Three Pillars of Security
FutureRange Secure Desktop – The Three Pillars of Device Security
1. Encrypt
2. Manage
3. Zero Trust
COVID-19 has driven radical change in businesses.
Your offices are empty; your business is facing new challenges, and your employees have adapted to the new way of working. But how do you ensure your security is scaling, now that you have opened your network to a remote workforce?
IT departments and businesses have implemented in days and months technology that would otherwise have been planned over months and years, so not all of the risks may have been fully considered. Now that we are all working together whilst apart, we are introducing new risk: new networks that can potentially reach our internal assets, and potentially unknown or unmanaged devices.
Learn how FutureRange locks down our customers' devices
When we discuss endpoint security, we believe in a zero-trust model, where trust is never implicit and access is granted on a need-to-know, least-privilege basis defined by granular policies. To this end, access controls are more critical than ever; everyone knows and agrees that 2FA is a given these days, and that's fine. But how do we know how secure the devices are that we let onto your network?
Encryption
Let's start with the basics. If you are supplying devices that move around and are not kept under lock and key, everyone knows you should be using encryption; however, we are coming across customers in organisations of all sizes that do not always adhere to this.
There are many simple ways to enable encryption; FutureRange supplies BitDefender and Sophos to manage the BitLocker encryption keys.

Manage
For many years FutureRange has been managing enterprise Citrix servers, locked down and managed to within an inch of their lives using tools like Citrix WEM and RES Workspace Manager. These tools are great: they allow real granularity in what we permit the user to do and execute on the virtual desktop. Whilst both products could in theory run on endpoint devices, we could count on one hand the customers using this type of setup on end-user devices, primarily due to cost and the complexity it adds to an environment.
Recently we have been rolling out ThreatLocker to achieve the same result on end-user devices. ThreatLocker provides application whitelisting, which has long been considered the gold standard in protecting businesses from viruses, ransomware, and other malicious software. Unlike antivirus, application whitelisting puts you in control of what software, scripts, executables, and libraries can run on your endpoints and servers. This "default deny" approach stops not only malicious software but also any other unpermitted application from running.
Controlling what software can run should be the first line of defence against malicious software. Ringfencing then adds a second line of defence for the applications that are permitted: first by defining how applications can interact with each other, and then by controlling what resources applications can access, such as the network, files, and the registry. Ringfencing is an invaluable tool in the fight against fileless malware and software exploits.
When rolling out ThreatLocker we initially deploy the product in learning mode, which builds a picture of exactly what is happening on your endpoint devices. We then review the data with the IT department or security manager and build a whitelist of permitted applications. For malware protection we keep it simple: BitDefender has won numerous awards and just works. We also use BitDefender to manage the endpoints, locking down USB ports and enabling internet filtering if your endpoint devices are not going through a corporate proxy.
The final layer of protection we add is to prevent users from opening dangerous links, or to stop those links reaching the user in the first place. For this, we use Censornet Email Security.
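The learning-mode, review, whitelist and ringfence steps above can be modelled in a few lines. This is an added illustration, not ThreatLocker's or FutureRange's code: the process events, image names and hash strings are constructed placeholders, and the ringfence rule (PowerShell may only be launched by Explorer and may only touch the registry) is a hypothetical policy chosen to show how a permitted application is still constrained.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """One observed process start: image path, its hash, the launching parent and a resource touched."""
    path: str
    sha256: str
    parent: str
    resource: str  # "network", "files" or "registry"


@dataclass
class Policy:
    allowed: Set[str] = field(default_factory=set)  # hashes the IT team approved after review
    # Ringfence per permitted app: (parents allowed to launch it, resources it may touch)
    ringfence: Dict[str, Tuple[FrozenSet[str], FrozenSet[str]]] = field(default_factory=dict)


def learn(events: List[ExecEvent]) -> Set[str]:
    """Learning mode: collect every hash seen so it can be reviewed into a whitelist."""
    return {e.sha256 for e in events}


def enforce(policy: Policy, e: ExecEvent) -> Tuple[bool, str]:
    """Enforcement mode: default deny on unknown hashes, then apply ringfence rules."""
    if e.sha256 not in policy.allowed:
        return False, f"blocked: {e.path} not on whitelist (default deny)"
    fence = policy.ringfence.get(e.path)
    if fence is not None:
        parents, resources = fence
        if e.parent not in parents:
            return False, f"ringfenced: {e.parent} may not launch {e.path}"
        if e.resource not in resources:
            return False, f"ringfenced: {e.path} may not access {e.resource}"
    return True, f"permitted: {e.path}"


# Constructed learning-mode telemetry; the hash values are placeholders, not real file hashes.
OBSERVED = [
    ExecEvent("winword.exe", "hash-word", "explorer.exe", "files"),
    ExecEvent("powershell.exe", "hash-ps", "explorer.exe", "registry"),
]
# After review both are approved, but PowerShell is fenced to Explorer-launched, registry-only use.
POLICY = Policy(
    allowed=learn(OBSERVED),
    ringfence={"powershell.exe": (frozenset({"explorer.exe"}), frozenset({"registry"}))},
)

if __name__ == "__main__":
    for ev in OBSERVED + [ExecEvent("setup.exe", "hash-unknown", "explorer.exe", "files")]:
        print(enforce(POLICY, ev))
```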
SDP & Contextual Access
Finally, we need to know who is connecting.
How does SDP work?
Rather than focusing on traditional, network-based security, SDP takes a different approach. Instead of focusing on securing the network, SDP focuses on securing the user, the application, and the connectivity in-between. There are four core principles that differentiate SDP technologies:
1. Trust is never implicit – Traditional network security offers excessive trust to its users; trust must be earned. SDPs only grant application access to users who are authenticated and specifically authorised to use that app; furthermore, these authorised users are only granted access to the application, not the network.
2. No inbound connections – Unlike a virtual private network (VPN), which listens for inbound connections, SDPs receive no inbound connections. By responding with outbound-only connections, both network and application infrastructure are kept invisible, or cloaked, to the internet and therefore impossible to attack.
3. Application segmentation, not network segmentation – In the past, organisations had to perform complex network segmentation to limit a user's (or an infection's) ability to move laterally once on the network. While this approach worked well enough, it was never granular and required constant maintenance. SDP has native application segmentation that can control access down to a one-to-one basis. The result is far more granular segmentation that is much easier for the IT team.
4. Leveraging the internet securely – With users everywhere and applications moving outside the data centre, organisations need to shift away from a network-centric focus. Security must shift to where your users are, and this means leveraging the internet as your new corporate network. SDP is focused on securing user-to-application connections over the internet rather than securing the users' access to the network.
Contextual Access
Contextual access is all about adapting to ever-changing situations involving devices, locations, data sensitivity levels, threats and vulnerabilities that are risk-matched to desired business outcomes. A powerful way to design contextual access considers all aspects of the 5 W's of Access – factoring who, what, when, where and why into every access and transactional event. Once access factors have been determined and vetted, access methods can focus on how access should be granted.
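As an added example (not FutureRange's or any vendor's code) of the 5 W's applied to a single access request: the decision checks device posture from the first two pillars (encrypted, managed) before anything else, then evaluates who, what, when, where and why against a per-application rule, and denies by default when any factor is unmatched. The users, roles, applications and hours below are a constructed sample organisation.

```python
from dataclasses import dataclass
from datetime import time
from typing import Tuple


@dataclass(frozen=True)
class Context:
    who: str          # authenticated identity (2FA already satisfied upstream)
    what: str         # application requested, never "the network"
    when: time        # local time of the request
    where: str        # network location: "office", "home" or "unknown"
    why: str          # business justification, e.g. a ticket reference ("" if none)
    encrypted: bool   # device posture: full-disk encryption active
    managed: bool     # device posture: enrolled in endpoint management


# Constructed sample directory and per-application rules (hypothetical organisation).
ROLES = {"alice": "finance", "bob": "sales"}
APP_POLICY = {
    "payroll": {"roles": {"finance"}, "where": {"office", "home"},
                "hours": (time(7), time(20)), "needs_why": True},
    "intranet": {"roles": {"finance", "sales", "it"}, "where": {"office", "home", "unknown"},
                 "hours": (time(0), time(23, 59)), "needs_why": False},
}


def decide(ctx: Context) -> Tuple[bool, str]:
    """Evaluate the 5 W's against the rule for the requested app; anything unmatched is denied."""
    # Device pillars first: an unencrypted or unmanaged device gets no application access at all.
    if not (ctx.encrypted and ctx.managed):
        return False, "deny: device posture (encryption or management missing)"
    rule = APP_POLICY.get(ctx.what)
    if rule is None:
        return False, f"deny: no policy for {ctx.what} (default deny)"
    if ROLES.get(ctx.who) not in rule["roles"]:
        return False, f"deny: who ({ctx.who} not authorised for {ctx.what})"
    if ctx.where not in rule["where"]:
        return False, f"deny: where ({ctx.where} not permitted for {ctx.what})"
    start, end = rule["hours"]
    if not start <= ctx.when <= end:
        return False, f"deny: when ({ctx.when:%H:%M} outside {start:%H:%M}-{end:%H:%M})"
    if rule["needs_why"] and not ctx.why:
        return False, "deny: why (justification required)"
    # The grant is to the single application only; the network itself is never exposed.
    return True, f"allow: {ctx.who} -> {ctx.what}"


if __name__ == "__main__":
    print(decide(Context("alice", "payroll", time(9, 30), "home", "TKT-1234", True, True)))
```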