Three Pillars of Security

FutureRange Secure Desktop – The Three Pillars of Device Security

  • 1. Encrypt
  • 2. Manage
  • 3. Zero Trust

COVID-19 has driven radical change in businesses.

Your offices are empty; your business is facing new challenges, and your employees have adapted to the new way of working. But how do you ensure your security is scaling, now that you have opened your network to a remote workforce?

IT departments and businesses have implemented, in days and months, new technology that would otherwise have been planned out over months and years, so not all of the risks may have been fully considered. Now that we are all working together whilst apart, we are introducing new risk: new networks that can potentially reach our internal assets, and potentially unknown or unmanaged devices.

Learn how FutureRange locks down our customers' devices

When we discuss endpoint security, we believe in a zero-trust model, where trust is never implicit and access is granted on a need-to-know, least-privileged basis defined by granular policies. To this end, access controls are more critical than ever. Everyone knows about and agrees that 2FA is a given these days, and that's fine. But how do we know how secure the devices are that we let onto your network?

Encryption

Let's start with the basics. If you are supplying devices that move around and are not kept under lock and key, everyone knows that you should be using encryption. However, we are coming across customers in organisations of all sizes that do not always adhere to this.

There are many ways to enable encryption simply; FutureRange supplies BitDefender and Sophos to manage the BitLocker encryption keys.

Manage

For many years FutureRange has been managing enterprise Citrix servers, locked down and managed to within an inch of their lives using tools like Citrix WEM and RES Workspace Manager. These tools are great: they allow real granularity in what we can permit the user to do and execute on the virtual desktop. Whilst both products could, in theory, run on endpoint devices, we could count on one hand the customers using this type of setup on end-user devices, primarily because of the cost and the complexity it adds to an environment.

Recently we have been rolling out ThreatLocker to achieve the same result on end-user devices. ThreatLocker provides Application Whitelisting which has long been considered the gold standard in protecting businesses from viruses, ransomware, and other malicious software. Unlike antivirus, Application Whitelisting puts you in control over what software, scripts, executables, and libraries can run on your endpoints and servers. This “default deny” approach not only stops malicious software, but it also stops any other unpermitted applications from running.

Controlling what software can run should be the first line of defence in protecting yourself from malicious software. Ringfencing then adds a second line of defence for the applications that are permitted: first by defining how applications can interact with each other, and then by controlling what resources applications can access, such as the network, files, and the registry. Ringfencing is an invaluable tool in the fight against file-less malware and software exploits.

  • Full, granular audit of every executable, script, or library executed on your endpoints
  • Default-deny application whitelisting approach that denies anything not trusted by your business
  • Thirty-second, single-click approval
  • Stops file-less malware and limits the damage from application exploits
  • Defines how applications can integrate with other applications
  • ThreatLocker automatically adds new hashes when application and system updates are released

When rolling out ThreatLocker we initially deploy the product in learning mode, which builds a picture of exactly what is happening on your endpoint devices. We then review the data with the IT department or security manager and build a whitelist of permitted applications. For malware protection we keep it simple: BitDefender has won numerous awards and just works. We also use BitDefender to manage the endpoints, locking down USB ports and enabling Internet filtering if your endpoint devices are not going through a corporate proxy.
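To make the default-deny and ringfencing model concrete, here is an added Python illustration of the rollout described above: a learning mode that only records what runs, a review step that promotes reviewed hashes onto the allowlist, an enforcement mode that denies anything not on it, and a ringfence that limits what a permitted application may touch afterwards. This is example code written for this page, not ThreatLocker's implementation or data model; the event fields, hash inputs, paths and policy names are all constructed.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hash of a binary's contents; in practice this is taken from the file on disk."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ExecEvent:
    """One observed execution of a binary, script or library on an endpoint."""
    host: str
    user: str
    path: str
    sha256: str


@dataclass
class Ringfence:
    """What an already-permitted application may touch once it is running."""
    network: bool = False
    file_prefixes: tuple = ()
    may_launch: tuple = ()


@dataclass
class AllowlistPolicy:
    mode: str = "learning"                          # "learning" or "enforce"
    allowed: dict = field(default_factory=dict)     # sha256 -> application label
    observed: dict = field(default_factory=dict)    # sha256 -> paths seen while learning
    ringfences: dict = field(default_factory=dict)  # application label -> Ringfence
    audit: list = field(default_factory=list)       # every decision, for review

    def decide_execution(self, ev: ExecEvent) -> str:
        """Default deny: only hashes the business has approved may run."""
        if ev.sha256 in self.allowed:
            verdict = "allow"
        elif self.mode == "learning":
            # Learning mode never blocks; it records what runs so the picture
            # can be reviewed with the IT team before enforcement is switched on.
            self.observed.setdefault(ev.sha256, set()).add(ev.path)
            verdict = "observed"
        else:
            verdict = "deny"
        self.audit.append((ev.host, ev.user, ev.path, ev.sha256, verdict))
        return verdict

    def approve(self, sha256: str, label: str, fence: Ringfence) -> None:
        """The review step: promote a reviewed hash onto the allowlist with its ringfence."""
        self.allowed[sha256] = label
        self.ringfences[label] = fence
        self.observed.pop(sha256, None)

    def decide_resource(self, label: str, kind: str, target: str) -> str:
        """Ringfencing: the second line of defence for permitted applications."""
        fence = self.ringfences.get(label)
        if fence is None:
            ok = False
        elif kind == "network":
            ok = fence.network
        elif kind == "file":
            ok = any(target.startswith(p) for p in fence.file_prefixes)
        elif kind == "launch":
            ok = target in fence.may_launch
        else:
            ok = False
        verdict = "allow" if ok else "deny"
        self.audit.append(("ringfence", label, kind, target, verdict))
        return verdict


# Constructed sample data: stand-ins for the real binaries' contents.
WORD_HASH = sha256_hex(b"constructed: winword.exe build 1")
BROWSER_HASH = sha256_hex(b"constructed: browser.exe build 7")
UNKNOWN_HASH = sha256_hex(b"constructed: unreviewed download")
SAMPLE_EVENTS = [
    ExecEvent("LAPTOP-01", "alice", r"C:\Program Files\Office\WINWORD.EXE", WORD_HASH),
    ExecEvent("LAPTOP-01", "alice", r"C:\Program Files\Browser\browser.exe", BROWSER_HASH),
    ExecEvent("LAPTOP-02", "bob", r"C:\Users\bob\Downloads\setup.exe", UNKNOWN_HASH),
]


def run_rollout() -> dict:
    """Learning mode -> review and approve -> enforce, then apply ringfences."""
    policy = AllowlistPolicy(mode="learning")
    learning = [policy.decide_execution(ev) for ev in SAMPLE_EVENTS]

    # Review with the IT department: approve the business applications only.
    policy.approve(WORD_HASH, "word",
                   Ringfence(network=False, file_prefixes=(r"C:\Users\alice\Documents",)))
    policy.approve(BROWSER_HASH, "browser",
                   Ringfence(network=True, file_prefixes=(r"C:\Users\alice\Downloads",)))

    policy.mode = "enforce"
    enforced = [policy.decide_execution(ev) for ev in SAMPLE_EVENTS]

    # Ringfencing: a permitted office app gets no shell and no network, only its documents.
    fence = {
        "word_launch_shell": policy.decide_resource("word", "launch", "powershell.exe"),
        "word_network": policy.decide_resource("word", "network", "203.0.113.10:443"),
        "word_docs": policy.decide_resource("word", "file", r"C:\Users\alice\Documents\q3.docx"),
        "browser_network": policy.decide_resource("browser", "network", "198.51.100.7:443"),
    }
    return {"learning": learning, "enforced": enforced, "fence": fence,
            "audit_entries": len(policy.audit)}


if __name__ == "__main__":
    for key, value in run_rollout().items():
        print(key, value)
```

The point to notice is the ordering: nothing is blocked until the observed hashes have been reviewed, and once enforcement is on, an unknown hash is denied regardless of where it sits on disk, while the ringfence still records and blocks a permitted application's attempt to start a shell or reach the network.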

The final layer of protection we add is to prevent users from opening dangerous links, or to stop those links reaching the user in the first place. For this, we use Censornet Email Security.

SDP & Contextual Access

Finally, we need to know who is connecting.

How does SDP work?

Rather than focusing on traditional, network-based security, SDP takes a different approach. Instead of focusing on securing the network, SDP focuses on securing the user, the application, and the connectivity in-between. There are four core principles that differentiate SDP technologies:

1. Trust is never implicit – Traditional network security offers excessive trust to its users; trust must be earned. SDPs only grant application access to users who are authenticated and specifically authorized to use that app; furthermore, these authorized users are only granted access to the application, not the network.

2. No inbound connections – Unlike a virtual private network (VPN), which listens for inbound connections, SDPs receive no inbound connections. By using outbound-only connections, both network and application infrastructure are kept invisible, or cloaked, to the internet and are therefore impossible to attack.

3. Application segmentation, not network segmentation – In the past, organizations had to perform complex network segmentation to limit a user's (or an infection's) ability to move laterally once on the network. While this approach worked well enough, it was never granular and required constant maintenance. SDP has native application segmentation that can control access down to a one-to-one basis. The result is far more granular segmentation that is much easier for the IT team.

4. Leveraging the internet securely – With users everywhere and applications moving outside the data centre, organizations need to shift away from a network-centric focus. Security must shift to where your users are, and this means leveraging the internet as your new corporate network. SDP is focused on securing user-to-application connections over the internet rather than securing the users' access to the network.

Contextual Access

Contextual access is all about adapting to ever-changing situations involving devices, locations, data sensitivity levels, threats and vulnerabilities that are risk-matched to desired business outcomes. A powerful way to design contextual access considers all aspects of the 5 W’s of Access – factoring who, what, when, where and why into every access and transactional event. Once access factors have been determined and vetted, access methods can focus on how access should be granted.

The access methods range from direct access to resources, through virtualized access that keeps sensitive data centralized and containerized, to access that securely enclaves sensitive data for offline use, sharing and distribution.

Application-specific networking encrypts data in transit and transparently extends enterprise network visibility and control to the mobile, cloud and the network edge.

The ability to allow or restrict clipboard functionality, define specific usage of peripherals, enforce location-aware behaviours, enforce storage directives and directing the ability to distribute sensitive data are just some of the access methods under contextual control.

With automated access controls constantly evaluated and applied dynamically at the point of service, security decisions are consistently applied across all the different ways we work.
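The SDP principles and the contextual-access section above describe the same decision from two angles: trust is never implicit, access is granted to an application rather than a network, and the who/what/when/where/why of each request determines not only whether access is granted but how. The following added Python example puts those factors into one policy decision; it is illustrative code written for this page, not the logic of any FutureRange product. The user directory, application policies, country codes and hours are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessRequest:
    """The 5 W's plus device posture for one access attempt."""
    who: str                 # authenticated identity
    mfa_passed: bool         # second factor completed for this session
    what: str                # the application requested, never a network
    when: datetime           # UTC timestamp of the request
    where: str               # country code of the client's location
    why: str                 # role under which access is claimed
    device_managed: bool     # enrolled in endpoint management
    device_encrypted: bool   # disk encryption reported as enabled


@dataclass(frozen=True)
class AppPolicy:
    roles: frozenset         # roles entitled to this application
    sensitivity: str         # "low" or "high"
    countries: frozenset     # where access may originate
    hours_utc: tuple         # (start, end): access allowed when start <= hour < end


# Constructed directory and per-application policies for the example.
USER_ROLES = {"alice": frozenset({"finance"}), "bob": frozenset({"sales"})}
POLICIES = {
    "payroll": AppPolicy(frozenset({"finance"}), "high", frozenset({"IE", "GB"}), (6, 22)),
    "crm": AppPolicy(frozenset({"sales", "finance"}), "low", frozenset({"IE", "GB", "US"}), (0, 24)),
}


def decide(req: AccessRequest, policies=POLICIES) -> dict:
    """Evaluate who/what/when/where/why, then choose how access is granted."""
    policy = policies.get(req.what)
    if policy is None:
        # Default deny: an application nobody has written a policy for is not reachable.
        return {"decision": "deny", "method": None, "reasons": ["unknown application"]}
    reasons = []
    # Who and why: trust is never implicit; identity must be proven and entitled.
    if not req.mfa_passed:
        reasons.append("mfa not satisfied")
    if req.why not in USER_ROLES.get(req.who, frozenset()) or req.why not in policy.roles:
        reasons.append("role not entitled to application")
    # When and where: location-aware and time-aware conditions on this application.
    start, end = policy.hours_utc
    if not (start <= req.when.hour < end):
        reasons.append("outside permitted hours")
    if req.where not in policy.countries:
        reasons.append("location not permitted")
    if reasons:
        return {"decision": "deny", "method": None, "reasons": reasons}

    # How: the access method follows from data sensitivity and device posture.
    trusted_device = req.device_managed and req.device_encrypted
    if policy.sensitivity == "low" or trusted_device:
        method, controls = "direct", {"clipboard": True, "local_storage": True}
    else:
        # Sensitive data stays centralised: a virtualised session with clipboard
        # and local storage disabled, so nothing lands on the unmanaged device.
        method, controls = "virtualised", {"clipboard": False, "local_storage": False}
    return {"decision": "allow", "method": method, "controls": controls, "reasons": []}


def at_hour(hour: int) -> datetime:
    return datetime(2021, 3, 1, hour, 0, tzinfo=timezone.utc)


# Constructed requests covering the common outcomes.
SAMPLE_REQUESTS = {
    "finance_managed_device": AccessRequest("alice", True, "payroll", at_hour(10), "IE", "finance", True, True),
    "finance_home_pc": AccessRequest("alice", True, "payroll", at_hour(10), "IE", "finance", False, False),
    "finance_after_hours": AccessRequest("alice", True, "payroll", at_hour(23), "IE", "finance", True, True),
    "sales_tries_payroll": AccessRequest("bob", True, "payroll", at_hour(10), "US", "sales", True, True),
    "sales_crm_abroad": AccessRequest("bob", True, "crm", at_hour(3), "US", "sales", False, True),
    "no_mfa": AccessRequest("alice", False, "crm", at_hour(10), "IE", "finance", True, True),
}


def evaluate_samples() -> dict:
    """Run every sample request through the policy and return the decisions by name."""
    return {name: decide(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name}: {result}")
```

Two design choices carry the section's point. Every branch denies by default and returns the reasons, so the decision is auditable at the point of service; and the method step separates "may this person use this application" from "how should the data be delivered to this device", which is where controls such as clipboard and local storage restrictions are attached.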

FutureRange achieves SDP & Contextual access for our customers with a mixture of products.

FutureWorkSpace is our unique, subscription-based managed service, born in the cloud.
