Understanding Security Options at the Endpoint

This article explores the basis of trust in endpoint security architectures along with the integration of assurance factors and how to better reinforce positive user behavior.

By Kurt Roemer and Christian Reilly

Like it or not, today’s enterprise security landscape is heavily endpoint and user-dependent. The actions and inactions of users, coupled with unmanaged networks and questionable device states combines to make endpoint security a frustration of trust. In this article, we provide options to prescribe, enforce and validate levels of endpoint security appropriate to situational risks.

In our introductory article on Perfectionism, we committed to discuss more details around protecting sensitive data from being displayed, controlling corporate email and thwarting screen scrapers and keystroke loggers. In this second article in our series, we’ll also explore the basis of trust in endpoint security architectures along with the integration of assurance factors and how to better reinforce positive user behavior. 

Grades of devices and situations

Because data is entered, displayed and often stored on a variety of managed and unmanaged devices, endpoint security is a major concern for IT organizations - many of whom are dealing with the diversity of enterprise managed endpoints, as well as unmanaged BYO, contractor and non–employee devices.

And remember – this isn’t just about the devices – security is affected by every aspect and at every layer of the endpoint including the OS, applications, networks, services, associated configurations and patch levels that combine to portray a level of trust.

The lowest grade of trust is the home PC shared by the family that has not been updated or patched in years. Of course, there’s no antivirus or firewall configured and it’s also often running questionable file sharing services (and maybe unknowingly hosting a botnet or two). The users of this system are constantly dealing with compromised email and social media accounts.

The highest grade of involves carefully configured and maintained high-assurance systems further protected by “guards, guns, dogs and concrete.” Systems, memory and disks never leave the facility and are destroyed by incineration when no longer in use. Faraday cages and soundproofing further complement physical security measures. Underground bunkers are among the most likely where these devices reside. The stuff of governments and movies, for sure, but serious secrets demand serious security measures.

To thwart malware, including keystroke loggers and screen scrapers, organizations may consider the following:

  • Use endpoint analysis (EPA) scans to verify that a supported OS is patched to recommended or required levels. Blacklist non-supported versions and versions known to be vulnerable.
  • EPA scans must also verify that a supported anti-malware suite is installed, configured and updated with recent signatures. Verify that personal firewall software is installed, active and configured to enterprise standards.
  • On mobile devices, scan for and deny jailbroken and rooted systems from enterprise access.
  • Further protect mobile devices by verifying secure boot status, checking that the Android OS is in SE Linux Enforcing mode and that anti-malware is properly operating on those systems that require it.
  • Use Citrix XenApp application virtualization and remoting to keep sensitive data off of endpoints and configure policies for virtual channels to deny printing, file transfers, microphone usage and the clipboard when not required. Utilize one-way clipboard controls to further restrict user actions. Utilize Citrix NetScaler Smart Control to enforce virtual channel and clipboard behavior at the network level to mitigate against misconfigured applications.
  • Utilize thin clients, zero clients and Chromebooks to minimize the endpoint footprint and simplify upgrades, patching and validation.
  • For mobile, utilize enterprise owned and managed devices protected by Citrix XenMobile MDM (Mobile Device Management) when platform, root of trust and TPM (Trusted Platform Module) ownership are required.
  • Restrict email access via application virtualization and/or mobile email application containerization via MAM (Mobile Application Management) using Citrix XenMobile. Disallow the use of native mobile email unless the device is protected by MDM. Further compliment email server security with strong server-side policy and the integration of DLP (Data Leakage Prevention).
  • Require two-step or multi-factor authentication (MFA) to mitigate credential harvesting.

Spotlight on Stealing Data

While screen scrapers are top-of-mind for maliciously capturing sensitive data off of displays, there are many ways for determined people to steal data. Being able to record what's on the screen involves malware, screen recording utilities, the ability to take screen capture images on mobile devices, <Alt> <PrtScr> on Windows systems, pictures and video from cameras - as well as even putting an iPad on the office photocopier!

Methods to steal data are often innovative - and the goal for protecting enterprise data is to stay ahead of this innovation, using protective measures that are commensurate with risks against sensitive data.

