
Securing endpoints beyond the network boundary

30 September, 2013
As network boundaries become less clear, the IT security industry is exploring new techniques to secure endpoints beyond the firewall

By Jonathan Newell

The pace of change has always been rapid in information technology with IT security changing at a rate that's determined by the arms race between the cyber warriors and their legion of quick-thinking adversaries. In such an environment, the concept of legacy covers shorter periods of time than in other industries and the latest advances in network protection could mean that many organisations are protecting their networks with recently acquired legacy appliances.

To understand this requirement to constantly move with the times, ProSecurityZone spoke to Scott Gordon and Tami Casey of ForeScout, a network security company founded in 2000. Despite its youth, the company quickly established its area of expertise in Intrusion Prevention Systems (IPS) and provided the market with systems for keeping the network secure. By 2004, IPS wasn't enough: the technology needed to evolve into the realm of device authentication, and NAC (Network Access Control) was born.

Although NAC still has relevance today, the world has moved on significantly since 2004, particularly in terms of the consumerisation of business IT systems. Workers are encouraged to stay connected wherever they are and most like to do so within the familiar environment of their own hardware, particularly smartphones and tablet computers which have become the latest network endpoints lying beyond the firewall. The age of BYOD (Bring Your Own Device) was born and with it came a sackload of problems for the IT security professional.

Having device authentication in place through the use of NAC ensures that the user on the device is recognised and authorised to access the network but doesn't address the security of the device itself. To overcome this, the security technology has now moved on to EVAS (Endpoint Visibility, Access and Security) which applies a more holistic model to securing mobile endpoints.

According to Scott, a little over 60% of companies currently ban BYOD with the remaining 40% allowing user-owned hardware onto their networks. However, as the advantages of BYOD are more widely realised, the number of organisations adopting less restrictive BYOD policies and reducing corporate control over mobile hardware will double in the next five years to nearly 80%. For these companies to maintain a secure environment, they need a more robust security posture.

EVAS technology is particularly useful when organisations don't know what endpoints are on their network. Attached devices are profiled to ensure they meet certain criteria regarding data loss prevention and encryption requirements, as well as identity and NAC credentials. Tami described this as going from access control to network control, since the technology is no longer just a perimeter defence but a core function of the network which operates both before and after access is granted.

The system also shares information with other essential security elements on the network including Mobile Device Management (MDM) and Security Information and Event Management (SIEM) systems.

As new threats are knocked on the head by technology improvements in security systems, there is the constant danger of over-complexity and introducing uncertainty into an already complex environment. ProSecurityZone asked Scott Gordon what ForeScout is doing to help IT security professionals manage this increased complexity.

According to Scott, the three main factors which define how complex or simple a deployment would be are interoperability, usability and the adoption of policies.

Good interoperability requires new technology, hardware and software to be able to use existing infrastructure to as great an extent as possible, without requiring forklift upgrades or massive reconfiguration. Being able to interface easily with other elements of the security system, such as SIEM systems and log managers, is important in keeping things simple.

ForeScout has addressed the usability issue with easy configuration using modular displays, built-in help facilities and the ready availability of support as required.

Policy is king, and without one any security system would fail from the outset. This is independent of whatever technology or architecture is used, and so the development of a policy on access control, BYOD usage, encryption and data protection is paramount. Translating this policy into commands and parameters for the security software to use should be straightforward. To achieve this, ForeScout has pre-set a number of common policy configurations based on different industries and regulations. These pro-forma policies can then be adapted and customised to meet individual organisational requirements, helping to speed up implementation.

Regulatory and compliance requirements are key issues in the kinds of markets where ForeScout predominantly operates including Healthcare, Energy, Education and Manufacturing. It's in these crucial industries that the word "legacy" doesn't fit well and where the move into extended network boundaries needs to be adequately protected.

For more information on EVAS, see this article

Written by Jonathan Newell. Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.
