Taking Control

Last updated on 17 May 2010 in Education

For the uninitiated, the only relevance the term end-point security will likely have is that it will represent the end-point on the list of things marked: ‘things I don’t know about or care about’. For those of us in the know however—amidst an explosion in the use of portable peripherals such as iPods, USB keys and mobile phones amongst both students and staff alike—end-point security has not so much snuck onto the agenda, but simply smashed the door down, steam-rolled in, and announced itself as yet another security concern of which we all need to be aware.

So what is it exactly?

Well, before we get into the technicalities, the specifications and the requirements, let’s begin with a few startling stats to liven things up. If I were to ask how many unauthorised USB sticks, iPods and mobile phones are connected to your fully secure network, your answer may range from ‘I don’t know’, to ‘I don’t care’, to the slightly more acceptable ‘why should I care?’ Funny you should ask.

When carrying out ‘proof of concept’ audits, we’ve found that in just two weeks, over 40GB of media across 5,560 separate files was transferred by just 80 people. This included 30 illegally ripped films, of which the largest was over 3GB! In a separate audit we found a total of 18GB transferred in just two weeks, which included over 300 MP3 songs, illegally ripped satellite navigation software as well as 1,500+ unencrypted documents.

Clearly this is a problem which needs addressing. However, without an adequate solution, pinning down the source and scale of this type of activity can be almost impossible.

You see, as the evidence above demonstrates, endpoints are the frontier of your network: the doorway to every file on your server, the hub of all activity in and out of your otherwise secure network. For that reason, it is essential that you give them due care and attention. Just as worrisome is the potential threat from the rise in malware through such unrestricted data transfer. Since 2007, the number of unique examples of malicious software has risen 500% to a staggering 5.49 million. These can wreak havoc with internal settings, put confidential files at unnecessary risk, and generally waste valuable resources, time and money.

The challenge of designing a security system rigorous enough to deal with such threats, whilst ensuring that both students and staff alike have the freedom to work, is becoming an increasingly difficult balancing act. Here at Equanet, we’re able to draw a line between freedom and protection, whilst being aware of the importance of both.

So, what can you do about it?

Well, the breadth and depth of your chosen solution can be as technical—and more importantly—as effective as you like. The technology is available to ensure you can deal with this burgeoning issue in the best way possible. Of course, you could try the age-old tried and tested ‘ignorance is bliss’ policy. Unfortunately, you may find out later rather than sooner that this is none too effective and none too blissful. Alternatively, you could try implementing an overly stringent access policy which seeks to shut off every single point of access to every single student and member of staff, regardless of the benefits or necessity of these devices. Once again though, this solution is unlikely to meet your requirements.

Surprisingly, whilst these opposing approaches are neither desirable nor effective on their own, each offers a benefit that we think is worthwhile. With the former, you have complete freedom to transfer data and use any device whenever needed. A good start. With the latter, you have peace of mind in knowing there will be no security breaches. Even better. However, it is only when paired together that we think these benefits are of any use.

What solutions are available?

With Lumension Device Control, you can enforce campus-wide usage policies for removable devices and media. This five-step programme can allow complete end-to-end protection whilst ensuring you have the freedom to work:

1. Discover - identify all removable devices that are currently or have ever been connected to your endpoints through the use of a “learning” mode that allows you to collect information without disrupting business.

2. Assess - define rules at both default and machine-specific levels for groups and individual users with regard to device access by class, model and/or specific ID, and uniquely identify and authorize specific media. These permissions can be linked to the user and user group information stored in Microsoft Active Directory or Novell eDirectory.

3. Implement - enforce device and data usage policies by: file copy limitations (amount per day, time of day) and file type filtering. You can also enforce the encryption of data moved onto removable devices and apply permissions to specific groups of endpoints, ports, devices and users (both on- and off-line), including scheduled / temporary access.

4. Monitor - monitor the effectiveness of device and data usage policies in real time and identify potential security threats by logging all device connections, recording all policy changes and administrator activities and tracking all file transfers by file name and content type. You can even keep a copy of every file that is transferred to or from a removable device using the patented bi-directional shadowing technology.

5. Report - create both standard and customized reports on all device and data activity showing allowed and blocked events, which can be saved into a repository, shared via email, and imported into third-party applications. Detailed forensic reports and comprehensive auditing capabilities enable you to demonstrate compliance with internal security policies and external government and industry regulations such as SOX, HIPAA or PCI DSS.

Who is actually using this solution?

With thousands of deployments already, the Lumension solution has spread rapidly across both the private and public sectors. One such example is Bishop’s Stortford College in Hertfordshire.

The college is a co-educational independent day and boarding school. Founded in 1868, it currently has a total of 1,000 students in its Pre-Prep, Junior and Senior Schools. High priority is given to providing staff and pupils with access to the latest IT resources.

The Challenge

As a college that prides itself on making education an exciting, uplifting and liberating experience, Information Technology is used extensively to enhance teaching and learning. The staff positively encourage students to explore new technologies, believing that using, experiencing and experimenting with technology are some of the best ways of learning.

While welcoming this approach, the college’s IT department is very aware of the potential management, stability and security issues introduced when any device, either active or passive, can be attached to a network. They were understandably concerned about students using USB devices such as large external hard drives and PDAs without the necessary controls in place. Although they have never had to deal with deliberate misuse of IT resources, the IT department wanted to ensure that it was not complacent in this area going forward.

“The starting point for management of endpoint security is to know what you are managing,” said Stephen Bacon, Head of IT at the College. “We need to know what is being attached and what is coming on and going off our network. Without this information you cannot know whether you have a problem or not.” The college estimates that about 400 pupil-owned USB devices are regularly connected to the network. Stephen Bacon said: “We have had no problems so far with students using the school’s network for anything other than legitimate work. However, as we encourage the students to make more use of IT resources in lessons, we wanted a solution that would enable us to manage and audit the use of USB devices on the network in real time. In this way, if a student were to use the network as, say, a music sharing system for their MP3 player, we could put an immediate stop to this. We also wanted to ensure that no malware was introduced on to the network by pupils’ USB devices.”

Bacon continues: “Finally, we needed to be able to ensure that we don’t allow pupils unwittingly to breach copyright laws by downloading, for example, copyrighted maps, or server based applications, onto their USB devices.”

The school set out to find an endpoint security solution that would meet these requirements and would allow them to enforce pre-agreed policies if necessary.

The Solution

The college began its search for the right endpoint security product by doing some Web research. The independent reports and product reviews that they found on the Web all pointed to Lumension Device Control as being the best product of its type for securing USB ports. The most influential report, a comparison of device management products called ‘Removable Device Security’ and prepared by infrastructure and security consultancy Plan-Net Services, concluded that “Lumension Device control is the most appropriate choice for a medium to large enterprise requiring maximum peace-of-mind.”

By employing a white list approach, Lumension Device Control enables only authorised devices to connect to a network, laptop or PC, facilitating security and systems management while providing the necessary flexibility to institutions of any size. It enables administrators to quickly establish and enforce device control policies by rapidly identifying devices and then assigning permissions at a high level or all the way down to a specific application per user, user group or even a particular computer.

The college also wanted to secure all 320 PCs on its network, starting with the machines in the six IT labs and libraries, which are used by students in the pre-prep, junior and senior schools. The second phase of the roll-out would be to secure the PCs in all of the classrooms.

The Benefits

Bishop’s Stortford College now has peace of mind that the USB ports on the school’s PCs are all being used for legitimate purposes.

“Since the deployment, we feel so much more comfortable that we know what is going on with our USB ports. We ask every student to sign a code of conduct which includes guidance on the use of USB devices on our machines and we can now check at any time of the day what is coming on and off the pins. Lumension’s easy-to-use, yet granular, reporting facility means that we can continually monitor every machine to ensure that our acceptable use policy is being upheld, and if it isn’t then we can take steps to enforce the policy. I’m sure we’ll never need to do this, but we need peace of mind – and that’s what Lumension gives us. ” — Stephen Bacon

What can you do next?

We can set up a 30 day trial, with no software charge. This will help you quickly and easily identify potential issues on a zero-risk basis. The trial will give you a complete view of all network activity, including frequency and volume of data transfers and a breakdown of each user’s specific activity, including the number of times a USB stick, iPod® or mobile phone was used. The solution can reduce these occurrences and therefore the propensity of the end user to introduce malware to their PC, as well as providing an encrypted, managed platform to allow secure transfer and transport of data.

Summary

Policy Enforced Encryption for Removable Storage
Centrally encrypts removable devices (such as USB memory drives) and media (such as DVDs/CDs), and enforces encryption policies when copying to devices/media.
Data Copy Restrictions
Restricts the daily amount of data copied to removable devices and media on a per-user basis; also limits usage to specific time frames/days.
File Type Filtering
Controls the file types that are moved to and from removable devices (such as USB sticks) and media (such as DVDs/CDs) on a per-user basis.
White list / “Default Deny”
Assigns permissions for authorized removable devices and media to individual users or user groups; by default, devices/media/people not explicitly authorized are denied access.
Temporary / Scheduled Access
Grants users temporary / scheduled access to removable devices/media, used to grant access ‘in the future’ for a limited period.
Context-Sensitive Permissions
Applies different permissions when the endpoint is connected to the network, when it is not, and/or regardless of connection status.
Centralized Management / Administrator Roles
Centrally defines and manages user, user group, computer and computer group access to authorized removable devices / media on the network; by default, those devices / media / people not explicitly authorized are denied access.
Role Based Access Control
Assigns permissions to individual users or user groups based on their Windows Active Directory or Novell eDirectory identity, both of which are fully supported.
Tamper-proof Agent
Agents are installed on every endpoint on the network, and are protected against unauthorized removal - even by authorized (local) administrators. Only (enterprise) administrators may activate this protection.
Flexible / Scalable Architecture
Provides organization-wide control and enforcement using a scalable client-server architecture with a central database.
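The policy model described in the Assess and Implement steps and again in the summary above (permissions by device class, model or specific ID tied to directory groups, default deny, daily copy quotas, file-type filtering, enforced encryption and on/off-network context) can be expressed as a small evaluator. The Python below is an added example for this article, not Lumension’s code; the groups, device models, quotas and the AD/eDirectory stand-in dictionary are constructed.

```python
from collections import defaultdict, namedtuple

ANY = "*"  # rule-field wildcard: match any device class, model or serial
Device = namedtuple("Device", "dev_class model serial")  # as reported by the hardware
# Rule fields: group - directory group (AD / eDirectory stand-in) the rule covers;
#   dev_class / model / serial - a specific value or ANY; daily_quota_mb - 0 = read-only;
#   allowed_exts - empty = no file-type filter; require_encryption; offline_allowed.
Rule = namedtuple("Rule", "group dev_class model serial daily_quota_mb allowed_exts "
                  "require_encryption offline_allowed", defaults=(ANY, ANY, 0, frozenset(), False, True))

class Policy:
    def __init__(self, rules, directory):
        self.rules, self.directory = rules, directory  # directory: user -> set of groups
        self.copied_mb = defaultdict(int)  # (user, day) -> MB already copied that day
        self.log = []                      # audit trail feeding the Monitor/Report steps
    def _match(self, user, dev, online):
        # First rule whose every field fits user, device and context; None = default deny.
        for r in self.rules:
            if (r.group in self.directory.get(user, ()) and r.dev_class in (ANY, dev.dev_class)
                    and r.model in (ANY, dev.model) and r.serial in (ANY, dev.serial)
                    and (online or r.offline_allowed)):
                return r
        return None
    def connect(self, user, dev, online=True):
        allowed = self._match(user, dev, online) is not None
        self.log.append(("connect", user, dev.serial, "allow" if allowed else "deny"))
        return allowed
    def copy_to_device(self, user, dev, filename, size_mb, encrypted, day, online=True):
        rule = self._match(user, dev, online)
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        if rule is None:
            verdict = "deny:device"  # no permission at all: default deny
        elif rule.allowed_exts and ext not in rule.allowed_exts:
            verdict = "deny:filetype"
        elif rule.require_encryption and not encrypted:
            verdict = "deny:encryption"
        elif self.copied_mb[(user, day)] + size_mb > rule.daily_quota_mb:
            verdict = "deny:quota"
        else:
            self.copied_mb[(user, day)] += size_mb
            verdict = "allow"
        self.log.append(("copy", user, dev.serial, filename, verdict))
        return verdict

def demo_policy():
    # Constructed rules and users modelled on the school in the article (not real data).
    rules = [Rule("staff", "USB_STORAGE", daily_quota_mb=500, require_encryption=True),
             Rule("pupils", "USB_STORAGE", model="SchoolStick-4G", daily_quota_mb=100,
                  allowed_exts=frozenset({"doc", "docx", "pdf", "odt"}), offline_allowed=False)]
    return Policy(rules, {"sbacon": {"staff"}, "pupil01": {"pupils"}})
```

Every decision is appended to `Policy.log`, which is the data the Monitor and Report steps consume; a real agent would also shadow the file contents, which this example omits.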

To set up your trial, or to speak to your account manager please call 0844 871 2709.

