Best practices for endpoint security in the cloud
As the proliferation of cloud services continues, IT teams should revisit -- and potentially revamp -- their endpoint protection strategies.
An endpoint security strategy is critical in any enterprise IT environment. For organizations with cloud deployments, however, those strategies can be especially complex.
Admins, for example, must consider the nuances of endpoint security in different cloud computing models, such as private, public, hybrid and multi-cloud. What's more, due to an increase in remote work, the number of endpoint devices that connect to cloud resources has grown significantly. Security teams must account for a large and broad array of end-user devices as part of their IT protection strategy.
Fortunately, industry best practices and tools continue to evolve to specifically address endpoint security in the cloud.
How the cloud changed endpoint protection
From a security standpoint, endpoint devices have been worrisome since computer viruses were passed around on floppy disks.
Antivirus software was the first type of endpoint protection. Security professionals discovered they could protect endpoints inside the network perimeter via locally installed antivirus software. Over time, this evolved into more modern endpoint protection platforms (EPPs) that combine antivirus, firewall and encryption capabilities on each PC.
IT vendors then developed more sophisticated endpoint detection and response (EDR) platforms, such as Sophos Intercept X, SentinelOne Endpoint Protection Platform and CrowdSec. These platforms extend EPPs with tools for behavioral analytics, anomaly detection and streamlined updates.
With these endpoint protection tools, IT admins could properly manage the security perimeter. Even when employees would connect to IT resources from home, they typically did so on a managed corporate laptop via a secured VPN.
The cloud has changed the endpoint protection market in two key ways. First, it provides a staging ground for new endpoint protection offerings. And, second, it expands the security perimeter from the enterprise boundary to all devices connected to the cloud.
Traditionally, security teams concentrated their efforts on the outer shell of their environment and strictly regulated the traffic flow from external parties to internal resources; security and hardening practices for internal endpoints were a lower priority.
"This model has been turned on its head, given the nature of public cloud computing," said Bryan Harper, manager of Schellman & Co., an independent security and privacy compliance assessor.
With the public cloud, admins should approach endpoint security under the assumption that all endpoint devices could be accessible to external parties, Harper said.
It's also important to consider how cloud services potentially expand the attack surface. As the cloud becomes an extension of corporate infrastructure, there are additional avenues to enterprise resources from a greater number and variety of endpoint devices, said Terumi Laskowsky, cybersecurity instructor for DevelopIntelligence, a Pluralsight company and technology training service provider.
Form a cloud endpoint protection strategy
The first step to address these challenges and to ensure endpoint security in the cloud is to take an inventory of devices. "If you don't know what you have, it is impossible to secure those endpoints," Harper said.
A cloud endpoint protection strategy should identify all endpoints that connect to corporate resources. PCs, smartphones and tablets are generally in this group, and they must be governed by a corporate endpoint security policy.
In addition, consider IoT devices, such as security cameras and network-connected printers, as these can also pose a risk, Laskowsky said. Have a clear understanding of which teams are responsible for the security of certain devices. For instance, the facilities team may be responsible for cameras, while the networking team is responsible for printers. Without such information, Laskowsky said, teams can overlook certain devices in an endpoint protection strategy because they assume a different department is responsible. Organizations should enforce a holistic and consistent security approach for all endpoint devices.
To help with endpoint protection, organizations can do the following:
- Implement encryption and enhance access controls through the use of strong passwords and multifactor authentication.
- Use a VPN for another layer of protection.
- Harden endpoints using industry best practices for the specific endpoint type.
- Scan endpoints continuously, and ensure systems can analyze and respond to anomalous behavior.
- Perform patching regularly.
Admins can address endpoint security in the cloud from two perspectives, Laskowsky said. First, they can protect the endpoint devices themselves from attacks. Second, they can protect the corporate resources from the devices, in cases where the devices are the attackers. The latter could occur when a rogue employee or malicious actor compromises a machine. Companies must adopt strategies that protect both the devices and the enterprise resources those devices access through the cloud or VPNs.
IT teams should craft security policies and standards to address the most common use cases for different types of devices, said Vikram Kunchala, principal and cyber cloud leader for Deloitte Risk & Financial Advisory. Consider the various workflows and interaction patterns of new endpoints that access cloud resources.
Public, private and hybrid security differences
Each cloud infrastructure model comes with its own security perimeter. Laskowsky argued that private cloud is most secure because of its single-tenant nature; only one enterprise uses the infrastructure. In contrast, multiple companies share public cloud infrastructure, making it easier for hackers to identify and target any weak endpoints connected to it.
Hybrid cloud models may be the riskiest due to the complex connections between private and public cloud resources. The same issue applies to multi-cloud deployments, where organizations use and connect cloud services from multiple providers, Laskowsky said. In these cases, organizations must protect endpoints that connect across different types of cloud infrastructure.
Tools and services to secure cloud endpoints
Various categories of tools protect endpoints connected to cloud resources. To start, use data loss prevention (DLP) tools, such as Broadcom Symantec DLP, Forcepoint DLP and Digital Guardian DLP, to safeguard cloud resources, and EDR tools to protect connected endpoints, Laskowsky said.
Organizations can implement and manage these tools internally. Some organizations use the Security as a Service model, in which a cloud service vendor provides security monitoring and response. Examples of these offerings include Oracle Cloud Access Security Broker, Okta Identity as a Service and Qualys CyberSecurity Asset Management. However, the enterprise, not its cloud provider, is ultimately responsible for endpoint protection, Laskowsky said.
Deloitte's Kunchala recommended organizations consider unified endpoint management tools, which have evolved to replace legacy endpoint management tools.
Cloud workload protection tools, such as Trend Micro Deep Security and VMware Carbon Black App Control, have also emerged to secure virtual endpoints that run in the cloud. In addition, managed EDR services, including Deepwatch and Broadcom Symantec offerings, can provide 24/7 response capability for incidents detected on endpoints.