    The Alternative to Endpoint Security Software Sprawl

    RationalSecurity comments on Endpoint Security:

    However, we’ve also come to realize that the locus of the threats
    and vulnerabilities demands that we get as close to the assets and data
    we seek to protect, so now in an ironic twist, the industry has turned
    to instead sprinkle software-based agents directly on the machines instead.

    After all, the endpoint is the closest thing to the data, so the more
    endpoint control the better, right?

    What we’ve done now is transferred the management of a few gateways to that of potentially thousands of endpoints.

    Based on an informal survey of security practitioners, the diagram I
    whipped up above demonstrates various end-point agents that reside on a
    typical enterprise client and/or server. It’s absurdly obscene:

    • Software Management/Helpdesk Remote Control
    • Patch Management (OS)
    • Asset Management (Inventory)
    • Firewall
    • VPN
    • Anti-Virus
    • Anti-Spyware
    • Anti-Spam
    • Browser Security Plug-ins
    • Encryption (Disk/eMail)
    • 802.1x Supplicants
    • NAC Agents
    • DLP
    • Single Sign-On
    • Forensic Agents
    • Device Control (USB, CD, etc…)

    You generally have to manage each of those pieces of software independently.

    I have spent a non-trivial part of this year working on an Endpoint Security project for my employer demanded by our auditors. While the project has come along nicely (meeting its goals), I really don’t believe in that kind of an approach anymore.

    There are too many holes, too many ways for data to leak out, too many sysadmin issues.

    I think corporations should replace their desktop workstation architecture with hardware that is locked down, running minimal thin-client-ish software that connects to desktop-providing terminal servers (like what Citrix offers) with strong authentication of the user. The servers can be locked down and controlled centrally. The users must have no rights (enforced by technology, not words) to install software or add hardware.
