Web applications that run in Data Centers can be well-protected with physical, network and system security by applying sufficient people, processes and technology to manage infrastructure that is directly under the control of operations staff.
Unmanaged endpoints, like desktop computers of tele-workers or laptops of mobile users who access these applications, can introduce holes into an otherwise complete security model.
The best efforts of server and network professionals can protect data in the server farm, but data that originates from or is downloaded to compromised endpoints is subject to theft and exploitation.
So, yes, there is safety in the cloud, but the endpoint is another matter.
Authentium's SafeCentral is an endpoint-based solution that creates a secure footprint on an otherwise unmanaged computer to allow it to access sensitive data and applications and block data leakage. Such leakage can result from mass-market or targeted attacks on endpoints that install keyloggers, SSL data hijackers, remote access tools or other malware.
SafeCentral creates a managed session on an otherwise unmanaged computer. SafeCentral applies special, restrictive policies to the unmanaged operating system during web application usage such that data and functions the application makes available can be shielded from monitoring, recording and theft by malware that has infected the endpoint.
Examples of shielding include:
- Blocking keyloggers
- Blocking screen capture
- Preventing code injection that can steal data even out of SSL/TLS-protected web connections
- Providing alternate, secure DNS lookups that bypass vulnerable DNS resolvers
- Providing browser lockdown that blocks malicious plugins and extensions
Online banking is a good example of an extremely sensitive web application that runs on unmanaged clients. Online criminals increasingly use banking trojans to exploit these access points, creating a multi-billion-dollar industry of fraudulent transactions. The largest banks around the world will be deploying SafeCentral to their clients during 2009.
There will be many interesting ways in which remote desktops, virtual machines or virtual browsers on the client side, and other security approaches evolve over the next decade. Given that Citrix Winframe has been available for over a decade, it's clear that these technologies take time to achieve maturity and large-scale deployment.
SafeCentral is available now as a managed service that provides a secure web application client on Windows endpoints that are prone to infection and exploitation even when antivirus, antispyware, firewall and other security software is already installed. Data Center staff cannot take on the additional responsibility of keeping endpoints clean of malware, but they can require the use of SafeCentral to access their server-side applications and rest assured that web sessions remain private and protected.