Posted by: Dan Kirsch | December 21, 2011

Holes in Endpoint Security

There is an avalanche of devices and endpoints that employees, customers and partners are beginning to use as they conduct even routine business transactions. An endpoint device might be a PC, a smartphone or even a flash drive. The challenges of IT security are complicating the ability of organizations to protect their intellectual property as well as their reputations in the market. And it isn't just IT that is concerned: IT security has grabbed the attention of governmental bodies and the boards of directors of many companies. Clearly, passwords, even when they are frequently changed and made more complex, are not enough to solve the problem.

It is becoming increasingly clear that there isn't an easy solution. A recent conversation with Steven Sprague, Wave Systems' President and CEO, has caused me to reassess my thoughts on the direction of endpoint security. There are many different approaches that address some of the potential vulnerabilities, but there simply isn't a single, all-encompassing approach. I suspect in the near future we will see a number of innovations in this area and an emergence of new technologies combined with required governance and compliance best practices. Of course there is no silver bullet, because as soon as new security approaches emerge, those looking to bypass the security innovate.

So, where are we today? There are three primary approaches: security tokens, software offerings and hardware solutions. While all of these approaches offer benefits, none provides a holistic enterprise network endpoint solution.

Security Token Approach

Security tokens are often used when organizations need to allow users to access a secure network through a variety of endpoints. Users must enter the code displayed on the token as well as a password. This approach allows employees to access the network on non-company-issued devices and puts the power of access in their hands, so long as they have an authorized token.

Although tokens provide an additional level of authorization and allow access through any number of devices, there are a number of drawbacks. There was, of course, the well-publicized March 2011 hack on security tokens provided by the nation's largest token supplier, EMC's RSA. The RSA attack was carried out by hackers who sent phishing emails to RSA employees. When the emails were opened, malware contained in an Excel attachment exploited a backdoor and allowed the hackers to gain access to RSA servers. Information stolen from RSA's network allowed hackers to compromise security tokens, leaving many of the world's largest organizations that relied on RSA's tokens vulnerable to attack.
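To make the two-factor mechanism above concrete, here is an added example of server-side verification of a password plus a token code. It is not code from the original post and it does not reproduce RSA SecurID, whose algorithm differs; it assumes an RFC 6238 TOTP-style token with a constructed seed (the RFC's published test secret). The security point it illustrates is that the per-user seed held by the server is the token's whole secret: anyone who obtains it can compute the same codes, which is why the information stolen from RSA's network undermined the tokens in the field.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo seed: the RFC 4226/6238 test secret, NOT a real token seed.
DEMO_SEED = b"12345678901234567890"


def password_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with a counter derived from the current time."""
    return hotp(seed, now // step, digits)


def enroll(password: str, seed: bytes) -> dict:
    """Create the server-side record for one user (hypothetical in-memory store).
    In a real deployment the seed belongs in an HSM or an encrypted store,
    because whoever holds it can generate valid codes."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": password_hash(password, salt),
        "seed": seed,
        "last_counter": -1,  # highest time step already accepted (replay guard)
    }


def verify_login(record: dict, password: str, code: str, now: int,
                 step: int = 30, window: int = 1) -> bool:
    """Check both factors. Both checks always run and use constant-time
    comparison, so a failure does not reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(password_hash(password, record["salt"]),
                                record["pw_hash"])
    counter = now // step
    matched = None
    # Accept +/- `window` steps of clock drift, but never a step already used.
    for c in range(counter - window, counter + window + 1):
        if c <= record["last_counter"]:
            continue
        if hmac.compare_digest(hotp(record["seed"], c), code):
            matched = c
            break
    if pw_ok and matched is not None:
        record["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    user = enroll("correct horse battery staple", DEMO_SEED)
    t = 59  # seconds since epoch; falls in time step 1
    print("token shows:", totp(DEMO_SEED, t))
    print("first login:", verify_login(user, "correct horse battery staple", totp(DEMO_SEED, t), t))
    print("replayed code:", verify_login(user, "correct horse battery staple", totp(DEMO_SEED, t), t))
```

The replay guard (`last_counter`) matters because a code observed once, for example by a keylogger on an untrusted endpoint, stays valid for the whole acceptance window otherwise. Note that the guard does nothing against an attacker who holds the seed itself; that is the failure mode the RSA breach created, and no verification logic on the server can compensate for it.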

Beyond the security concerns, deploying security tokens across a large enterprise requires the adoption and implementation of additional new hardware. This is expensive and requires business process changes. Security tokens can be inconvenient for users, and they have high ongoing fixed costs.

Software Approach

Software solutions installed on each endpoint device avoid the expense that is inherent in tokens. Software solutions typically include full-disk encryption (FDE), which is designed to render lost or stolen computers worthless without the proper password. Many vendors offering a software approach have strong central management tools that go far beyond setting password policies for complexity and frequency of password changes.

Software solutions have long implementation times, can impair a PC's overall performance, and can leave data vulnerable to attack. The danger with the software approach is that the device's protection is only as strong as the software design. The software-only approach keeps passwords at the software level, which makes them vulnerable to hackers who can mount remote attacks on the software. Furthermore, there are practical limits on an individual's ability to remember complex passwords that must be changed so often that a person has just begun to remember the old one when policy requires a new one.

Hardware Approach

A third solution relies on a standard chip, the Trusted Platform Module (TPM), which is embedded in nearly all enterprise-class laptops and BlackBerries but not in other common devices such as those running Android and iOS. The TPM was standardized by the Trusted Computing Group, a standards body created by some of the world's largest software and hardware vendors, such as AMD, Hewlett-Packard, IBM, Intel, and Microsoft, who have since been joined by more than 100 enterprises implementing Trusted Computing.

This approach moves beyond the software-only model, which stores credentials at the software level; instead, it places security credentials on a physical module. This hardware approach is not vulnerable to software hacking, and it does not have the drawbacks of a security token. However, it is not the perfect solution some vendors in the TPM market have heralded it as.

While complex and requiring physical access to the TPM, there is a hack that leaves security credentials vulnerable (read more about the TPM hack). While not a great concern to some companies, this hack will certainly impact the effectiveness of the TPM approach for organizations handling highly sensitive or top secret data (e.g., the CIA, the NSA, military contractors, etc.). Additionally, this approach requires an organization to deploy software that will enable and manage the module (Wave Systems, for example, offers such software). Finally, although this approach may have seemed like the golden ticket to securing network endpoints just a few short years ago, in today's business landscape a standard that does not support Android or iOS devices certainly cannot be considered standard or universal.

Conclusion: a Unified Approach

Each of these approaches has strengths and weaknesses, but firmly closing the vulnerabilities in enterprise network security will require a holistic approach. There is a need to provide secure access from a variety of endpoints to employees, customers and business partners. A unified effort by software and hardware vendors to create a standard, similar to the efforts that standardized USB and HDMI ports, will likely be required. This unified approach will provide standardization, give organizations flexibility, and prevent vendor lock-in.

Those who offer TPM solutions are heavily advocating adoption of the module across all platforms and devices. This would offer a great financial opportunity for vendors already in the market. The Trusted Computing Group has succeeded in standardizing the module in laptops, but it has been unable to convince newer mobile manufacturers to install the module. Some large enterprises such as PricewaterhouseCoopers (PwC) have implemented the TPM, and, if other large organizations move to the TPM approach, it is likely that businesses will force mobile vendors to install it. At this point, most large organizations are issuing or allowing the use of non-BlackBerry devices (remember, for now only BlackBerries ship with the TPM as standard), so clearly there has not been a strong business community push towards requiring the TPM in mobile devices.

I suspect that companies will be reassessing their endpoint security approaches in the next year, and, especially in light of the RSA attack and the current economic climate, they will seek a more secure and more economical approach. It is likely that a future approach will at least in part rely on work already done by the Trusted Computing Group.
