Endpoint Security Compliance Strategies for the Enterprise
An Interview with Dennis Brouwer, CISSP, Co-founder & SVP of Marketing, ENDFORCE
Q1 - Endpoint Security Compliance
Dana: In 2004 endpoint security emerged as a critical concern for both vendors and enterprises that deal with extended enterprise networks, in large part driven by the growth in SSL VPNs. At the same time, attention has shifted rapidly from simple security measures like personal firewalls and anti-virus software to more “holistic” endpoint policies and solutions. Since ENDFORCE has emerged as a leader in endpoint security compliance software, I invite you to share your perspectives on the difficult challenges enterprises face as they devise their own endpoint security strategies.
Dennis: Dana, thanks for the opportunity to comment on endpoint security, particularly as it pertains to SSL VPNs, and the challenges of an increasingly dynamic workforce. What we’ve seen in the past year is that enterprises now realize the threat to their endpoints is much more diverse and multi-faceted than in the past, and so the defenses they deploy need to be more capable and better coordinated than ever before. Enterprises have clearly evaluated and deployed security measures in the past, but the combination of sophisticated threats - which must be countered in a holistic way - and endpoints not under their immediate control has raised the difficulty of endpoint security to a new level.
Q2 - Endpoint Security (EPS) Policy
Dana: Based on your experience working with medium and large size enterprises, how do you recommend an organization approach the task of developing its own remote access EPS compliance policy?
Dennis: From our perspective, enterprises of any size need to examine three primary issues as they decide on endpoint security policies and enforcement mechanisms. First, they need to assess the mobility of their users, and balance it against the need for access to information. As an example, groups of salespeople and executives may both be highly mobile, but have very different needs for information access. Second, they need to formally determine the role of security within their enterprise. Is the security function empowered to deploy automated enforcement systems to proactively assess and enforce policy, or is it limited to an advisory role, in which it is more likely to rely on the more traditional tactics of attempting to educate end users and encouraging them to accept the burden of compliance? Finally, they need to determine the extent to which they are willing to invest in changes to their network infrastructure to enable enforcement, since most approaches rely on a combination of endpoint agent technology for assessment and network integration for actual enforcement.
Q3 - Alternative EPS Compliance Strategies
Dana: Once one's security policy requirements are defined, I imagine an enterprise faces a number of strategic choices re: actual implementations. What are they?
Dennis: We have seen three primary compliance strategies emerge in the marketplace. The first is based on a server architecture. When a user attempts to log on to a network, the device is scanned for vulnerabilities. If the device “fails”, access is either denied or restricted, based on security policies. This approach works where the user or enterprise has administrative privileges on the remote device. The second approach is based on a server/applet architecture. Here a downloaded applet conducts the scan. The third alternative - which has been endorsed by most industry groups, including the Trusted Computing Group, Cisco’s Network Admission Control initiative, and Microsoft’s Network Access Protection - covers the broadest array of use cases. It is based on a server/agent architecture integrated with the network, in which the agent completes the assessment and policy is enforced in the network itself.
Q4 - Strategic Trade-offs
Dana: What are the central trade-offs associated with each strategic alternative?
Dennis: Server-based solutions which rely on administrator privileges and remote scans are generally most appropriate for small-to-medium business environments, for a couple of key reasons. Because these solutions typically require the deployment of a dedicated appliance for each protected network segment, they quickly encounter scaling problems in large network environments. Also, the requirement to grant administrator privileges to the security enforcement system is viewed as overly intrusive in most large enterprises.
The server/applet architecture strategy has its roots in the SSL VPN gateway market, where the focus is on providing “thin-client”, i.e. web-based, VPN access. Once SSL VPNs gained market acceptance, it quickly became obvious that VPNs of any type, without the proper endpoint security, were simply encrypted paths into the network for malware. Applet-based solutions were designed to work with SSL VPN, web-based solutions, which are terrific solutions for mobile workers, but are of limited utility in a LAN-based or IPSec VPN environment. With that in mind, products which rely on downloadable applets and SSL VPNs are well-suited for enterprises that plan to enforce security compliance only on their remote users.
The third alternative, the server/agent architecture, is gaining broad acceptance. It has the advantage of providing security enforcement for both remote and LAN-attached workstations, and has been adapted to work in SSL VPN scenarios as well. Also, it does not require the use of administrator-level privileges, which removes scalability as a major concern.
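The allow / restrict / deny outcome that Q3 and Q4 describe can be shown with a constructed posture-policy evaluator. This is an added illustration, not ENDFORCE's product or any vendor's code; the check names, the seven-day signature threshold, the two severity tiers and the sample agent reports are all assumptions made for the example, and a missing or malformed report field is treated as a failed check so the decision fails closed.

```python
from datetime import date, timedelta

# Constructed policy: (check name, severity, predicate over the agent's posture report).
# A failed "required" check denies access; a failed "recommended" check restricts it,
# e.g. to a remediation network, mirroring the deny/restrict outcomes described above.
POLICY = [
    ("personal_firewall_enabled", "required",
     lambda r, today: r["firewall_enabled"] is True),
    ("antivirus_installed", "required",
     lambda r, today: bool(r["av_product"])),
    ("antivirus_signatures_fresh", "recommended",
     lambda r, today: today - r["av_signature_date"] <= timedelta(days=7)),
    ("no_missing_critical_patches", "recommended",
     lambda r, today: r["missing_critical_patches"] == 0),
]

def evaluate_posture(report, policy, today):
    """Return (decision, failed_checks); decision is 'allowed', 'restricted' or 'denied'."""
    failed = {"required": [], "recommended": []}
    for name, severity, check in policy:
        try:
            passed = bool(check(report, today))
        except (KeyError, TypeError):
            passed = False  # missing or malformed field: fail closed, never open
        if not passed:
            failed[severity].append(name)
    if failed["required"]:
        decision = "denied"
    elif failed["recommended"]:
        decision = "restricted"
    else:
        decision = "allowed"
    return decision, failed["required"] + failed["recommended"]

# Constructed sample posture reports, as an assessment agent might submit them.
ASSESSMENT_DATE = date(2005, 3, 1)
REPORTS = {
    "compliant": {"firewall_enabled": True, "av_product": "ExampleAV",
                  "av_signature_date": date(2005, 2, 27), "missing_critical_patches": 0},
    "stale_signatures": {"firewall_enabled": True, "av_product": "ExampleAV",
                         "av_signature_date": date(2005, 1, 10), "missing_critical_patches": 0},
    "no_firewall": {"firewall_enabled": False, "av_product": "ExampleAV",
                    "av_signature_date": date(2005, 2, 28), "missing_critical_patches": 2},
    "partial_report": {"av_product": "ExampleAV"},  # agent omitted most fields
}

if __name__ == "__main__":
    for label, report in REPORTS.items():
        decision, failed = evaluate_posture(report, POLICY, ASSESSMENT_DATE)
        print(f"{label:18s} -> {decision:10s} failed: {failed}")
```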
Q5 - ENDFORCE Strategy
Dana: What are ENDFORCE's primary strategies for dealing with evolving requirements for EPS compliance solutions?
Dennis: This is a challenging area, but we have found that if we interact with a mix of enterprise executives, administrators, and buyers, along with our peers in industry organizations and analyst firms, common themes tend to emerge. So we are constantly working with our enterprise customers and prospects to understand their requirements, and we augment that with active participation in industry initiatives, including Microsoft’s Network Access Protection (NAP), Cisco’s Network Access Control (NAC), and the Trusted Computing Group (TCG).
Q6 - Emerging Compliance Standards
Dana: Dennis, you have raised an issue that is likely to concern many enterprises, that is, when they evaluate specific EPS compliance products how should they weigh the strategies and capabilities of these three influential forces?
Dennis: In general, as enterprises evaluate specific EPS products, they need to balance their current requirements with what they believe they’ll need in the future, and what they would like to see in a vendor. The overwhelming opinion among analysts who track this market is that Cisco and Microsoft will become major players, which isn’t exactly a surprise, but the analysts have also said that enterprises shouldn’t wait for the big players to launch a product. Their reasoning is that Cisco and Microsoft will always trail the market, especially in security capabilities, and most, if not all, of the product features they have discussed are available from independent software vendors like ENDFORCE today. As long as an enterprise selects a vendor that’s directly involved in, and behaving consistently with, the major industry initiatives, it should feel comfortable making a product choice from the products that are available in the market now.
Q7 - ENDFORCE Differentiation
Dana: Is the ENDFORCE approach distinct in ways that most organizations can appreciate? Please briefly explain the primary differences.
Dennis: The ENDFORCE approach is different in three fundamental ways, which should be readily apparent to enterprise users. First, our enterprise product benefits from the fact that we have built policy management systems for service providers for years, and as a result, we’ve got more experience dealing with complex scenarios in large networks than any of our competitors. This translates into what we believe is the easiest-to-use product on the market. Second, our product strategy is focused on interoperability with all leading application and device vendors, so you don’t have to replace your personal firewall or anti-virus product to deploy centralized policy compliance enforcement, and you can build your network using 802.1x-capable switches from virtually any vendor. We’ll work with whatever you’ve deployed. Finally, we provide very thorough support at the time of implementation, so our installations tend to go quickly and turn out well.
Q8 - Outlook on Future EPS Requirements
Dana: I expect that EPS compliance solutions will need to adapt rapidly to new enterprise requirements. Please describe what you see as the next wave of requirements and the business trends that will drive them.
Dennis: There’s no doubt that these solutions are evolving rapidly. We believe that the next wave of requirements will be focused on expanding the breadth of available solutions by incorporating additional enforcement mechanisms, which will cover a broader range of enterprise users. For example, our first-generation product focused on remote users accessing the network via SSL and IPSec VPN gateways. Our follow-on product added LAN support via integration with the 802.1x port authentication standard. We will be adding other enforcement mechanisms, including additional agent-based and network-based capabilities, to cover a broader range of existing and planned network environments. We’ve also seen major shifts in the market as recently as a few weeks ago, with Cisco’s decision to support a major Network Admission Control initiative in the market, as opposed to a purely proprietary Cisco-based product approach. Cisco’s agreement-in-principle to cooperate with Microsoft also points towards improved coordination and a broader underlying base of shared technology which can support innovation by independent software vendors like ENDFORCE. In general, both Cisco and Microsoft have made strategic moves which appear to be good for endpoint security, and organizations like the Trusted Computing Group have grown into useful forums for vendors who have a stake in the future of this market to collaborate on the development of common standards.
Q9 - Additional ENDFORCE Info
Dana: Dennis, thanks for sharing your thoughts on how organizations can enjoy the benefits of EPS compliance solutions. Where can one go to learn more about the ENDFORCE solution?
Dennis: Organizations interested in learning more about how ENDFORCE tackles the challenges we have just discussed can visit our web site.
Dennis co-founded ENDFORCE in 1999 and has more than sixteen years of experience in a variety of sales, sales management, marketing and business development positions at UUNET, CompuServe Network Services, and IBM. Prior to ENDFORCE, Dennis served as Vice President, Product Marketing, at UUNET and CompuServe Network Services, leading providers of enterprise-class connectivity and security solutions. In that capacity, he was responsible for product marketing and management for all dial-up Internet, Virtual Private Network, and Remote Access solutions. Dennis is a graduate of the University of Minnesota, and holds an MBA from Texas A&M University. Dennis also served in the U.S. Navy as a naval flight officer.
ENDFORCE, the leading choice for interoperable endpoint security policy enforcement, provides the first software-only, vendor-neutral framework that enables enterprise security administrators and executives to define and enforce endpoint security policies for their users. ENDFORCE has established itself as a leader by creating innovative software that automates the design, deployment, and ongoing management of configurations and security policies for both fixed and mobile endpoints. Based in Dublin, Ohio, ENDFORCE is privately held, with investors including Kleiner Perkins Caufield & Byers, Invesco Private Capital, and Microsoft.