Analysts contributing to this blog post: Dan Blum, Eric Maiwald, and Phil Schacter
A recent TechTarget article prompted a discussion within the Burton Group security analyst team that we wanted to share with our blog readers. The discussion centers on the notion that network perimeters are losing their effectiveness as a primary enterprise defense mechanism, and that this trend focuses more attention on securing the desktops and mobile devices that access protected IT assets.
Eric responded to the article with this statement:
The shifting of focus to the desktop security defense runs counter to the “consumerization of IT” trend that includes a strategy of allowing employees to bring their own computer to work. If we don't own the end point device, how do we enforce software/application/configuration controls on them? If we don't own the end point, I think that virtual desktop infrastructure (VDI) and information-based controls will have to be used and the perimeter shrinks even more (down to the data).
Continuing the thread and adding his experiences to the discussion, Dan added:
I wrote about the perimeter shrinking down to data 9 years ago in the first version of Burton Group’s “Securing the Virtual Enterprise” report. Then it was prognosticating on one possible and somewhat distant future -- now it is just incredibly hard. The recent partnership between Microsoft and EMC/RSA is one of the first inroads into making this practical on a large scale. EMC/RSA will provide the data discovery and policy management; Microsoft will provide the policy enforcement point - just enterprise DRM at this point. Many more PEPs and actions are needed, and they've skirted around interoperability by not working the standards angle on a policy language (when I asked them about policy language and classification metadata standards, they fell back on the self-serving and debatable proposition that the security market is consolidating).
On a related subject, I had an interesting discussion with one of Burton Group’s customers yesterday. This customer is among the vanguard on expanding the scope of unified endpoint security. Whereas I forecast a unified endpoint anti-malware suite in 2006, I underestimated the speed at which unified endpoint protection would come to embody not only comprehensive anti-malware and NAC but also device control, drive encryption, and DLP. These are the requirements that will be in this customer’s forthcoming RFP. One of the key features on this customer’s wish list is a single management console that integrates all of the endpoint’s defense mechanisms. The customer recognizes that current integration is spotty and functionality is immature, but wants to put the RFP out there, see how far they can push the envelope, see how the vendors stack up, and what tradeoffs they should make.
I pointed out that tradeoffs - such as do you pick McAfee for its endpoint DLP integration or Symantec for its dis-integrated but market leading Vontu DLP - would be best informed by a security architecture and migration strategy that put some stakes in the ground.
I also pointed out there are some limitations - even with all the heavy desktop security there will still be leaks; for example, Cisco's endpoint DLP searches for strings like credit cards but a malicious advisor will soon learn to hide the telltales once he understands DLP is resident. The customer is planning a very heavy dose of endpoint protection that will be low surety and expensive to maintain, whereas a locked down desktop plus VPN backhaul will buy you more protection than all the third party add-ons in the world.
The customer agreed, and said they could lockdown and backhaul the corporate desktop, but that half of their desktops belong to "independent contractors." These contractors own their desktop, have admin rights, and are only contractually required to put the customer’s endpoint security software on the desktop. They can't lockdown or backhaul these desktops; network protections won't cover them on the road.
I noted they might benefit from an information-centric security strategy, which should include corralling the data in centrally controlled repositories through the use of terminal services and applications that handle it remotely. Then the DLP, device control, and encryption mechanisms become less critical although protection against keyloggers and screen capture is still important.
What if the user is offline? the customer countered. I pointed out that for a three year architecture plan it may now be more reasonable to assume users are almost-always-connected. Did you see the commercial where AT&T "found the Internet" in the Himalayas (land of the abominable snowman)?
The customer agreed that users might be almost-always-connected, but pointed out that their independent advisors own their contact lists and if they want to have them on their endpoints then this is permitted within their contract. Since salesmen cling to their contact lists like NRA diehards to their guns, they aren't likely to give up control over this data. All that the customer can do is try to restrict them to only their own data and help them not do anything stupid with it.
We didn't actually get to discussing VDI, which you mentioned. Sometimes I've brought that up on other calls, but only to say that I'm not yet sure it's ready for prime time - the surety, compatibility, reliability, and performance of the user experience are uncertain, but what is certain is the requirement for lots of expensive servers and storage back in the data center, where organizations must still maintain a real perimeter.
Bottom line - perimeter around the data is low surety, high cost and fraught with problems. The customer should be able to apply a calibrated set of information-centric, locked down desktop, network, heavy endpoint security controls so as to optimize the defense in depth that's necessary for different situations and make a more informed procurement tradeoff.
And at that point the discussion ended with Dan getting in the last word, although I’m sure that the team will continue to delve into the issues raised in our research and writing in the coming months and years.
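Dan's point about endpoint DLP keying on telltales such as credit card strings is easy to make concrete. The example below is added here by the editor; it is not code from Burton Group, Cisco, McAfee, Symantec or any product named in the post. It implements the kind of pattern-plus-Luhn check a content-inspection agent typically uses for card numbers, and then runs it over constructed sample text (the well-known 4111... test number, not a real account) to show both the detection and the trivial reformatting an insider can use once he knows what the agent looks for. The regex, separator set and length bounds are the editor's assumptions about a generic detector, not any vendor's actual rules.

```python
import re

# Generic "looks like a card number" pattern: 13-19 digits, optionally separated
# by single spaces or hyphens, not embedded in a longer digit run.
# (Editor's assumption of a typical detector; not any product's real rule.)
CARD_RE = re.compile(r'(?<!\d)(?:\d[ -]?){13,19}(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return normalized card numbers found by the pattern + Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed samples (editor's test data). 4111111111111111 is a published
# test number; the variants show what the detector does and does not catch.
SAMPLES = {
    "plain":      "Card 4111111111111111 exp 12/29",
    "hyphenated": "Card 4111-1111-1111-1111 exp 12/29",
    "bad_luhn":   "Card 4111 1111 1111 1112 exp 12/29",   # typo / random digits
    "dotted":     "Card 4111.1111.1111.1111 exp 12/29",   # separator outside [ -]
    "spelled":    "Card four111 1111 1111 1111 exp 12/29", # leading digit spelled out
}


def scan_samples() -> dict[str, list[str]]:
    """Run the detector over each sample; keys with [] are leaks it would miss."""
    return {name: find_cards(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:10s} -> {hits or 'no match'}")
```

The plain and hyphenated forms are caught and the Luhn failure is correctly ignored, which is what the agent is designed to do. The dotted and spelled-out forms carry the same number but produce no match, because the detector's notion of a "telltale" is a fixed separator set and digit shape. An advisor who has once seen the agent block a paste learns this in minutes; closing the gap means normalizing far more aggressively (or matching on context rather than format), which raises false positives and maintenance cost, exactly the low-surety, high-maintenance trade Dan describes.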