Every day, businesses worldwide face sophisticated threats to their data and communications networks.
While enterprises continue to invest heavily in hardening their IT infrastructures and enforcing comprehensive and constantly updated security policies against malicious code attacks, another in-house threat – the mobile workforce – is opening the floodgates to compromised enterprise data and corporate network contamination.
While mobile working provides commercial and operational benefits, enterprise security policies frequently suffocate the effectiveness and productivity of mobile workforce devices.
In this article, we will examine why best-of-breed software alone is unable to provide the mobile workforce and their laptops with the same level of security as office-based workers.
Two lines of defense in a protected corporate environment
Currently, organizations use a layered approach to anticipate, detect, and prevent threats from laptop attacks.
This is in addition to a centralized, unbending IT policy that trumps an individual’s control over his or her own laptop.
Because IT departments place great importance on corporate IT governance, their primary method of enforcing organizational security policies is control of all networking components.
When laptop users connect to the Internet via the corporate network, they are protected by two lines of defense:
A comprehensive set of IT security appliances running secure and hardened operating systems, as well as security software such as firewalls, intrusion prevention/detection systems, antivirus, antispyware, antispam, and content filtering, all of which are fully managed by the corporate IT organization.
On the laptop itself, personal firewall and antivirus software that the user installs and controls.
Additionally, when laptops are contained within a secure corporate environment, the IT department of the organization can exercise complete and consistent control over (and visibility into) any device, which is a critical operational consideration. This means that the IT department can:
Consistently update respective laptops with data, policies, and other pertinent information.
Effectively monitor the entire network in terms of the status of all network components.
Outside the zone of safety
When a laptop leaves the enterprise-managed network, the two-line defense system breaks down, as the laptop is no longer protected by the corporate security appliances layer and is entirely dependent on the security software installed on the local operating system.
The roaming laptop is at risk of being attacked by nearby wireless and wireline devices (in hotels, business lounges, airports, WiFi at Internet Cafes, etc.).
These threats extend well beyond the individual laptop: intrusive code may use the laptop as a platform for breaching corporate security once it returns to base and connects to the network.
Reliance on only the best-of-breed software on the laptop is flawed for the following reasons:
Operating System Inherent Vulnerabilities – By definition, security software that runs on Windows is exposed to Windows-specific vulnerabilities, which in turn exposes personal firewall and antivirus applications to malicious content attacks.
Unknown Threats – security software is designed to protect against known threats only. By the time new threats are added to its knowledge base, it may already be too late.
Immediate Damage – malicious content executes directly on the protected platform, rather than on a security appliance designed to filter and buffer the content.
Managing Security Levels – ensuring that all computers have the latest security updates installed and enforcing a unified security policy can be extremely challenging. When computers are on the front lines, these security flaws can have a catastrophic effect on the entire network. In other words, it is “all or nothing,” meaning that either the entire network is secured or it is not.
As a result, many organizations adopt stringent security policies that prohibit the majority of wireless networking options (significantly limiting user productivity and remote computing freedom), or impose stringent, costly, and difficult-to-enforce cleaning procedures for laptops returned from the “field.”
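As an added illustration (not from the original article), the following posture check models the “all or nothing” point above: a laptop returning from the field is re-admitted to the network only if its local, second-line defenses are intact and current, and the network counts as secured only if every device passes. The thresholds, field names and sample devices are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy thresholds for this illustration (not from the article).
MAX_SIGNATURE_AGE = timedelta(days=3)   # antivirus signatures must be newer than this
MAX_PATCH_AGE = timedelta(days=14)      # OS patches must be newer than this


@dataclass
class DevicePosture:
    """Self-reported state of a laptop's local (second-line) defenses."""
    hostname: str
    firewall_enabled: bool
    antivirus_running: bool
    signatures_updated: datetime
    patches_applied: datetime


def evaluate_posture(p: DevicePosture, now: datetime) -> list:
    """Return the policy violations for one device; an empty list means compliant."""
    violations = []
    if not p.firewall_enabled:
        violations.append("personal firewall disabled")
    if not p.antivirus_running:
        violations.append("antivirus not running")
    if now - p.signatures_updated > MAX_SIGNATURE_AGE:
        violations.append("antivirus signatures stale")
    if now - p.patches_applied > MAX_PATCH_AGE:
        violations.append("OS patches out of date")
    return violations


def admission_decision(devices, now):
    """Quarantine non-compliant laptops; the network is 'secured' only if every device passes."""
    decisions = {}
    for d in devices:
        v = evaluate_posture(d, now)
        decisions[d.hostname] = ("admit", []) if not v else ("quarantine", v)
    return decisions, all(state == "admit" for state, _ in decisions.values())


# Constructed sample fleet: one office laptop and two returning from the field.
NOW = datetime(2024, 1, 15, 9, 0)
SAMPLE_FLEET = [
    DevicePosture("lt-office-01", True, True, NOW - timedelta(days=1), NOW - timedelta(days=5)),
    DevicePosture("lt-field-07", True, True, NOW - timedelta(days=9), NOW - timedelta(days=30)),
    DevicePosture("lt-field-12", False, True, NOW - timedelta(days=1), NOW - timedelta(days=2)),
]
```

Calling admission_decision(SAMPLE_FLEET, NOW) quarantines both field laptops (stale signatures and patches on one, a disabled firewall on the other) and reports the network as not secured; with only the office laptop present the flag is True.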
Mobile-optimized best-of-breed software
To address the current vulnerabilities in laptop security, an increasing number of CSOs have chosen to place computers behind a robust security gateway, typically a dedicated security appliance.
Unlike personal computers, these appliances feature hardened operating systems that lack security holes, “back doors,” or unprotected layers. They were created with a single objective in mind: to provide security.
Because these security appliances are hardware-based rather than software-based, the following benefits accrue:
Cannot be uninstalled – security attacks frequently begin by attempting to uninstall or disable security software. Software-based security solutions are exposed here, as every software program includes an uninstall option that can be targeted. By comparison, appliance-based security cannot be removed, because it is hard coded into the hardware.
Non-writable memory – hardware-based solutions manage memory in a restricted and controlled manner. Access to the memory of a security appliance can be restricted, providing additional protection against attacks on the security mechanism itself.
Through the use of hardware, a comprehensive set of security solutions can be combined into a single device.
Hardware also allows best-of-breed enterprise-class solutions and proprietary developments to coexist, operating at both the lower and upper levels (e.g. packet and network level, application level).
Hardware can also ease the well-known tension between users and IT managers over users’ computing freedom.
Users want complete freedom when using their computers, while IT managers strive to enforce security policies (e.g. banning the use of P2P software).
A security appliance resolves this conflict: whereas with software the policy is embedded in the laptop itself, with an appliance security policies can be enforced externally to the laptop, allowing the user complete freedom within the secure computing environment.
To summarize, CSOs should consider a layered security architecture on a hardware appliance to provide corporate-level security for laptops operating outside of a secure office environment.
A dedicated appliance can house all of the best-of-breed security software and reintroduce the two lines of defense that were previously available on office-based PCs.
With a security gateway in place, the damage from a security breach is contained at the gateway rather than reaching the laptop or the corporate network.