Focusing on Endpoints Distracts from Effective Security

Originally published by CXO Revolutionaries.

Written by Gary Parker, Field CTO - AMS, Zscaler.

Endpoint security is a pivotal aspect of cybersecurity, but should it be a primary focus for CISOs? During the early days of networking (and through the early 2010s), focusing security efforts on endpoints made sense. Businesses running private networks and data centers kept their infrastructure largely on-premises. Connections to the outside world were few and relatively manageable.

During this era, an organization’s attack surface was the sum of the physical devices connected to its internal network (aka endpoints). If a company could protect its PCs, servers, routers, and other managed devices, then it would be considered relatively secure. Of course, keeping the business infrastructure updated was no small task. Organizations often implemented a centralized client/server model to ensure workstations received the latest software and security updates. Admin servers managed client software updates, configurations, and gathered endpoint telemetry data. Client software would detect and block malicious activity on the endpoint.

This system of security coverage worked reasonably well, but had some major problems. For example, an endpoint physically removed from the network (e.g., a workstation laptop taken on vacation) quickly fell out of compliance. Activity occurring on the traveling endpoint remained completely invisible to business infrastructure until it rejoined the domain. During these security blind spots, endpoints become vulnerable by missing updates, or worse, could be compromised by threats.

Modern endpoint solutions may solve this problem by having remote endpoints connect to the admin server via VPN or over the internet. Yet, this reveals a serious problem with endpoint-focused security. The network architecture used by remote endpoints to reach their organization is not managed by the company’s IT department. An entire chain of unknown endpoints facilitates the remote business connection. How are these third-party endpoints secured? How trustworthy is the network carrying the organization’s sensitive data from a remote location?

No one really knows.

By relying on outside infrastructure to transmit sensitive data, the attack surface has not only grown but expanded beyond the reach of the CISO.

These types of security issues were magnified during the pandemic. Workers sent to home offices often took the sensitive company data necessary for their jobs. This data traveled over non-secure (home) networks, and may have been stored on unmanaged devices, including smartphones, tablets, or removable storage. Unfortunately, many organizations focusing on endpoint-based security were overwhelmed by the number and variety of devices used by remote workers. The IT team needed help to scale the antiquated server/client endpoint model to keep pace with the security demands of a hybrid workplace.

Refocusing on the attack surface

Many security professionals realized trying to secure an ever-expanding number of personal and business devices was a losing strategy. Outside networks handling sensitive business communications represent endpoints beyond an organization’s reach. Unmanaged employee devices accessing emails and work documents posed another problem for endpoint-based security. A business attempting to manage and secure every device that touches its organization will exhaust itself long before reaching its goal. Simply put, the modern attack surface cannot be vanquished on the endpoint level.

Fortunately, there is an alternative to the endpoint protection model that significantly reduces the attack surface. Embracing the alternative requires CISOs to abandon endpoint-centric thinking and consider the problem of protecting the organization’s “crown jewels.”

If the security endpoints cannot be guaranteed, how can business assets be protected?

Removing vital business resources and data from endpoints is an essential first step. This can be achieved by migrating apps and files to the cloud. Endpoint-local applications should be replaced by software-as-a-service (SaaS), and business files should be restricted to cloud storage. If the company has proprietary software that cannot be moved to the cloud, it should limit the total number of endpoints using these apps. A workstation with no sensitive data or locally executable applications presents an extremely limited danger to a company.

Likewise, migrating sensitive data and productivity apps to the cloud limits the number of ways a significant security breach can occur (reduces attack surface). A CISO’s team will have an easier time monitoring and protecting cloud connections than trying to secure hundreds or thousands of individual endpoints. In other words, undergoing cloud migration shifts the attack surface from countless endpoints and networks to a few manageable cloud services and destinations. Providing security is no longer an impossible task, but one achievable by ensuring secure communications between trusted initiators and cloud-based business resources.

Who is a trusted initiator?

Identity access management (IAM) plays a significant role in determining whether a connection should be created between an initiator and a company resource. During an IAM evaluation, the security of the requestor’s device may be one factor in determining trust, but it is not the only consideration. Other contextual information, such as the time of the request, the resource being requested, and the requestor’s role may play a factor as well.

Once a system for establishing trusted connections is in place, many issues plaguing endpoint security are solved. Strong identity management opens the door to better, more granular, and secure access options. It is a springboard for scaling up to context-based cloud access. For example, from IAM, an organization can move toward implementing a zero trust architecture. This allows for strong context-based access options, such as devices without a healthy security posture or updated software having their access denied. With better environmental visibility, data arriving from or going to suspicious destinations can be ignored.

Advanced cloud platforms can provide options beyond simply pass/fail access. For example, unmanaged or non-compliant devices are allowed access to certain files, but denied others. Some devices may be authorized to receive files, while others are simply streamed pixels displaying file contents. Most importantly, once the initiator identity and destination are known, organizations can begin authenticating users directly to apps rather than to the network. If an organization can employ app-based or user-based segmentation, network security problems like lateral threat movement are no longer an issue.

With cloud-based security platforms, initiators may represent more than users trying to access business resources. They may represent connection requests from applications or other cloud workloads as well. This versatility allows cloud platforms to govern non-human interactions in the business enterprise with the same level of adaptable policy enforcement. Once a business migrates its resources to the cloud and adopts IAM, it has taken its first step toward adopting an effective zero trust framework.

Wrap up

The purpose of this article is not to play down endpoint security, which plays a significant role in the cybersecurity ecosystem. Keeping organizational endpoints secure is a key factor in maintaining a robust security posture. Rather, the point is to demonstrate that business resources and sensitive data are routinely exposed to endpoints beyond the reach of a company’s CISO. Given this reality, basing a strategy on securing every endpoint is simply not feasible.

However, removing vital business data and resources from endpoints and putting them in the cloud is quite doable. Once the “crown jewels” of a business are in a centralized location, it becomes considerably easier to protect them from unauthorized access. This allows security teams to shift their attention from micromanaging endpoints to providing secure connectivity between trusted initiators and authorized resources.

There are many other ways an organization can improve its security posture by focusing on the attack surface, rather than obsessing over endpoints. For a comprehensive guide on practical next steps, consider downloading a copy of Seven Elements of Highly Successful Zero Trust Architecture.