Holistic Endpoint Security Across Devices
Key Points
- Endpoint security is essential because strong identity measures like multi‑factor authentication are meaningless if the device they run on isn’t trusted or is compromised (e.g., jailbroken).
- An “endpoint” includes a wide range of hardware—from servers and desktops to laptops, mobile phones, and increasingly IoT devices and household appliances—any device that can connect to the corporate network.
- The traditional divide between business‑only and personal‑only devices is largely a myth; employees regularly use the same devices for both work and personal purposes, and even home‑based servers or appliances can become part of the corporate attack surface.
- Each type of endpoint introduces its own set of vulnerabilities, so architects must adopt a holistic view that secures every device to reduce the overall attack surface.
Sections
- Understanding Endpoint Security Fundamentals - The speaker introduces endpoint security by defining endpoints—including servers, desktops, laptops, mobile devices, and IoT—and explains why securing these devices is essential for trustworthy identity and access management.
- Complexity of Multi-OS Endpoint Management - The speaker highlights how the diversity of operating systems and device types increases security complexity, necessitating coordinated endpoint security controls and unified management practices.
- Automated Asset Discovery & Policy Enforcement - The speaker outlines a need for a system that can inventory all hardware and software assets—highlighting known and unknown components—and automatically enforce organization-wide security policies such as allowed software versions, patch compliance, and password requirements.
- Defining BYOD Security Programs - The speaker distinguishes well‑defined versus poorly‑defined BYOD initiatives, arguing that only a clear, consent‑driven policy can meet security needs and prevent unsanctioned device and cloud usage.
- Guidelines for Approved Devices and Apps - The speaker explains how organizations should restrict and monitor hardware, applications, and cloud services by specifying approved configurations and guiding users toward compliant choices rather than simply forbidding them.
Source: https://www.youtube.com/watch?v=Njqid_JpqTs
Duration: 00:14:10
Section timestamps
- 00:00:00 Understanding Endpoint Security Fundamentals (https://www.youtube.com/watch?v=Njqid_JpqTs&t=0s)
- 00:03:06 Complexity of Multi-OS Endpoint Management (https://www.youtube.com/watch?v=Njqid_JpqTs&t=186s)
- 00:06:10 Automated Asset Discovery & Policy Enforcement (https://www.youtube.com/watch?v=Njqid_JpqTs&t=370s)
- 00:09:18 Defining BYOD Security Programs (https://www.youtube.com/watch?v=Njqid_JpqTs&t=558s)
- 00:12:21 Guidelines for Approved Devices and Apps (https://www.youtube.com/watch?v=Njqid_JpqTs&t=741s)
Full Transcript
Welcome back to the Cybersecurity Architecture Series.
In the previous videos, I talked about some of the fundamentals of cybersecurity.
And then in the last video, we started a seven part series on the various domains of cybersecurity.
In particular, last time we talked about identity and access management, which I said is the new perimeter.
Well, all of that stuff, for instance, multi-factor authentication that we do in the IAM space depends on us having a trusted platform that it's coming from.
It won't matter how strong the biometric is, if it's coming from a jailbroken device.
So I need to be able to secure that to make sure that that endpoint is in fact secure and can be trusted.
So today we're going to talk about endpoint security.
First off, what is an endpoint?
What do I mean by that?
Well, it involves a lot of different things, as you see here.
For instance, from a hardware perspective, it involves different platforms.
It could be a server, although a lot of times people skip over that and assume that's handled by the server group.
Well, it can be.
But in fact, I want to think about this in much more holistic terms.
I want to see the server as a computing platform, someone's desktop system, a laptop system, that they have a mobile device.
And in fact, we need to also consider IoT, that is, the Internet of Things.
All of the stuff that is now getting computing capability built into it that we wouldn't necessarily consider a computing device in the past.
You can see here we pictured it as a camera, but it could be a lot of other things.
It could be household appliances, for that matter.
So these all are the hardware platforms that in fact are on our systems;
they're on our networks, and in some cases we're coming into the corporate network from those.
Another thing to consider.
So while along this axis, we've got varying hardware platforms, we've got also this sort of a continuum between business use of these devices and personal use.
And in fact, I'll tell you that business and personal, there are a few people that have servers in their homes,
and there are a lot of people, of course, that have mobile devices they use for work, for business.
So the idea that there's a distinction between business and personal, I'd say that's largely a fiction anymore.
People are using all of these devices in all cases.
And again, the home appliances on the home network, which then connects to the corporate network.
So these are all part of the scope that we have to consider as an architect.
I like this term holistic.
I want to keep staying with holistic views and look at all of the endpoints that are out there.
Because in fact, the other thing that every single one of these is doing is it's contributing to our attack surface.
This bad guy--every one of these platforms represents another way that he can come in and potentially attack us.
Each one of these will have different vulnerabilities, and some of them, like these devices, maybe we hand to the kid and let them play games with.
This guy will love that.
It makes it even easier for him to attack the expanding size of the perimeter.
The expanding size of the attack surface is, in fact, creating a lot of challenges for us.
And this is looking at it strictly from a hardware standpoint.
There's also a software view of all of this, and that is across these different devices.
I've got lots of different operating systems to deal with.
We've got Windows, MacOS, Linux, Unix, we've got mainframes, we've got mobile devices,
we've got all kinds of others and some of these IoT devices, who knows what kind of operating system is running on those?
Every single one of these creates more complexity.
And more complexity?
Remember, complexity is the enemy of security.
So all of this endpoint mess is why, in fact, we need to do controls.
Okay, we just talked about what is an endpoint.
Now we're going to talk about what are the security controls that we need to put on those endpoints in order to make them secure.
So let's talk about endpoint management systems and how we operate these things.
The typical practice we'll start with and then we'll move to the best practice.
Typical practice is, we've got this guy down here, he logs into a console which then manages the servers.
In a perfect world, we at least have all of the servers managed together.
In a lot of cases, that's not even the case.
Then we've got another administrator who logs into a different system to manage all the desktops and laptops.
Sometimes those are running different OSes and therefore different tools and things like that.
So another!
Then we've got another administrator over here who is using his mobile device management system
in order to deal with the mobile phones, tablets, this kind of stuff.
And then when it comes to the IoT, well, most cases we've got nothing.
So there is nothing down here managing those at all, which is a whole other problem in and of itself.
But you can see what's happened here.
We've got multiple administrators managing different kinds of things.
And the good news is they at least are domain experts in those particular areas.
But it's not the most efficient way and it's not the simplest way.
And again, complexity is the enemy of security.
If I want to implement a single security policy across all of these,
maybe with a few tweaks in here and there, but you get the idea, I'd like to be able to do it from one console.
I could have logically one administrator who does this across all of these different platforms
so I can push down policies and patches that then go across the entire infrastructure
and then get up information and alerts about all of these different systems into the one console.
It's much more efficient.
I don't need necessarily all that much domain expertise because I have all of this in one system and I have the ability to control it all.
Visibility and control are keys to security.
If I can do both of those, then I have a fighting chance.
So this would be the best practice: to integrate all of those into a holistic
--the word I used in the previous section, *holistic*--Endpoint Security Management System.
Now I've talked about policies.
What might these policies be?
What are the things that I'm trying to enforce over here?
Let's take a look at what some of those controls might be.
So for one thing, I'd like the system to be able to query over here and tell me what are all the different systems that I have.
I may know about all of them.
I may not.
I'd like to be able to discover the ones I don't know and the ones that I do.
I'd like to know what's the hardware level, what's the software level on these?
In fact, a lot of organizations will have a particular security policy,
which is this next part which dictates what types of hardware and software we will allow in the organization in the IT systems.
For instance, one of the things I might say is for software levels, I'm going to allow the current release N and N minus one release.
In other words, the current release of whatever that accepted software package is and maybe one level back, but two levels back.
Now, you probably are missing a lot of security patches and we need you to have those on there.
So we're going to disconnect you from the sensitive data because now you've got a system that's too old for us to be able to secure it.
So that's a typical security policy that we might enforce.
Other things we might enforce would be password policies.
So I'm going to say on these devices, you need a password of a certain length, strength, expiry date, these kinds of things.
So it's a way of controlling that across a lot of different systems.
Patching I mentioned.
The systems are only as good as the latest software.
And if they've got old software again, from an operating system perspective,
it might be N minus one, but other things might be that we've just come out with a new patch on an application.
I need all of those patches applied because the likelihood is that there are security fixes in there
that if we don't apply those, the bad guys can take advantage.
Other things, an encryption policy.
I might want any of these devices that can hold data, which is probably all of them, to have some sort of encryption policy
so that I can make sure that if the device is lost or stolen, then nobody can get any information off of it
because all the data that's on it is encrypted. Remote wipe capability?
Again, in the case this mobile device maybe goes missing, someone loses it, it gets stolen, something like that,
it would be really great if I could automatically wipe all of the data that's on this device and maybe do the same thing on some of these others as well.
If I see that they have gone missing, I want to be able to blank all the data and do that remotely.
Location tracking.
In case I want to find one of these things, if it's gone.
Now, some organizations may choose to not turn that on because these may be personal devices that are getting used.
That's understandable.
But the capability exists, certainly for the corporate devices to be able to track where those locations could be.
Antivirus or endpoint detection and response.
That is to make sure that I don't have malware on these systems.
And then finally, what's my policy for disposing of these devices?
These things don't last forever.
The battery starts to die on this.
We need to upgrade someone's laptop or something like that.
How are we going to get rid of the device in a way that doesn't expose our information?
Our security controls should take into account all of these things as well.
Okay, now we've covered what are endpoints and what are the controls that we need for them.
Now, let's take a look at BYOD.
Well, what do I mean BYOD?
It's bring your own device.
But let me tell you, it's more complicated than that because a lot of people have figured out how to bring their own IT.
And some people are even bringing their own cloud.
So we've really got this whole collection of acronyms that we're having to kind of deal with.
And the endpoint is just part of this when it comes to these bring your own programs.
I'm going to tell you there's really two types of organizations out there.
There are the ones who have a well-defined program.
The ones who have a poorly defined program.
And then there's another group that claims that's not allowed.
So I'm going to tell you their program is actually an unsanctioned program.
It comes back and really maps to just being one of these.
So it's a poorly defined program.
In other words, there really is no third category.
Everybody is either a well-defined program when it comes to these things or a poorly defined program.
So what would it be if we were to have a well-defined program?
Because this obviously is not going to meet our security needs.
If the security organization says "no", the end user will say "how" and they will do it this way.
Better if we define it in advance for them this way.
What are some of the elements that would go into this?
First of all, consent, especially if the person is bringing their own device that could have their own data.
It's their property.
So we need to make sure that they understand what are the rules.
What are the things that we're going to put on your system?
What are the things we're likely to do to your system with your system, that sort of thing.
So we've got to have consent from the end user who owns this thing.
And we're going to tell them, for instance, "Oh yeah, we're going to monitor certain of your usage or not."
Your policy should state whether you're monitoring their usage or not and under what conditions you might do that.
We're going to look at how you're using your system.
We're going to look and see if you're using it.
It may be just the corporate things that you're doing and monitor only that.
And then we might also want to reserve the right to remotely wipe the device and remove all corporate data.
Now, we can do a selective wipe so that I remove only the corporate data and not all of the personal data.
So if this person has a mobile phone and they've taken family photos on their vacation, that stuff doesn't go away.
But all the corporate data goes away.
If they report the device as lost or stolen or they leave the organization.
So I need that kind of capability.
I might also specify what levels of software are required.
As I mentioned in the previous section, the version, the current, the N, and the N minus one.
But I might also get down to certain applications and say there are certain applications that are required, certain things that must be on your system.
If it's a mobile device, there might be different kinds of things that would be required than if it was, say, a desktop device
where maybe I'm going to be requiring antivirus that I might not require on a mobile device.
There's other things that I might say.
There are some applications you should never have.
We don't want you having this on your device and we're going to check for it and if we see it on there, we're going to report you or
we're going to remove our data from your system, because we believe these devices or these applications, I should say,
are going to make our data vulnerable or they're going to expose us to certain other types of threats.
Then from a hardware perspective, an organization may very well say, we're only going to support you bringing in your device,
but it has to be of a certain hardware configuration.
We can't support every single device that anyone might ever come up with.
So we're going to say "This is the type of desktop, laptop, mobile device that we're going to support.
We're going to support only those and not more."
But we need to be able to specify what that is as well the services that you're going to use from these devices.
Cloud's a good example.
So I might use only authorized services.
If I want to do file sharing, then the organization can say we have a cloud-based file sharing program and everyone needs to use that.
Don't use all of these others.
And we're going to monitor and make sure that that's what you're using, for instance.
So those are examples.
Again, it's best not to say no.
It's better to say how. And if I can say how on these kinds of things, I can guide the users to do the right thing.
Always remember if we make it easier to do the wrong thing than it is to do the right thing, the users are going to basically do the wrong thing.
So we want to make it easier and enable that.
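The policy controls described earlier (current N and N minus one release levels, password rules, encryption, patching) and the BYOD rules just described (required and forbidden applications, approved cloud services) can be expressed as one compliance check run over an endpoint inventory. The following is an added worked example, not code from the video or its speaker: the platform release lists, policy values, application names and the three inventory entries are all constructed for illustration, and any endpoint with a finding is marked for removal from sensitive-data access, the action the speaker describes for out-of-date systems.

```python
"""Endpoint compliance check against an organisation-wide policy.

Added example; all platform releases, policy values, application names
and inventory entries below are hypothetical and constructed for the demo.
"""
from dataclasses import dataclass, field

# Hypothetical release lists per platform, ordered oldest -> newest.
# The last entry is the current release N, the one before it is N-1.
RELEASES = {
    "windows": ["10", "11"],
    "macos": ["12", "13", "14"],
    "ios": ["16", "17"],
}

# Hypothetical policy of the kind the transcript describes.
POLICY = {
    "min_password_length": 12,
    "encryption_required": True,
    "required_apps": {"desktop": {"edr-agent"}, "mobile": {"mdm-agent"}},
    "forbidden_apps": {"unapproved-sync", "jailbreak-tool"},
    "approved_cloud": {"corp-file-share"},
}


@dataclass
class Endpoint:
    name: str
    kind: str            # "desktop" or "mobile"
    os: str
    os_version: str
    password_length: int
    encrypted: bool
    apps: set = field(default_factory=set)
    cloud_services: set = field(default_factory=set)


def allowed_versions(os_name):
    """Versions the policy accepts: current release N and N-1 only."""
    return set(RELEASES[os_name][-2:])


def evaluate(ep, policy=POLICY):
    """Return the list of policy findings for one endpoint (empty = compliant)."""
    findings = []
    if ep.os_version not in allowed_versions(ep.os):
        findings.append(f"os {ep.os} {ep.os_version} older than N-1")
    if ep.password_length < policy["min_password_length"]:
        findings.append("password shorter than policy minimum")
    if policy["encryption_required"] and not ep.encrypted:
        findings.append("storage not encrypted")
    # Required apps differ by device kind (e.g. EDR on desktops, MDM on mobile).
    missing = policy["required_apps"].get(ep.kind, set()) - ep.apps
    for app in sorted(missing):
        findings.append(f"required app missing: {app}")
    for app in sorted(ep.apps & policy["forbidden_apps"]):
        findings.append(f"forbidden app present: {app}")
    for svc in sorted(ep.cloud_services - policy["approved_cloud"]):
        findings.append(f"unapproved cloud service: {svc}")
    return findings


def decide(ep, policy=POLICY):
    """Map findings to an access decision: any finding restricts the endpoint
    from sensitive data until it is remediated."""
    findings = evaluate(ep, policy)
    return ("restrict" if findings else "allow"), findings


# Constructed inventory: one compliant laptop, one badly out of policy,
# one phone that is current but carries a forbidden application.
INVENTORY = [
    Endpoint("lap-01", "desktop", "windows", "11", 14, True,
             {"edr-agent"}, {"corp-file-share"}),
    Endpoint("lap-02", "desktop", "macos", "12", 8, False,
             set(), {"corp-file-share", "personal-drive"}),
    Endpoint("phone-07", "mobile", "ios", "17", 12, True,
             {"mdm-agent", "jailbreak-tool"}, set()),
]


def report(inventory=INVENTORY):
    """Decision and findings per endpoint name, for the console view."""
    return {ep.name: decide(ep) for ep in inventory}


if __name__ == "__main__":
    for name, (decision, findings) in report().items():
        print(name, decision)
        for finding in findings:
            print("  -", finding)
```

The same `evaluate` function serves both the corporate-managed and the BYOD case; what differs is only the policy dictionary handed in, which is what lets a single console apply one policy "with a few tweaks here and there" across platforms.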
Okay, we've talked about endpoint security and covered that.
In the next video, we're going to talk about network security.
In case you've missed any in the series, take a look here.
And if you want to make sure you don't miss any in the future, make sure to click, subscribe and notify so that you'll be notified when the next video comes out.