WHITE PAPER The Growing Need for Endpoint Risk and Operations Management (EROM) By Jon Oltsik Senior Analyst, ESG July, 2008


Copyright 2008, The Enterprise Strategy Group, Inc. All Rights Reserved.

Table of Contents

Executive Summary
The Evolving Endpoint
Evolving Endpoints Carry Increased Risk
Endpoint Security and Operations Management is Broken
Introducing Endpoint Risk and Operations Management (EROM)
The Road to EROM
The Last Word

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188. This ESG White Paper was developed with the assistance and funding of Symantec Corporation.


Executive Summary

In most organizations, employees receive new PCs every 3 to 5 years, depending upon budgets and amortization schedules. In the past the differences between old and new systems were predictable hardware improvements like faster processors, more memory, and higher capacity hard drives. Yes, this cycle continues today, but changes based upon technology advances alone are only part of the picture. PCs have been joined by a growing army of other computing devices such as handhelds, smart phones, and consumer electronics to make up a new category called endpoints. Endpoints are often mobile IP devices that can do a lot more than email and word processing. Great for users, but what does this change mean to CIOs in terms of endpoint security and operations? This white paper concludes:

Endpoint evolution introduces new threats and operating challenges. Ever-connected IP-based endpoints are exposed to all kinds of potent threats while the data resident on these devices is constantly susceptible to malicious or accidental data breaches. Risks to these devices grow all the time while IT continues to handle endpoints with the same old status quo mechanisms or processes.

Today’s endpoint security and IT operations tools are no longer effective. IT tends to manage endpoint security and operations with an excess of independent point tools and many desktop agents, but this model has outgrown its usefulness. CISOs can’t get a complete picture of endpoint health or link remediation policies to security status or events. IT operations managers have to go from console to console to configure, patch, and back up systems. IT auditors have to piece together multiple reports to understand whether current controls are meeting regulatory mandates. Taken together, today’s endpoint security and operations management increases security risk while adding tremendous operating overhead – a lose/lose proposition.

Many organizations need a new model: Endpoint Risk and Operations Management (EROM). EROM is intended to integrate disparate endpoint agents and management tools into a common client/server architecture for all security and operating tasks. By bringing security, operations, and desktop support together, large organizations will be able to improve security, automate policies, reduce complexity, and simplify endpoint operations.

EROM projects will have phased deployments over the next few years. EROM is built as an architecture of integrated services precluding the need to “rip-and-replace” existing security and operations management tools. CIOs can choose an EROM strategy based upon pressing endpoint security and operations needs. For example, IT may choose to deploy EROM endpoint security in 2008 and then add patch management and vulnerability management capabilities at a later date. Once the initial deployment is completed, other functionality can be added by turning on agent functionality and licensing new services from vendors. This will lead to a direct relationship between EROM and IT benefits – as more EROM functionality is turned on, IT should be able to increase security, automate more processes, and decrease endpoint management resources.

The Evolving Endpoint

A few years ago, PCs resembled the IT equivalent of vanilla and chocolate ice cream. Most employees were assigned a desk side tower system while a small subset of “road warriors” received more expensive laptop systems so they could work on airplanes, or connect to the corporate network using 54 kb modems. At the same time confidential information remained tightly controlled behind locked server closets and tightly controlled remote application access. Today systems are spread across a range of desktops and laptops with information flowing between easily accessed departmental servers, network shares and web servers.


Looking back, the situation described above seems simple and serene. In 2008, the word “endpoint” has replaced the more descriptive “PC” moniker to encompass a host of new types of mobile and non-mobile devices like smart phones, PDAs, and portable entertainment systems. And when it comes to new endpoints, form factor is just the tip of the iceberg. CIOs face a number of other endpoint changes including:

Unprecedented mobility. Laptop computers used to belong to an exclusive club of sales representatives and executives but no more. In 2007, laptops accounted for over half of all new corporate PC purchases. Furthermore, laptops are the fastest growing sector of the PC market, with over 30% unit growth worldwide. Many IT executives view mobility as a double-edged sword. On the plus side, mobility can bolster productivity by enabling remote workers and telecommuters to access corporate assets and get more work done from the road. Alternatively, mobile laptops traveling from New York City to Katmandu are harder to manage and secure.

Ubiquitous connectivity. The language spoken by today’s endpoint devices is TCP/IP so connectivity is as simple as finding a local Ethernet port, wireless access point or cable modem. According to the Pew Internet Project (pewinternet.org), 77% of Internet users (i.e. about 55% of all Americans) have broadband access from their homes and approximately 52% of Internet users access the Internet over wireless networks. Endpoint pervasiveness has made the Internet an essential business and personal tool. Indeed, 44% of Americans say that an Internet outage would pose a serious disruption to their day-to-day lives (source: Burst Media). Today’s workers are connecting to business systems and downloading sensitive data by day and then spending hours on sites like Facebook, MySpace, Yahoo, and YouTube at night.

Multiple devices per user. According to a recent study sponsored by Unisys, just under half of all enterprise workers use multiple computing devices each day to get their jobs done. This is especially true in developing markets like South America, where 58% of all workers use multiple computing devices each day. Again, this situation produces benefits and concerns. Multiple devices per user can boost productivity but also increase IT complexity and require more support resources.

FIGURE 1. THE MANY AREAS ASSOCIATED WITH IT CONSUMERIZATION

[Diagram titled “Consumerization of IT”. Labels: CIO; Users spend time on new consumer sites; Users bring multiple devices to work; IT develops new applications with consumer-like functionality; SOA.]

Source: Enterprise Strategy Group, 2008


In addition to these developments, mobile ubiquitous IP endpoints are also leading to the “consumerization” of IT (see Figure 1). For the first time, consumer-oriented computing around social networking, on-line shopping, and collaboration is driving cutting edge application functionality, offering features such as blogs, multimedia, RSS, and wikis for user-based customization. Users want the ability to access these sites and services anywhere, at any time, from any device. Taken together, “consumerization” will have a profound effect on endpoint security and IT operations. How? Endpoints will be exposed to new types of browser-based content, immature protocols, and multiple file types, opening new attack vectors and vulnerabilities. From an operations perspective, consumerization will lead to new types of Web 2.0 and Service-Oriented Architecture (SOA) application development efforts often deployed on virtual servers – adding IT complexity and new operational tasks. Little wonder that ESG Research indicates that respondents expect these IT consumerization trends to impact their IT management strategy over the next 24 months (see Figure 2).

FIGURE 2. THE IMPACT ASSOCIATED WITH IT CONSUMERIZATION

To what extent do you expect these technologies to impact your IT management strategy over the next 24 months? (Percent of respondents)

| Technology | Extensively | Moderately | Limited Basis | Not at all/Don't know |
|---|---|---|---|---|
| SOA-based applications (N=446) | 23% | 40% | 30% | 7% |
| Web 2.0 (N=454) | 31% | 37% | 27% | 5% |
| Server virtualization (N=530) | 38% | 38% | 20% | 4% |

Source: Enterprise Strategy Group, 2008

Evolving Endpoints Carry Increased Risk

Few technical professionals would debate the benefits associated with the evolution of the endpoint. The combination of mobility, network ubiquity, and device proliferation helps increase employee productivity, improve customer and employee satisfaction and lower operating costs. Unfortunately, endpoint evolutionary benefits aren’t free. Mobility, connectivity, and device propagation act as a perfect host for a growing number of infectious and opportunistic threats. Organizations face increasing risks because:

Mobile device proliferation complicates policy decisions. In many large organizations, employees, contractors, business partners, customers, and suppliers access mission-critical IT assets using a variety of devices from LANs, WANs, VPNs, and public networks. This poses a variety of challenges and risks. Should users be granted the same access rights regardless of their location or device type? How do security policies change when dealing with a non-employee endpoint? How can IT scan, back up, configure, and secure employee endpoints when they rarely have physical access to the system? At best, distributed endpoints create a matrix of complex policy and management decisions. At worst they open the network to an onslaught of constant threats. In an era highlighted by regulatory compliance and IT governance, this issue is particularly vexing. How can IT create and monitor access controls when endpoints of all shapes and sizes access IT assets from within the building or the other side of the globe?


Endpoint-resident data increases the risk of data breaches. Users don’t think twice about storing confidential data in a Microsoft Word document or sending it to other employees via email. The problem with this is that it creates abundant copies of confidential information on endpoint devices, exacerbating the risk of a data breach that may carry the cost and embarrassment associated with public disclosure. According to the Privacy Rights Clearinghouse, 114 of the 332 publicly-disclosed breaches (i.e. 35%) reported in 2007 were the results of a lost or stolen laptop, PC, portable media (i.e. CD, DVD, etc.) or external drive, resulting in the exposure of more than 1.7 million private records (source: privacyrights.org). As of May 1, 2008, at least 42 U.S. states, the District of Columbia, Puerto Rico and many countries around the world have enacted legislation requiring notification of security breaches involving personal data. ESG estimates that a data breach can cost $30 to $150 per record for costs like customer notification, call center staffing, and credit protection services depending upon its geographical impact – the wider the area, the costlier the breach. With these figures as a baseline, year 2007 data breaches associated with lost or stolen laptops, PCs, portable media, and external drives led to unexpected costs of between $51 million and $2.6 billion in 2007 alone (see Figure 3).

FIGURE 3. DATA BREACH FACTS RELATED TO LOST OR STOLEN ENDPOINTS, MEDIA, AND DRIVES

| Measure | Value |
|---|---|
| Number of data breaches reported by the Privacy Rights Clearinghouse in 2007 | 332 |
| Number of data breaches associated with a lost or stolen laptop, PC, or external drive | 115 |
| Percentage of data breaches associated with a lost or stolen laptop, PC, or external drive | 35% |
| Number of private records exposed by data breaches associated with a lost or stolen laptop, PC, or external drive in 2007 | 1,725,000 |
| Minimum cost of data breaches associated with a lost or stolen laptop, PC, or external drive (calculated at $30 per record) | $51,750,000 |
| Maximum cost of data breaches associated with a lost or stolen laptop, PC, or external drive (calculated at $150 per record) | $2,587,500,000 |

Source: Privacy Rights Clearinghouse and the Enterprise Strategy Group, 2008

Ubiquitous Internet connectivity exposes endpoints to a variety of threats. With so much Internet-based activity, today’s endpoints live in a very dangerous neighborhood, populated with botnets, software vulnerabilities, malicious code, SPAM, and phishing attacks that grow more insidious and dangerous all the time. The latest edition of the Symantec Internet Security Threat Report is full of frightening security statistics bound to prompt CISOs to reach for the aspirin bottle (see Figure 4). Unfortunately, the future will surely bring more devices, more web-based applications, more IP services – and more frequent and treacherous Internet security threats.


FIGURE 4. SUMMARY OF INTERNET SECURITY THREATS, 2H 2007

| Threat | Number | Comment |
|---|---|---|
| Average number of active bot-infected computers per day | 61,940 | Up 17% |
| Number of documented vulnerabilities | 2,134 | 73% of vulnerabilities classified as “easily exploitable” |
| Percentage of vulnerabilities affecting web applications | 61% | Maps to growth in application-layer attacks |
| Number of malicious code threats reported | 500,000 | Up 136% |
| Percentage of top 50 malicious code variants that posed a threat to confidential data | 68% | Combination of Trojans, worms, viruses, web page modifications, etc. |
| Number of unique phishing attacks | Over 207,000 | Up 5% |
| Spam as a percentage of all email traffic | 71% | Up 16% |

Source: Symantec Internet Security Threat Report (volume XIII) and the Enterprise Strategy Group, 2008

Endpoint Security and Operations Management is Broken

There is a causal relationship at work within the new endpoint model. As endpoints multiply and act as IP network appendages, they become exposed to an abundance of threats that could lead to system compromises, data breaches, or policy violations on individual endpoints or across the entire network. Of course, these concerns shouldn’t be a surprise to anyone – endpoint and threat evolution is nothing new. Given this, it would be natural to surmise that CIOs have already implemented the right policies, defenses, and tools to manage endpoints while protecting critical IT assets. Unfortunately, this simply isn’t the case. ESG sees glaring endpoint security and operational deficiencies because:

Endpoint security and operations live in separate silos. Managing endpoint security and operations like threat detection, vulnerability scanning, backup/restore, and Network Access Control (NAC) can require multiple software agents, dozens of products, and hundreds of servers (see Figure 5). In most cases, management domains remain autonomous with limited integration for data analysis or command-and-control. This leads to an inefficient endpoint management patchwork requiring esoteric administrator skills, redundant processes, and significant management overhead – no match for the exponential growth of endpoints and threats.


FIGURE 5. ENDPOINT SECURITY AND OPERATIONS STOVEPIPES

Source: Enterprise Strategy Group, 2008

Security remains focused on technical infrastructure rather than critical data. Typical endpoint security tools like antivirus, anti-spyware and firewalls were designed for network security or malicious code protection. Yes, these defenses are still necessary, but IT needs things like Data Loss Prevention (DLP), Full-disk encryption (FDE), and regular endpoint backup to protect the confidentiality, integrity, and availability of confidential data that regularly flows in and out of endpoint devices. Recent ESG Research data on system backup demonstrates that information-centric safeguards are well behind where they need to be. While servers are regularly backed up, less than half of all desktops and laptops receive the same type of data protection (see Figure 6). Given that backup is the most mature of these information-centric defenses, one can only assume that only a fraction of vulnerable systems are currently instrumented with DLP, FDE or other information-centric security safeguards.

FIGURE 6. LESS THAN HALF OF ALL PCS ARE BACKED UP

Which of the following devices are currently protected by the backup policies and procedures at your present location? (Percent of respondents, N = 89, multiple responses accepted)

| Device | Percent of respondents |
|---|---|
| Laptops/Mobile Devices | 38% |
| Desktops | 46% |
| Servers | 97% |

Source: Enterprise Strategy Group, 2008

[Figure 5 diagram labels, each appearing twice in the diagram: Endpoint Security; Vulnerability Scanning; Asset and Configuration Mngmt.; DLP; Backup/Restore; Patch Mngmt.; NAC.]


IT operations and security policies are difficult to monitor and enforce. With so many diverse processes and tools, it is difficult if not impossible to assess the state of endpoint devices, build consistent endpoint configuration images, or produce reports and metrics for IT best practices and compliance requirements. This deficiency is felt throughout IT. Operations managers have difficulty keeping up with patch and security configuration policies. Security administrators can’t ensure that endpoints accessing the network can be considered “healthy.” Access controls must be individually built on custom rules at edge switches, wireless access points, remote access systems, and firewalls. IT auditors have to piece together disparate reports and offer best guesses as to whether endpoints are compliant or not. These monotonous issues add a tremendous amount of overhead and risk across the entire IT infrastructure.

The aggregate situation can be summarized as follows: Endpoint devices and threats targeting the data on these systems are growing at an exponential rate while endpoint risk and operations management continues to plod along with arithmetic growth. This imbalance results in an operations and risk management gap that grows wider every day (see Figure 7). At best, this gap increases operating costs and risk. At worst, it could lead to catastrophe. When a mis-configured endpoint introduces an unknown vulnerability that ultimately leads to a data breach, the Board of Directors will have little sympathy for IT operations and security administrator challenges.

FIGURE 7. THE GROWING ENDPOINT SECURITY AND OPERATIONS GAP

[Chart of rate of change against time. Labels: “Rate of endpoints and web threats evolution continues to increase”; “Endpoint security and operations processes and tools improve at a modest pace annually”; “Endpoint security and operations gap grows each year”.]

Source: Enterprise Strategy Group, 2008

Introducing Endpoint Risk and Operations Management (EROM)

Current disconnected endpoint security and operations management is no match for the rapidly changing world of endpoint devices and sophisticated threats. What’s needed is a more integrated approach that ESG calls Endpoint Risk and Operations Management (EROM). EROM addresses today’s shortcomings with:


A common architecture. EROM is based upon an integration of endpoint security, operations, and management technologies, a common endpoint data repository, and multiple EROM services (see Figure 8). Integrated endpoint agents continuously collect and publish data on endpoint health, configuration, and data protection status and communicate this information to the EROM system upon connection. Various EROM services subscribe to these data updates, compare status information to endpoint policies, and then take appropriate actions. When a sales manager returns from a 2-week family vacation, her laptop immediately tells the EROM system that its patch level, security signatures, and backups are outside of policy guidelines, prompting the EROM system to automatically begin to update the configuration and perform a system backup as a background service. In this way, EROM services can be managed and executed via universal policies and monitored via a single dashboard.

FIGURE 8. THE EROM ARCHITECTURE

[Diagram labels: Common console and reporting; Middleware Bus; Common EROM data collection and repository; Integrated security and operations management on each desktop. Services shown: Backup; Patch management; NAC; DLP; Asset and Configuration management; Vulnerability scanning; Endpoint Security.]

Source: Enterprise Strategy Group, 2008

Layered defenses. EROM adds information- and identity-centric safeguards like DLP, device controls, and policy-based enforcement to traditional antivirus, IDS/IPS, anti-spyware, and firewall defenses. To support device identity, the EROM agent includes an 802.1X supplicant and plugs into NAC architectures through standard protocols like the Trusted Computing Group’s Trusted Network Connect (TNC) and Microsoft Network Access Protection (NAP). This addition lets organizations create access policies for specific endpoints based upon environmental factors such as network location and time of day. Furthermore, EROM provides information-centric defenses for data classification, DLP, encryption, and backup/restore. These enhancements should help reduce the risk of a data breach.

Integrated policy management. One of the biggest benefits of EROM is common policy management and enforcement across all endpoint security and operations tasks. For example, EROM will enable IT managers to build a standard policy for all endpoints defining which endpoints are granted network access (i.e. NAC) and how often each endpoint is scanned for vulnerabilities, patched, and backed up. EROM policies can also be easily changed or customized. When a lead engineer is working on a critical project, his endpoint may be backed up several times a day rather than once every 48 hours. By integrating these functions, IT can eliminate multiple stand-alone endpoint security/operations tools, automate operations, and greatly reduce support costs.

Aggregated data analysis and reporting. With EROM, all information about endpoint status, policy compliance, and usage is consolidated in a single place. This information can then be used for all kinds of reporting needs. IT can integrate endpoint configuration status with its CMDB as part of ITIL best practices. Compliance auditors can assess the effectiveness of controls as they relate to regulations like Sarbanes-Oxley or PCI DSS. Financial analysts can track and amortize endpoint assets. The possibilities are endless.
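The publish/subscribe flow under "A common architecture" and the per-endpoint policy customization under "Integrated policy management" can be modeled as follows. This is an added example, not code from the paper or from any vendor product: every class, function and endpoint name is hypothetical, and the 7-day patch and 1-day signature thresholds are assumptions (only the 48-hour backup interval comes from the text).

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Hypothetical model: the paper defines no API, schema or thresholds
# other than the 48-hour backup interval.

@dataclass(frozen=True)
class EndpointPolicy:
    max_patch_age: timedelta = timedelta(days=7)        # assumed
    max_signature_age: timedelta = timedelta(days=1)    # assumed
    backup_interval: timedelta = timedelta(hours=48)    # from the text

@dataclass(frozen=True)
class StatusReport:
    """What an endpoint agent publishes when it connects."""
    endpoint_id: str
    last_patched: datetime
    signatures_updated: datetime
    last_backup: datetime

STANDARD = EndpointPolicy()
# Customized policy: a critical-project endpoint is backed up several times a day.
OVERRIDES = {"eng-lead-01": replace(STANDARD, backup_interval=timedelta(hours=6))}

def policy_for(endpoint_id):
    return OVERRIDES.get(endpoint_id, STANDARD)

class EromBus:
    """Services subscribe once; every published report is checked by each of them."""
    def __init__(self):
        self._services = []

    def subscribe(self, service):
        self._services.append(service)

    def publish(self, report, now):
        policy = policy_for(report.endpoint_id)
        actions = (service(report, policy, now) for service in self._services)
        return [a for a in actions if a is not None]

# Each service compares one part of the report to policy and names a remediation.
def patch_service(report, policy, now):
    return "apply-patches" if now - report.last_patched > policy.max_patch_age else None

def signature_service(report, policy, now):
    stale = now - report.signatures_updated > policy.max_signature_age
    return "update-signatures" if stale else None

def backup_service(report, policy, now):
    return "run-backup" if now - report.last_backup > policy.backup_interval else None

def build_bus():
    bus = EromBus()
    for service in (patch_service, signature_service, backup_service):
        bus.subscribe(service)
    return bus

NOW = datetime(2008, 7, 15, 9, 0)  # constructed timestamp

def demo():
    """Evaluate three constructed reports against standard and customized policy."""
    two_weeks_ago = NOW - timedelta(days=14)
    reports = [
        # Laptop reconnecting after a 2-week vacation: everything is out of policy.
        StatusReport("sales-mgr-07", two_weeks_ago, two_weeks_ago, two_weeks_ago),
        # Same freshness on two endpoints; only the override makes a backup due.
        StatusReport("eng-lead-01", NOW - timedelta(days=2),
                     NOW - timedelta(hours=3), NOW - timedelta(hours=10)),
        StatusReport("desk-112", NOW - timedelta(days=2),
                     NOW - timedelta(hours=3), NOW - timedelta(hours=10)),
    ]
    bus = build_bus()
    return {r.endpoint_id: bus.publish(r, NOW) for r in reports}

if __name__ == "__main__":
    for endpoint, actions in demo().items():
        print(endpoint, actions)
```
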

EROM has some obvious IT benefits:

From a security perspective, the integration of endpoint security activities should provide CISOs with a more comprehensive picture of endpoint security enabling more active and targeted remediation activities with fewer omissions and errors.

IT operations should also improve as administrators concentrate around centralized policy management and administration rather than a variety of point tools. These advantages alone make EROM extremely attractive, but EROM can also help organizations in several other ways.

For example, EROM can help ease IT planning and technology migrations. When Acme Corporation wants to move its order entry personnel from physical to virtual endpoints, it will have a complete asset/configuration inventory and activity history it can use to assess server and networking needs. Finally, EROM can also help organizations accelerate business initiatives. When Acme acquires ABC Company, it can quickly extend endpoint policies to new employees without disrupting business operations.

The Road to EROM

EROM should not be thought of as yet another “rip-and-replace” grandiose IT project. Quite the contrary, EROM’s integration of security and operations services means that the model can be built over time. Organizations may start by deploying the EROM endpoint agent and using it for a specific task like security, backup, or configuration/patch management. Over time, CIOs can retire legacy stand-alone security and operations management applications one-by-one as licenses expire or products are due for a major upgrade. In this way, EROM adds value right away while the overall scope of EROM builds over time. Since EROM can improve security while lowering operating costs and resources, prudent CIOs should begin planning for a migration to the new model that more effectively addresses today’s endpoint needs with a detailed and phased project plan. Organizations can begin this effort by:

Evaluating immediate needs. Most companies already have some pressing endpoint initiative scheduled such as NAC, DLP, or endpoint encryption. Rather than buying yet another point tool, CIOs can use these requirements as an opportunity to begin their EROM migration project. By addressing a tactical need first, organizations can get an EROM platform in place for future strategic needs while receiving an immediate security, IT operations, and business benefit.

Assessing security and operations processes and costs. Since security and operations functions have grown up in silos, it is difficult if not impossible for IT managers to define appropriate IT processes and the total cost necessary to support endpoints. Assign an IT analyst to help piece together this puzzle. Who determines endpoint policies? How many independent IT groups and people are involved? Do these folks collaborate or work independently? Are tools integrated or completely separate? Can IT groups detect and respond to problems in a timely manner? What type of calls is the help desk receiving? Compile a report that answers questions like these and look for areas where EROM can provide short- and long-term improvements. Think of this exercise as a blueprint for the EROM rollout and ROI metrics definition.

Mapping EROM planning with IT governance needs. According to ESG Research, many large organizations are embracing IT best practices models such as CoBiT, ISO, Six Sigma and ITIL that provide formal methodologies for things like asset management, configuration management, and incident management (see Figure 9). IT managers in this position should assess their IT best practices progress and goals against EROM capabilities. Ultimately, EROM could complement IT best practices, accelerating the benefits of each initiative.

FIGURE 9. LARGE ORGANIZATIONS ARE EMPLOYING IT BEST PRACTICE MODELS

Source: Enterprise Strategy Group, 2008

Researching vendor offerings. The impending EROM blitz will radically change the competitive landscape. To bolster their offerings, security vendors will look to acquire or partner with endpoint operations companies and vice versa, creating marketing rhetoric that is sure to confuse end users. Look for vendors that: 1) Have integrated endpoint agents, 2) Already have a wide array of endpoint security and operations technology, 3) Can present a detailed roadmap that outlines future EROM plans, and 4) Have the financial and technical resources to back up their PowerPoint slides. Users may also need help in transitioning from their current security and operations model to EROM. Look for vendors who support products with an array of professional and managed services in order to maximize your options.

Since EROM combines tools focused on endpoint security and operations, few vendors come to mind as potential leaders in this burgeoning space. One exception here is Symantec Corporation. The Symantec Open Collaborative Architecture is creating greater interoperability between Symantec solutions and provides partners and customers with the ability to integrate their applications with the Symantec platform. The Web services-based architecture provides data sharing and IT automation to streamline process execution and reduce the cost and risk of IT ownership.


The Last Word

The onset of EROM follows a common IT pattern. As IT devices proliferate, it becomes difficult to manage the sprawl using a series of individual point tools. This leads to more embedded functionality and tools consolidation over time. EROM goes a bit beyond this as it amalgamates endpoint security and operations into a single toolbox, but the goals here are identical to those in the past: Decrease complexity and increase efficiency. EROM will certainly meet these goals. The irony with EROM is that deployment may be limited by IT culture rather than technology restrictions. IT operations, security, and desktop support tend to act as independent groups with their own budgets and methodologies. Since no one “owns” EROM or has an EROM budget, this could preclude implementation. ESG encourages IT and security managers to work through these artificial boundaries by creating a cross-functional EROM project team, providing leadership and communications tools for the project, and linking compensation to EROM metrics. This should encourage collaboration throughout the EROM rollout.

20 Asylum Street

Milford, MA 01757

Tel: 508-482-0188

Fax: 508-482-0218

www.enterprisestrategygroup.com