This article explores the basis of trust in endpoint security architectures along with the integration of assurance factors and how to better reinforce positive user behavior.
By Kurt Roemer and Christian Reilly
Like it or not, today’s enterprise security landscape is heavily endpoint and user-dependent. The actions and inactions of users, coupled with unmanaged networks and questionable device states combines to make endpoint security a frustration of trust. In this article, we provide options to prescribe, enforce and validate levels of endpoint security appropriate to situational risks.
In our introductory article on Perfectionism, we committed to discuss more details around protecting sensitive data from being displayed, controlling corporate email and thwarting screen scrapers and keystroke loggers. In this second article in our series, we’ll also explore the basis of trust in endpoint security architectures along with the integration of assurance factors and how to better reinforce positive user behavior.
Because data is entered, displayed and often stored on a variety of managed and unmanaged devices, endpoint security is a major concern for IT organizations - many of whom are dealing with the diversity of enterprise managed endpoints, as well as unmanaged BYO, contractor and non–employee devices.
And remember – this isn’t just about the devices – security is affected by every aspect and at every layer of the endpoint including the OS, applications, networks, services, associated configurations and patch levels that combine to portray a level of trust.
The lowest grade of trust is the home PC shared by the family that has not been updated or patched in years. Of course, there’s no antivirus or firewall configured and it’s also often running questionable file sharing services (and maybe unknowingly hosting a botnet or two). The users of this system are constantly dealing with compromised email and social media accounts.
The highest grade of involves carefully configured and maintained high-assurance systems further protected by “guards, guns, dogs and concrete.” Systems, memory and disks never leave the facility and are destroyed by incineration when no longer in use. Faraday cages and soundproofing further complement physical security measures. Underground bunkers are among the most likely where these devices reside. The stuff of governments and movies, for sure, but serious secrets demand serious security measures.
To thwart malware, including keystroke loggers and screen scrapers, organizations may consider the following:
While screen scrapers are top-of-mind for maliciously capturing sensitive data off of displays, there are many ways for determined people to steal data. Being able to record what's on the screen involves malware, screen recording utilities, the ability to take screen capture images on mobile devices, <Alt> <PrtScr> on Windows systems, pictures and video from cameras - as well as even putting an iPad on the office photocopier!
Methods to steal data are often innovative - and the goal for protecting enterprise data is to stay ahead of this innovation, using protective measures that are commensurate with risks against sensitive data.
Whether you're primarily concerned with bulk exfiltration of data, or the malicious capture of data on individual screens, the following scenario highlights options that range from minimally invasive and simple to visibly strong and constant reminders.
Consider an example where a home-based call center contractor named Jane is working with a healthcare concierge plan member who is also a high-value card member. Because of data sensitivity, the call center applications are virtualized and accessed remotely, which keeps actual data off the endpoint. Data sensitivity also begs that private or personally identifiable information (PII) such as cardholder information, national ID's, US Social Security Numbers and medical diagnosis information is redacted or tokenized - preventing it's display on the call center screen along with the rest of the customer information.
In this example, let's say Jane really does need to see sensitive information to assist the customer - full cardholder data, in this case. Jane doesn't normally have access to cardholder information, but if she legitimately needs to have access she can apply for an exception by clicking on the redacted field. After clicking an acknowledgement that she assumes all risk for improper use of data, a note automatically goes to her manager via SMS with the details of the requested access exception - saying here's who she's working with and why she needs an exception, with a verbal approval from the customer to specific questions required to enable the exception process. Jane's manager simply clicks "Yes" to approve the exception and it’s added to the approval and audit process.
With the exception approved, Jane types in the one-time approval code and is reminded that everything that she's doing is going to be recorded and logged - and tied specifically to her.
Immediately, Jane receives a notice that her screen is being recorded for audit purposes, her webcam is turned on and remains on for the rest of the session. She is told she has to keep her eyes within the purview the webcam at all points in time or the screen will blank and the session will end. The session will also be terminated if any lenses (outside of pre-authorized prescription glasses) are detected by the analysis software behind the webcam.
Jane must further authenticate and verify her identity by swiping her finger on the reader for biometric identification, verifying that her smartcard employee badge with personal certificate remains in the reader, and her picture is dynamically compared with registered notary-signed images on file. Digital watermarks tied to Jane are placed on all generated documents, messages, on video files and on logs. An audit review is scheduled on her calendar with internal audit for required post exception analysis.
Thanks to the exception, Jane is able to satisfy the customer request, has a very happy customer and returns to normal operating mode. Can Jane still steal this customer's exposed data? Yes, of course. Will she think twice about it - with her name and everything associated with her attached to this exceptional event? Certainly, yes.
Additional endpoint security measures to consider include Citrix Ready solutions for remote attestation, device fingerprinting, keystroke dynamics and user behavioral heuristics. Ultimately, if the data is too sensitive to be displayed on the endpoint in a particular situation - don't display it. Use tokenization, redaction, watermarking and contextual policy to only allow apps to run and data to be displayed in appropriately secured situations. Contextual policy must consider all of the “5W's of Access” (who, what, when, where and why) in high-assurance situations, requiring strong validation of each factor.
It’s important to understand that we are not recommending implementing the highest level of security for all data and all situations - for the best user experience, it's best to only enable the highest levels of security when dealing with the highest levels of risk. The following questions will help determine those situations:
A primary goal for security is to reduce the dependency on endpoint security over time by increasing protective measures and providing clear visibility of endpoint trust. As endpoints become more diverse through mobility and the Internet of Things (IoT), additional measures will need to be activated to reduce the risks that threaten sensitive data.
Endpoint security policies must consider everyone initially as untrusted outsiders, verify situational risks and require that trust is established – not assumed. By dynamically assigning and verifying the level of trust in endpoints and automating access to apps and data, end-users and enterprises can be appropriately protected across the increasing diversity of enterprise endpoints.
Stay tuned for the next articles in our series where we will address security considerations for clouds and cloud services followed by an article on identity.
Chief Security Strategist
VP Chief Technology Officer Workspace Services