April 01, 2010, 9:12 PM — Users say protecting network endpoints is becoming more difficult as the variety of endpoint devices -- desktops, laptops, smartphones -- grows, making security a complex moving target.
The problem is compounded by the range of what groups within corporations do on these devices, which translates into different levels of protection for classes of users on myriad devices.
Deciding the appropriate device defense becomes the No. 1 job of endpoint security specialists, says Jennifer Jabbush, CISO of Carolina Advanced Digital consultancy. Depending on the device and the user's role, endpoints need to be locked down to a greater or lesser degree.
For instance, Wyoming Medical Center in Casper, Wyo., has four classifications of PCs -- open PCs in hallways for staff use; PCs at nursing stations; PCs in offices; and PCs on wheels that move between patient rooms and handle very specific, limited applications, says Rob Pettigrew, manager of technical systems and help desk for the center.
Pettigrew is deploying Novell ZENworks to 850 of the center's 900 PCs in order to make sure each class has the right software. With 110 applications and 40 major medical software systems, that makes a huge matrix of machine types and restrictions to contend with, he says.
In addition, physicians in affiliated clinics can gain access via SSL VPN, but they are limited to reaching Web servers in a physician's portal that is protected from the hospital data network. Some Citrix thin-clients are also used to protect data from leaving the network, but overall the strategy for unmanaged machines is a work in progress, Pettigrew says. "We're hoping to get more help desk," to deal with the external physicians, he says.
One concern that can be addressed by endpoint security is data privacy, which is paramount for the Los Angeles County Department of Health Services in California, says Don Zimmer, information security officer for the department. He supports about 18,000 desktops and laptops and operates under the restrictions of Health Insurance Portability and Accountability Act regulations. That means disk encryption, he says.
"If it's not encrypted and there is a breach, then we have to start calling people," he says. To avoid violating patients' privacy and losing public trust, the department encrypts the drives of all the PC endpoints with software from Pointsec.