Wednesday, October 20, 2010

Protecting Corporate Data on the Edge

Information is money and modern criminals know how to get their hands on both. Enterprise IT professionals are severely challenged these days to keep corporate data both protected and available to authorized users at the same time.

Going to Sea in a Sieve
Greg Shipley called out security software vendors in this InformationWeek article, pointing out that: "...we've spent billions of dollars on security technologies, and we still can't curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize."

When it comes to endpoint PCs I have to agree. The problem I see is that the Windows PC is too open, too programmable, with too many APIs and too many extensible applications like web browsers and productivity suites. This creates a rich environment for malware authors to infiltrate and take up permanent, or at least persistent, residence as a malicious ghost haunting the machine. From this position a malware operator can harvest sensitive data, including authentication credentials, customer records, employee data and other sensitive information.

IT teams have the strange mandate to deploy an extremely flexible operating system, but immediately take flexibility away from end users. This creates a tug of war between security and usability.

Benefits of Data Centralization
These facts are prompting the IT pendulum to swing back toward centralization. Cloud-based apps, which keep data-at-rest in the data center, help limit the physical spread of data and keep it under tight control behind many layers of physical and network protection. Hosted Virtual Desktops like Citrix XenDesktop do the same thing for entire virtual machines, allowing IT to build, deploy and maintain virtual PCs inside the data center and then deliver them over the Internet to thin client applications like the Citrix Receiver.

Don't Forget the Endpoint
Centralization is good for data, but not for people. The workforce has become more distributed, working from home or the road or a branch office. The point is that data can be stored centrally in the data center but it must be used out on the edge of the network; that's where the users are. In most cases, "the edge" still means a Windows PC or laptop (I exclude call centers from "the edge").

The information security benefits of data centralization are lost when unmanaged or semi-managed endpoint PCs connect to the data center. All the risks that Greg Shipley called out then come into play:

"Walking into the CEO's office and saying that the products you've spent a small fortune on are effective only at stopping novices and for checking off compliance forms? That takes more intestinal fortitude than most can muster."


Centralized Data with Secure Remote Access
I think the pendulum is swinging to a safer place. Centralizing data and functionality, along with endpoint lockdown and secure remote access, creates a formula that works. Network Access Control (NAC) was an attempt to ensure that only properly secured endpoint computers could connect to a corporate network. But NAC relies on the same imperfect antivirus and firewalls that Greg Shipley called out as ineffective.

Here at SafeCentral we are addressing the risks to data in use on remote endpoints differently. We do not protect the endpoint, we protect the data, while it is in use. We provide a Secure Desktop that protects against keyloggers, screen-scrapers, DNS redirection, code injection and other threats. From the Secure Desktop the user launches their VPN client and logs in, with full anti-keylogger protection for their username and password. Once connected to the VPN and while on the Secure Desktop, the user can only run applications white-listed by the IT administrator. "Thin client applications" like Citrix or Microsoft Remote Desktop are perfect fits for the SafeCentral Secure Desktop (see my earlier posting: Patented Data Loss Protection). Users can switch back and forth between the locked-down Secure Desktop and their normal Windows desktop, multi-tasking throughout the day. This gives them the benefit of extreme lock-down while accessing corporate data, with the option to switch out to the more open environment of the standard Windows desktop when they want. The data on the Secure Desktop remain protected.
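The "only run applications white-listed by the IT administrator" rule above is the heart of a locked-down desktop, and the detail that matters is what the list is keyed on. The following is an added example, not SafeCentral's code: it shows the decision logic for an allowlist whose entries pin each executable path to a SHA-256 hash of the approved build, so that a binary dropped at an allowed path with different contents is refused, and a path spelled differently (case, slashes, "..") still resolves to the same entry. The executable paths and file contents are constructed stand-ins, not real products or hashes.

```python
"""Allowlist decision logic of the kind a locked-down desktop enforces.

Added example, not SafeCentral's code. The real enforcement point (a kernel
driver, policy engine or similar) is out of scope; this is only the decision.
"""
import hashlib
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def normalize_path(path: str) -> str:
    # Windows paths are case-insensitive and accept either slash; collapse
    # "..", "." and casing so one file cannot evade the list under a second
    # spelling of its own location.
    return ntpath.normcase(ntpath.normpath(path))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(entries):
    """entries: iterable of (path, approved_file_bytes) chosen by the administrator."""
    return {normalize_path(p): sha256_hex(b) for p, b in entries}


def check_launch(allowlist, path: str, file_bytes: bytes) -> Decision:
    """Allow only if the path is listed AND the bytes match the approved build."""
    key = normalize_path(path)
    expected = allowlist.get(key)
    if expected is None:
        return Decision(False, f"not on allowlist: {key}")
    if sha256_hex(file_bytes) != expected:
        return Decision(False, f"hash mismatch for {key}: binary differs from approved build")
    return Decision(True, f"allowed: {key}")


# Constructed sample "binaries": stand-ins for the approved client executables.
VPN_CLIENT = b"constructed bytes standing in for the approved VPN client"
RDP_CLIENT = b"constructed bytes standing in for the approved RDP client"

# Hypothetical install paths; the administrator would supply the real ones.
ALLOWLIST = build_allowlist([
    (r"C:\Program Files\VPN\vpnclient.exe", VPN_CLIENT),
    (r"C:\Windows\System32\mstsc.exe", RDP_CLIENT),
])


def demo():
    """Run four launch attempts through the check and return the decisions."""
    cases = [
        (r"C:\Program Files\VPN\vpnclient.exe", VPN_CLIENT),           # approved as listed
        (r"c:/PROGRAM FILES/VPN/../VPN/vpnclient.exe", VPN_CLIENT),   # same file, different spelling
        (r"C:\Windows\System32\mstsc.exe", b"tampered"),              # approved path, unapproved bytes
        (r"C:\Users\Public\game.exe", b"unlisted"),                   # not on the list at all
    ]
    return [check_launch(ALLOWLIST, p, b) for p, b in cases]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

Keying the list on path alone would let any replacement binary at an approved location run; pinning the hash closes that gap, at the cost of having to update the list whenever an approved client is patched.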

Examples of White-listed Clients on the SafeCentral Secure Desktop:
  • Cisco AnyConnect VPN
  • Juniper Netconnect VPN
  • Juniper Citrix Services secure proxy
  • F5 FirePass VPN
  • Citrix XenDesktop or XenApp
  • VMware View 4.5 Client
  • Microsoft Remote Desktop Client
  • SafeCentral SafeBrowser (a locked-down web browser)
  • Attachmate
  • more on the way...



If you are interested in hearing more, please drop me a line at rdickenson/at/safecentral/dot/com or post a comment here.
