager Denise Reinert told employees why new regulations -- and the need to protect their customers -- made it so important for them to safeguard corporate data. "That created a platform to have a conversation," she says, "and when people got to talking about it, [they] became very aware of how much we were at risk."

At Omgeo, "very comprehensive user communication" has helped melt user opposition, says Ikbal. "When Bit9 throws up a message that says, 'You're not allowed to execute this [software],'" the program points the user to a help desk Web site as well as the phone number of a help desk staffer, he says. For a couple of weeks after Bit9 was deployed, the help desk got two to three calls per day, but that has since dropped to zero.

"People feel strongly about what they can and cannot do" on their endpoint systems, Ikbal says. "It's up to us to educate the users, and we are doing that."

In the short run, such education is yet more work for IT managers, but in the long run, it can make life easier for everyone.

Sidebar

Printers gone wild

That innocent-looking printer in the corner might be gunning for you.

Because many printers and copiers have a processor, storage, an operating system and a network connection, they're as capable as a PC of launching an attack, says Mike Hawkins, associate director of networking at the University of North Carolina at Chapel Hill. Hawkins says he has seen "many, many" printers on campus used to store and download files or "used to launch attacks against other computers."

"We've found almost countless examples of where the compromise of an office productivity system, such as a printer or copier or fax, [is] used for illicit purposes," says John Rose, chief technology officer at network security vendor Enterasys Networks in Andover, Mass.

Preventing such attacks requires the same controls and monitoring as are used for PCs or servers. While copiers have inherently weak authentication, says Rose, strict policies limiting the bandwidth they can use and the network protocols they can speak make them operate less like PCs and thus a less attractive target. Other options include "placing them in a protected [virtual LAN] or behind a network gateway," says Burton Group analyst Diana Kelley.

Whatever you do, don't assume that a good printer can't go bad.

-- Scheier is a freelance writer in Boylston, Mass.