Whether you're primarily concerned with bulk exfiltration of data, or the malicious capture of data on individual screens, the following scenario highlights options that range from minimally invasive and simple to visibly strong and constant reminders.

Scenario: Sensitive data and the home-based call center employee

Consider an example where a home-based call center contractor named Jane is working with a healthcare concierge plan member who is also a high-value card member. Because of data sensitivity, the call center applications are virtualized and accessed remotely, which keeps actual data off the endpoint. Data sensitivity also begs that private or personally identifiable information (PII) such as cardholder information, national ID's, US Social Security Numbers and medical diagnosis information is redacted or tokenized - preventing it's display on the call center screen along with the rest of the customer information.

In this example, let's say Jane really does need to see sensitive information to assist the customer - full cardholder data, in this case. Jane doesn't normally have access to cardholder information, but if she legitimately needs to have access she can apply for an exception by clicking on the redacted field. After clicking an acknowledgement that she assumes all risk for improper use of data, a note automatically goes to her manager via SMS with the details of the requested access exception - saying here's who she's working with and why she needs an exception, with a verbal approval from the customer to specific questions required to enable the exception process. Jane's manager simply clicks "Yes" to approve the exception and it’s added to the approval and audit process.

With the exception approved, Jane types in the one-time approval code and is reminded that everything that she's doing is going to be recorded and logged - and tied specifically to her.

Immediately, Jane receives a notice that her screen is being recorded for audit purposes, her webcam is turned on and remains on for the rest of the session. She is told she has to keep her eyes within the purview the webcam at all points in time or the screen will blank and the session will end. The session will also be terminated if any lenses (outside of pre-authorized prescription glasses) are detected by the analysis software behind the webcam.

Jane must further authenticate and verify her identity by swiping her finger on the reader for biometric identification, verifying that her smartcard employee badge with personal certificate remains in the reader, and her picture is dynamically compared with registered notary-signed images on file. Digital watermarks tied to Jane are placed on all generated documents, messages, on video files and on logs. An audit review is scheduled on her calendar with internal audit for required post exception analysis.

Thanks to the exception, Jane is able to satisfy the customer request, has a very happy customer and returns to normal operating mode. Can Jane still steal this customer's exposed data? Yes, of course. Will she think twice about it - with her name and everything associated with her attached to this exceptional event? Certainly, yes.

Match Security Measures with the Level of Risk

Additional endpoint security measures to consider include Citrix Ready solutions for remote attestation, device fingerprinting, keystroke dynamics and user behavioral heuristics. Ultimately, if the data is too sensitive to be displayed on the endpoint in a particular situation - don't display it. Use tokenization, redaction, watermarking and contextual policy to only allow apps to run and data to be displayed in appropriately secured situations. Contextual policy must consider all of the “5W's of Access” (who, what, when, where and why) in high-assurance situations, requiring strong validation of each factor.

It’s important to understand that we are not recommending implementing the highest level of security for all data and all situations - for the best user experience, it's best to only enable the highest levels of security when dealing with the highest levels of risk. The following questions will help determine those situations:

  • Do you have some applications that are too sensitive to use outside the office or require heavily controlled physical locations?
  • What data must be accessible but never exposed on the device for International travelers?
  • Which non-employees are working with the enterprise's most sensitive data? Consider contractors in human resources, legal, M&A, as well as developers and auditors.
  • How do I know the situation is appropriately secure? As a user? As an administrator? Policy must continuously be tuned to reflect new use cases and work situations.

A primary goal for security is to reduce the dependency on endpoint security over time by increasing protective measures and providing clear visibility of endpoint trust. As endpoints become more diverse through mobility and the Internet of Things (IoT), additional measures will need to be activated to reduce the risks that threaten sensitive data.

Endpoint security policies must consider everyone initially as untrusted outsiders, verify situational risks and require that trust is established – not assumed. By dynamically assigning and verifying the level of trust in endpoints and automating access to apps and data, end-users and enterprises can be appropriately protected across the increasing diversity of enterprise endpoints.

Stay tuned for the next articles in our series where we will address security considerations for clouds and cloud services followed by an article on identity.

Kurt Roemer
Chief Security Strategist

Christian Reilly
VP Chief Technology Officer Workspace Services