At this point, it's safe to say your mobile endpoints (laptops, tablets, and smartphones) will venture outside the perimeter of your network. The concept of the disappearing perimeter is well established these days; however, little is said about securing endpoints once they are outside it.
How likely is this scenario? You have a user with a mobile device who wants to check Facebook, Gmail, or download/upload something to their cloud storage, and they cannot do so on the internal network. You've blocked those for good reason. So what do they do? They hop on your guest network or a mobile hotspot and do what they want to do outside the controls of your internal network. Outside the perimeter, you're no longer inspecting traffic, applying updates to your anti-malware solution, blocking known malware command and control (C2) servers, applying data loss prevention (DLP) policies to data in motion, etc. Without these controls, they visit a site and get hit with drive-by malware. The trojan then connects to its C2 server and pulls down key loggers, rootkits, etc. This user then hops back on your network. Your IPS/IDS may or may not catch it. Either way you lose: if it does catch the C2 traffic, you have a known infected machine on your network, the user has downtime, and money is spent reimaging the machine; if it doesn't block the connection attempts, there is a threat on your network you don't know about. Granted, you can force all internet access through a full-tunnel VPN, but I know of very few organizations that enforce this because of the restrictions it puts on end users.
So what can you do about it? With the power of cloud security solutions, you can now have a lot more visibility and control of your endpoints off the corporate network.
One of the more exciting cloud security products these days is the cloud proxy. You either push a PAC file or deploy an agent that enforces the PAC file so that all web traffic is routed through a cloud proxy. A PAC file on its own is just a browser setting that a user (or malware) can change, which is why most deployments pair it with an agent that enforces it. This cloud proxy can also replace your traditional hardware-based, on-site proxy. What this gives you is your typical network controls regardless of where the user may be (coffee shop, hotel, the office, a remote office, home). Most cloud proxy solutions allow you to block known C2 servers in real time, block websites via policy, apply data loss prevention to data in transit, intercept and inspect SSL/TLS traffic, export logs to your SIEM for correlation, import and export threat intelligence, plus run the gamut of useful reports and metrics you would want.
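To make the PAC file mechanism concrete, here is an added example (not from the original post or any vendor) of a minimal PAC script that sends internal names and RFC 1918 space direct and everything else to a pair of cloud proxy nodes. A PAC file is JavaScript that the browser evaluates, calling FindProxyForURL for every request; the browser also provides helper functions such as isPlainHostName, dnsDomainIs and isInNet. Those helpers are shimmed at the top so the script can be exercised stand-alone with Node.js. The proxy hostnames, port and internal domain are assumptions for illustration. Note the security choice at the end: the return string deliberately has no trailing "; DIRECT", so if the proxy is unreachable the browser fails closed instead of quietly bypassing inspection.

```javascript
// Added example PAC file plus test shims; not code from the original post.
// Hostnames, port and the .corp.example domain below are assumptions.

// --- Shims for helpers a browser normally supplies to a PAC script -------
function isPlainHostName(host) {
  // Unqualified intranet names like "intranet" have no dots.
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix.
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer, or null if not a valid IPv4.
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function isInNet(host, pattern, mask) {
  // Real browsers resolve hostnames here; this shim only handles literal
  // IPv4 addresses, which is enough to test the address-based rules.
  const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return (h & m) === (p & m);
}

// --- The PAC logic itself ----------------------------------------------
const CLOUD_PROXY =
  "PROXY proxy-a.example.invalid:8080; PROXY proxy-b.example.invalid:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback and unqualified intranet names never leave the machine/LAN.
  if (host === "localhost" || isPlainHostName(host) ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }

  // Internal domain and RFC 1918 space (reached over the VPN) stay off the
  // cloud proxy. Anything listed here is also a blind spot for inspection,
  // so keep this bypass list as short as you can.
  if (dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // Everything else (http, https via CONNECT, ftp) goes to the cloud proxy.
  // No trailing "; DIRECT": if both nodes are down, fail closed rather than
  // let the browser silently bypass C2 blocking and DLP.
  return CLOUD_PROXY;
}
```

Deployment note: the PAC is fetched by the browser (or pushed by the agent) and re-evaluated on every request, so the same file works whether the laptop is in the office or on hotel Wi-Fi; the agent is what stops a user from simply switching the browser back to "no proxy", and it also catches non-browser traffic that ignores PAC settings entirely.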
Another important piece of securing the endpoint is being able to manage your endpoint anti-malware/anti-virus/host DLP/application whitelisting solutions when the device is off network. Most solutions now offer relay agents that can sit in your DMZ to push the latest signatures, hashes and policies to off-network endpoints and receive their logs and status back.
For smartphones and tablets, all of these controls can be wrapped up in your mobile device management (MDM) solution as well.
The final piece is being able to manage group policies, installed applications, permissions, patching, essentially anything related to endpoints in your domain, while they are off network. While Microsoft's SCCM 2012 can manage internet-facing clients to a degree, there are more robust solutions available to help you manage devices off the enterprise network.
One last thing before wrapping up this post: these controls are built upon a solid foundation of doing the basics well, such as asset management, and on your other controls (host DLP, anti-malware, proper device configuration, encryption, MDM, etc.) actually being in place and effective. Without a solid foundation in your information security program, no amount of controls (a.k.a. money) will lower risk to an acceptable level.
With security services in the cloud finally becoming a reality, there are more robust ways to let your users work off network while staying secure, keeping visibility of your endpoints, and not backhauling all traffic through your VPN. Users end up more productive and happier, and you end up more secure.