Partitioned Endpoints Pair Security with Convenience for Home Working

Enterprise IT teams need a robust, proven alternative to perimeter-based security, answering the unprecedented challenges of extended, fragmented workforces on top of the mounting threats they were already facing.

Organizations with a mission-critical need to meet compliance, security and regulatory requirements have to find a way to secure endpoints in a work-from-home, zero trust environment without significant performance degradation or prohibitive cost. We need endpoint architectures that support secure (“protected”) sessions and unprotected sessions, selected according to the sensitivity of the data being transferred and processed. The machine resources (e.g. memory) that each of these sessions uses must be kept separate.

How this high-level concept is implemented will depend on the enterprise and its use cases. Mandatory compliance with the highest standards, such as those called out in the National Security Agency/Central Security Service (NSA/CSS) Commercial Solutions for Classified (CSfC) Program specifications, is needed in high-threat environments, but for more moderate threats the restrictions can be dialed down to a level appropriate to the risks faced.

Where appropriate, the security architecture may well incorporate nested VPNs, secure boot and more sophisticated methods of user authentication. This approach is in line with CSfC, which was established to enable commercial products to be used in layered solutions protecting classified National Security Systems (NSS) data.

Such security needs to be implemented at the edge, in parallel with the approach taken by the avionics, space and defense industries, where application failure is not an option. In these domains, technology already exists to protect mission-critical applications at the endpoint, for example on board vehicles. That technology can be scaled appropriately to provide similar protection to mission-critical endpoints in the enterprise, such as laptops, edge servers, networking cards and more.

This security architecture is based on a separation kernel, so that an endpoint can run multiple isolated functions, including domains for different security and classification levels. Security controls can then be fine-grained rather than simply enabled or disabled.

Functionality should be allowed or prevented on a per-VM basis, with VMs managed remotely to reduce operational costs. Because system security is enforced all of the time for the protected session, data encryption is always on, VPN functionality is always on and USB device insertion is always off.
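To make the per-partition policy above concrete, here is an added example (written for this page, not code from the article's author or from any separation kernel product) that models a partitioned endpoint as a set of VMs with their own memory ranges, sensitivity levels and pinned controls. The checker enforces the three properties the text calls for: partition memory must not overlap, a protected partition must have encryption and VPN always on and USB always off, and data may only flow from an unprotected domain into a protected one, never the reverse. The partition names, addresses and the `Policy`/`Partition` types are all constructed for illustration.

```python
from dataclasses import dataclass

PROTECTED = "protected"
UNPROTECTED = "unprotected"
LEVEL_RANK = {UNPROTECTED: 0, PROTECTED: 1}


@dataclass(frozen=True)
class Partition:
    """One isolated VM/domain on the endpoint (hypothetical model)."""
    name: str
    level: str          # PROTECTED or UNPROTECTED
    mem_start: int      # guest-physical base of this partition's memory
    mem_size: int       # bytes
    encryption: bool    # data encryption forced on?
    vpn: bool           # all traffic forced through the VPN?
    usb: bool           # USB device insertion permitted?

    @property
    def mem_end(self) -> int:
        return self.mem_start + self.mem_size


@dataclass(frozen=True)
class Policy:
    partitions: tuple   # tuple of Partition
    flows: tuple        # tuple of (src_name, dst_name) permitted channels


def _overlaps(a: Partition, b: Partition) -> bool:
    return a.mem_start < b.mem_end and b.mem_start < a.mem_end


def validate(policy: Policy) -> list:
    """Return a list of violations; an empty list means the policy is sound."""
    errors = []
    by_name = {p.name: p for p in policy.partitions}
    parts = list(policy.partitions)

    # 1. Machine resources of different sessions must never be shared.
    for i, a in enumerate(parts):
        for b in parts[i + 1:]:
            if _overlaps(a, b):
                errors.append(f"memory overlap: {a.name} and {b.name}")

    # 2. Protected sessions have their controls pinned, not merely defaulted.
    for p in parts:
        if p.level == PROTECTED:
            if not p.encryption:
                errors.append(f"{p.name}: encryption must be always on")
            if not p.vpn:
                errors.append(f"{p.name}: vpn must be always on")
            if p.usb:
                errors.append(f"{p.name}: usb insertion must be always off")

    # 3. Data may flow up (unprotected -> protected) but never down.
    for src, dst in policy.flows:
        if src not in by_name or dst not in by_name:
            errors.append(f"flow {src}->{dst}: unknown partition")
        elif LEVEL_RANK[by_name[src].level] > LEVEL_RANK[by_name[dst].level]:
            errors.append(f"flow {src}->{dst}: would move protected data to a lower level")
    return errors


def usb_allowed(policy: Policy, partition_name: str) -> bool:
    """Runtime decision for a USB hot-plug event routed to the named partition."""
    for p in policy.partitions:
        if p.name == partition_name:
            # Protected domains refuse USB even if a config slip set the flag.
            return p.usb and p.level != PROTECTED
    return False  # unknown partition: fail closed


# Constructed sample: one protected work domain and one unprotected personal domain.
GOOD_POLICY = Policy(
    partitions=(
        Partition("work", PROTECTED, 0x1000_0000, 0x2000_0000, True, True, False),
        Partition("personal", UNPROTECTED, 0x3000_0000, 0x1000_0000, False, False, True),
    ),
    flows=(("personal", "work"),),   # e.g. importing a public file into the work domain
)

# Constructed counter-example: overlapping memory, USB enabled in the protected
# domain, and a channel that would carry work data into the personal domain.
BAD_POLICY = Policy(
    partitions=(
        Partition("work", PROTECTED, 0x1000_0000, 0x2000_0000, True, True, True),
        Partition("personal", UNPROTECTED, 0x2800_0000, 0x1000_0000, False, False, True),
    ),
    flows=(("work", "personal"),),
)

if __name__ == "__main__":
    print("good:", validate(GOOD_POLICY))
    for err in validate(BAD_POLICY):
        print("bad:", err)
```

The point of `usb_allowed` failing closed for a protected partition regardless of its flag is the "enforced all of the time" property: the runtime decision does not trust the configuration alone, so a misconfigured protected VM still cannot accept a USB device. A real separation kernel would enforce the memory isolation in hardware via the MMU/IOMMU; the model only checks that the configured ranges are disjoint.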

For the highest-threat environments, mandatory support for secure boot and for multiple layers of VPN can be implemented. I also believe that endpoint detection and response technology must become mandatory. Naturally, this functionality has to be supported on industry-standard machines running Windows or Linux and priced similarly to existing hardware on the market.

Such an endpoint architecture enables safe, secure and productive home working. It delivers the highest security when it is needed, but also minimizes inconvenience, reducing the risk that employees negate security by simply avoiding it, for example by switching to their personal devices.

A recent Malwarebytes report found that 28% of respondents (themselves IT managers, directors and C-suite executives) admitted to using their personal devices for work-related tasks more than their work-issued machine.

If I am honest about my regular work day, I will often NOT connect to the office network via VPN, and I interleave business-related tasks with personal ones. The architecture outlined in this article provides a path to rigorous security proportionate to the risk faced, whilst recognizing the fluidity of the work environment for the new generation of home-working users.
