Friday, October 29, 2010

Boo! Are your employees' computers haunted?

These are scary times for information security professionals, who face increasing demands to protect sensitive company information while at the same time supporting more and more employee-owned devices connecting to the corporate network.

In my last posting I mentioned an InformationWeek article that I will return to this week. The article describes how anti-malware software is not getting the job done. The author was focusing on enterprise IT organizations protecting corporate networks and devices.

But the successful evasion of software defenses that malware authors are enjoying in the enterprise is even more troubling when we look at the Bring Your Own PC model of corporate computing. In this model company employees use their own PCs and laptops to access enterprise resources. Bring Your Own PC could also be called "Bring Your Own Malware." If million-dollar enterprise software budgets cannot keep the hackers away, how can we assume an employee-owned PC will be free of infection?


There are two eye-opening statistics in the InformationWeek article, derived from a Ponemon Institute survey of IT and IT security practitioners: nearly 80% of companies report that malware evades their antivirus systems, and almost half report that malware infections take longer than 30 days to remove. That's a long time for malware-infected computers to continue connecting to corporate networks and accessing sensitive data, and these are fully managed PCs controlled by corporate IT. The numbers must be much worse for employee-owned PCs. Last year Trend Micro reported the results of monitoring 100 million compromised IP addresses: half of the addresses showed signs of infection for over 300 days.


SafeCentral Enterprise delivers secure remote access even from machines that are compromised with malware. SafeCentral blocks the keylogging and other data-stealing techniques of malware, providing focused protection for web, VPN, remote desktop, hosted virtual desktop and other client sessions.

Wednesday, October 20, 2010

Protecting Corporate Data on the Edge

Information is money and modern criminals know how to get their hands on both. Enterprise IT professionals are severely challenged these days to keep corporate data both protected and available to authorized users at the same time.

Going to Sea in a Sieve
Greg Shipley called out security software vendors in this InformationWeek article, pointing out that: "...we've spent billions of dollars on security technologies, and we still can't curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize."

When it comes to endpoint PCs, I have to agree. The problem I see is that the Windows PC is too open and too programmable, with too many APIs and too many extensible applications like web browsers and productivity suites. This creates a rich environment for malware authors to infiltrate and take up permanent, or at least persistent, residence as a malicious ghost haunting the machine. From this position a malware operator can harvest sensitive data, including authentication credentials, customer records, employee data and other sensitive information.

IT teams have the strange mandate to deploy an extremely flexible operating system, but immediately take flexibility away from end users. This creates a tug of war between security and usability.

Benefits of Data Centralization
These facts are reversing the swing of the IT pendulum, which is now moving back toward centralization. Cloud-based apps, which keep data at rest in the data center, are helping to limit the physical spread of data and keep it under tight control behind many layers of physical and network protection. Hosted Virtual Desktops like Citrix XenDesktop do the same thing for entire virtual machines, allowing IT to build, deploy and maintain virtual PCs inside the data center and then deliver them over the Internet to thin client applications like the Citrix Receiver.

Don't Forget the Endpoint
Centralization is good for data, but not for people. The workforce has become more distributed, working from home or the road or a branch office. The point is that data can be stored centrally in the data center but it must be used out on the edge of the network; that's where the users are. In most cases, "the edge" still means a Windows PC or laptop (I exclude call centers from "the edge").

The information security benefits of data centralization are lost when unmanaged or semi-managed endpoint PCs connect to the data center. All the risks that Greg Shipley called out then come into play:

"Walking into the CEO's office and saying that the products you've spent a small fortune on are effective only at stopping novices and for checking off compliance forms? That takes more intestinal fortitude than most can muster."

Centralized Data with Secure Remote Access
I think the pendulum is swinging to a safer place. Centralizing data and functionality, along with endpoint lockdown and secure remote access, creates a formula that works. Network Access Control (NAC) was an attempt to ensure that only properly secured endpoint computers could connect to a corporate network. But NAC relies on the same imperfect antivirus and firewalls that Greg Shipley called out as ineffective.

Here at SafeCentral we are addressing the risks to data in use on remote endpoints differently. We do not protect the endpoint; we protect the data while it is in use. We provide a Secure Desktop that protects against keyloggers, screen-scrapers, DNS redirection, code injection and other threats. From the Secure Desktop the user launches their VPN client and logs in, with full anti-keylogger protection for their username and password. Once connected to the VPN and while on the Secure Desktop, the user can only run applications white-listed by the IT administrator. "Thin client applications" like Citrix or Microsoft Remote Desktop are perfect fits for the SafeCentral Secure Desktop (see my earlier posting: Patented Data Loss Protection). Users can switch back and forth between the locked-down Secure Desktop and their normal Windows desktop, multi-tasking throughout the day. This gives them the benefit of extreme lock-down while accessing corporate data, with the option to switch out to the more open environment of the standard Windows desktop when they want. The data on the Secure Desktop remain protected.


Examples of White-listed Clients on the SafeCentral Secure Desktop:
  • Cisco AnyConnect VPN
  • Juniper Netconnect VPN
  • Juniper Citrix Services secure proxy
  • F5 Firepass VPN
  • Citrix XenDesktop or XenApp
  • VMware View 4.5 Client
  • Microsoft Remote Desktop Client
  • SafeCentral SafeBrowser (a locked-down web browser)
  • Attachmate
  • more on the way...

If you are interested in hearing more, please drop me a line at rdickenson/at/safecentral/dot/com or post a comment here.