How IT teams can set up effective endpoint security programs to adapt to employees using their own devices for work.
Bring your own device (BYOD) programs are on the rise at enterprise organizations, creating new management challenges concerning the use of mobile devices.
Employees often purchase devices with capabilities that outpace what enterprise networks are equipped to handle. As a result, IT departments face unpredictable risks including viruses, pirated media and a mix of technologies with interoperability problems.
Organizations lag behind because they struggle to find the right balance between network security and flexible employee policies. That’s where endpoint security enters the picture.
Endpoint security defined
Endpoint security requires each user device to conform to pre-defined standards before it can connect to a company’s network. These standards give IT teams the ability to enforce security controls and corporate data policies for every smartphone, laptop or tablet employees bring to work.
“Endpoint security is a rapidly evolving term,” said Daren Glenister, chief technical officer at Intralinks, a software-as-a-service company that helps organizations collaborate securely within regulatory requirements in the health care, finance and legal industries.
“It used to entail securing everything behind the firewall, and then it morphed to every device that connects to an organization, such as laptops, mobile devices, etc. Today, I believe that endpoint security is the protection of every mission-critical asset within a company’s control.”
Examples of endpoint security include malware protection and anti-virus software.
“It is solely about a specific device having protection,” said Eric Jeffery, founder of IT consulting firm Gungon Consulting.
An endpoint security program begins with an organization defining the security and data standards it needs to enforce, and then identifying the software it needs to get the job done.
In the process, “It’s important to look at mobile content, content shared with business partners, and cloud-based data,” Glenister said.
Defining people processes
IT leaders will often take a systems-first approach to defining a mobile-device management strategy. Software alone, however, is insufficient for addressing common challenges that affect team members on a day-to-day basis.
“Users are trained by consumer markets to expect choice and flexibility when it comes to technology to get their jobs done,” said Terry Cutler, co-founder of the IT firm Digital Locksmiths.
Organizations must invest in training programs that teach IT team members how to prioritize security and balance risks. And the IT team must set up procedures for employee education, policy creation and enforcement.
“Sadly, that’s unique,” Gungon’s Jeffery said. “I’ve never seen a company have a policy and stick with it.”
The challenge is that employees want to retain control of their devices.
“When employees at my last two companies saw an alert on their phone that IT could wipe their devices, they rebelled,” Jeffery said. “It dragged down morale. Employees believe they have a right to use their device on the company network and that the company has no rights or obligations in return.”
Therefore, organizations must view security as a partnership with their employees. Education, awareness and vigilance are crucial to this process.
A layered approach
Glenister said he encourages IT leaders to implement a three-layered endpoint security strategy: mobile device management, mobile application management and mobile content management.
“As criminals get smarter, organizations need to adapt also,” Glenister said. “IT leaders must approach security from multiple angles.”
Organizations need to have the ability to “unshare” and revoke access to any file, regardless of where it resides, Glenister said. The technology that supports this functionality is called “embedded encryption,” which allows IT teams to retain control of files.
“Even if data leaves the control of an organization, the embedded encryption does not allow for that data to be lost from the organization,” he said.
User experience is the fourth and most important layer for endpoint security. Companies will need to make sure that team members have enough flexibility to complete their core responsibilities.
“The data has to be secure and be available for collaboration,” Glenister said, “no matter where it goes and with whom it resides.”
Tech Page One, Sep 11 2014
I’m a government cleared cybersecurity expert (a Certified Ethical Hacker), and the Vice-President of Cyber at SIRCO, an investigations and protections firm in Montréal, Canada.
I’m also a frequent contributor to National & Global media reportage about cyber-crime, spying, security failures, internet scams, and the real social network dangers that families and individuals face every day.