The corporate cloud is accessed from endpoints in a variety of environments: managed devices inside the corporate physical environment, employees working remotely (from home, a café or a hotel), and customer and supplier environments:
Many organizations have taken considerable measures to protect data at rest in the cloud and data in transit between the endpoint and the cloud. Managed endpoints inside the enterprise are under the organization's full control, and measures are in place to secure them; the same is true of managed corporate laptops used for remote access. Beyond these lie the unmanaged endpoints used by employees, suppliers and customers, and this is where the greatest exposure lies: the organization cannot verify their patch level, configuration or installed software, so their security posture has to be assumed to be below that of its managed devices. For the corporate cloud ecosystem as a whole to be considered secure, every endpoint, and the data entered into it, must be protected.
Most practitioners acknowledge that anti-virus alone is insufficient to secure an unmanaged device: too many threats evade signature-based and heuristic detection. Issuing corporate laptops to every employee, customer and supplier who may need remote access to the enterprise network is also usually too expensive and impractical.
One way for the organization to enforce a common security posture across all endpoints accessing the corporate network is through protected applications. The whole endpoint need not be managed; only the specific applications that handle data bound for the corporate cloud need to be secured. Protecting applications means wrapping or hardening applications such as the browser; Office 365; SaaS application access; enterprise applications such as accounting, personnel, CRM, SAP or Oracle; and remote access clients such as Citrix, VMware and RDP. Securing the data entered into these applications can bring an unmanaged device, for the protected applications and the data they handle, to a level of security comparable with (and in some cases better than) a managed corporate device. The protection is scoped to the application: it secures the data those applications handle rather than the rest of the device, and an attacker who already controls the endpoint's operating system is outside what application-level wrapping can counter. Because the protection is delivered as a software download, it is far more cost effective and more practical than issuing a corporate laptop to every remote employee, customer and supplier.
Because protected applications can in some instances provide greater security than corporate managed devices, some organizations also protect applications on their managed devices, so that every endpoint accessing the corporate network shares the same security posture.
To bring employee remote access endpoints and customer and supplier endpoints up to the security posture of a corporate managed endpoint, applications must be protected against endpoint threats such as keylogging, screen capture and screen mirroring, man-in-the-browser and man-in-the-middle attacks, harvesting of saved credentials and account details, DLL injection, and RDP double-hop attacks. Closing these gaps is vital to achieving a secure corporate cloud ecosystem.
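The DLL injection item above has a direct Linux counterpart, injection of a shared object (commonly via LD_PRELOAD) into the application's process, and the following is an added example of the kind of self-check a protected application can run against it. It is not code from the original page or from any product the page describes: the allowlist of expected libraries, the path and module names, and the /proc/self/maps excerpt are all constructed for this example, and the check relies on the format of Linux /proc/<pid>/maps.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Basename prefixes this hypothetical protected application expects to find mapped.
   Constructed for the example; a real product would ship a signed, versioned list. */
static const char *const EXPECTED_PREFIXES[] = {
    "libc.so", "libc-", "ld-linux", "ld-", "libm.so", "libm-",
    "libpthread", "libdl", "libgcc_s", "libstdc++"
};

/* Returns 1 if the basename of path starts with an allowlisted prefix, else 0. */
int module_is_expected(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    for (size_t i = 0; i < sizeof EXPECTED_PREFIXES / sizeof *EXPECTED_PREFIXES; i++)
        if (strncmp(base, EXPECTED_PREFIXES[i], strlen(EXPECTED_PREFIXES[i])) == 0)
            return 1;
    return 0;
}

/* Scans text in /proc/<pid>/maps format and returns the number of distinct shared objects
   (absolute paths containing ".so") that are not allowlisted. Each offender is reported once. */
size_t count_unexpected_modules(const char *maps_text)
{
    char seen[64][256];           /* distinct offenders already reported (bounded) */
    size_t nseen = 0, unexpected = 0;
    const char *line = maps_text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        /* The pathname is the last field; anonymous mappings end in "0 " and yield none. */
        const char *p = end;
        while (p > line && p[-1] != ' ' && p[-1] != '\t')
            p--;
        size_t plen = (size_t)(end - p);
        char path[256];
        if (plen > 0 && plen < sizeof path && p[0] == '/') {
            memcpy(path, p, plen);
            path[plen] = '\0';
            if (strstr(path, ".so") && !module_is_expected(path)) {
                int dup = 0;
                for (size_t i = 0; i < nseen && !dup; i++)
                    dup = strcmp(seen[i], path) == 0;
                if (!dup) {
                    if (nseen < 64) strcpy(seen[nseen++], path);
                    unexpected++;
                    fprintf(stderr, "unexpected module mapped: %s\n", path);
                }
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    return unexpected;
}

/* Applies the same check to the running process (Linux only; returns 0 where /proc is absent). */
size_t scan_self(void)
{
    static char buf[1 << 16];     /* 64 KiB covers a small process; larger maps are truncated */
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return count_unexpected_modules(buf);
}

/* LD_PRELOAD is the usual vehicle for user-space library injection on Linux. */
int preload_env_set(void)
{
    const char *p = getenv("LD_PRELOAD");
    return p != NULL && *p != '\0';
}

/* Constructed /proc/self/maps excerpt: libc and the loader are expected; the object under
   /tmp is not, and appears twice because it has two mappings. All paths are invented. */
static const char SAMPLE_MAPS[] =
    "55d0c3a00000-55d0c3a01000 r--p 00000000 08:01 1234567  /opt/example/protected-app\n"
    "7f1a2b000000-7f1a2b028000 r--p 00000000 08:01 2345678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a2b028000-7f1a2b1bd000 r-xp 00028000 08:01 2345678  /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1a2b400000-7f1a2b403000 r-xp 00000000 08:01 3456789  /tmp/.cache/inputhook.so\n"
    "7f1a2b403000-7f1a2b404000 rw-p 00002000 08:01 3456789  /tmp/.cache/inputhook.so\n"
    "7f1a2b600000-7f1a2b62a000 r--p 00000000 08:01 4567890  /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2\n"
    "7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0  [stack]\n"
    "7ffd5e0f3000-7ffd5e0f5000 r-xp 00000000 00:00 0  [vdso]\n";

int main(void)
{
    size_t sample = count_unexpected_modules(SAMPLE_MAPS);
    printf("sample excerpt: %zu unexpected module(s)\n", sample);
    printf("this process:   %zu unexpected module(s), LD_PRELOAD %s\n",
           scan_self(), preload_env_set() ? "set" : "unset");
    return sample ? 1 : 0;
}
```

Compiled with any C compiler and run on Linux, the sample excerpt reports the object under /tmp once even though it has two mappings, and the live scan applies the same rule to the running binary. A check of this kind raises the bar for user-space injection, but it cannot bind an attacker who already has root or kernel access on the device, which is why it complements rather than replaces the other protections listed above.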
Achieving a common security posture across all endpoints accessing the corporate network has many benefits, including:
- Sensitive data entered at the endpoint is protected against the cloud ecosystem’s greatest threats
- All endpoints touching the network, from inside and outside the organization, meet the required security standards
- Compliance is easier to demonstrate as regulatory attention increasingly focuses on endpoint security
- New potential threats can be assessed (or tested) against a known, common security posture
- Sensitive data is protected from the moment of the user's keypress at the endpoint, before it is encrypted, before it is transmitted, and before it reaches the cloud