Endpoints are often the weakest links in any IT system, but protecting them effectively now means much more than simply guarding against malware.
As businesses rely more on the cloud and on web-based applications, the endpoint provides a gateway that can be vulnerable to attack.
Data security specialist Becrypt is taking an innovative approach with the use of a secure operating system to verify the integrity of devices. We spoke to Bernard Parsons, CEO of the company, to find out more.
BN: What are the key areas that protection is now focusing on, is it mainly encryption?
BP: Part of it is encryption but part of it is maintaining and improving the integrity of end-user devices. At the start you have to assume that a device is in a good state; what we need to do is ensure that organizations can retain the confidence that a device will remain good. This means no malware has been able to compromise the device and remain resident on it.
One of the big challenges organizations have at the moment is that nobody is immune to compromise. But still companies have to spend to continuously monitor their systems; if there is an intrusion they need to know what it is, what the impact is and how to recover. This can be an expensive exercise from a resource perspective.
BN: How does your technology address this?
BP: We're focused on secure operating systems, so we're not just adding security components to existing platforms, we're creating secure platforms from the ground up. Target customers are typically those for which existing systems don't meet their requirement from a security perspective. We have our own lightweight OS called Paradox that's meeting a number of use cases, predominantly around businesses moving to cloud. We provide a locked-down user platform for accessing cloud-based services and web apps, removing the possibility that anything on the endpoint could be compromising the environment.
Paradox uses the hardware functionality that's present in many computing platforms these days to ensure that when a system is running, cryptographic checks are carried out on all of the components that are executing on it. It can therefore verify to the server delivering cloud apps that the device remains in a good state. It still uses encryption but it's about ensuring you have strength in depth and ensuring if there is an intrusion you can detect it very rapidly and take appropriate action.
BN: Is there a behavioral angle as well, such as where users can connect from?
BP: Yes, you can extend the security to include additional factors. So you can have a more granular set of decisions in terms of what you're going to allow individuals to have access to. Ideally you want users to be connecting from a device that you trust. For some organizations there may be different levels of sensitivity, so it may be fine to allow less sensitive material to be accessed from devices that can’t be trusted to the same extent.
You can also add things like hardware-based verification of the identity of users, location based factors and so on. It depends how you want to build your data protection policy.
BN: Are there differences in enterprise priorities based on geographical location?
BP: Yes, although the differences are more to do with market segments. In the US for example certain sectors, like healthcare, have very specific regulation aimed at protecting data. It can be a time consuming and costly exercise to ensure that you’re validating to the correct extent right down the supply chain.
What's central is where businesses need a mechanism for maintaining a high degree of integrity in a user device. So other parts of the supply chain, contractors for example, will also need to be using devices that are appropriate for the sensitivity of the data. Many of the high profile breaches that we hear about have at some point involved a supply chain attack. Platforms like Paradox allow you to push something out into the supply chain so you can be sure it isn’t a weak link.
BN: So is this going to become more important as GDPR comes into force?
BP: Absolutely, it does allow compliance to be simplified, particularly if organizations are stretched in terms of the resources needed to secure systems and manage architectures. Paradox has within it a whole range of security controls that can be mandated for end users, so it becomes easy to apply those controls to protect personal data.
BN: Is technology only part of the picture? Do we need to address the human angle too?
BP: User education is key. CYBERUK, the UK government cyber conference in March this year, highlighted that the traditional view needs to be stood on its head. The user needs to be considered the strongest link -- whereas traditionally they've been considered the weakest.
IT systems are built by techies and they often see users as a problem in terms of how they're circumventing controls that are put in place. But people are in place to perform a particular task and are very good at doing that. This often involves quite complex interaction with technology in terms of navigating the validation and other mechanisms in front of them. In terms of designing systems it's important to recognize the human factor and build systems appropriately so as not to force users into unworkable situations.
Some of our technology has been designed with government departments. They have made it very clear that while there’s a huge amount of sensitivity around the data, usability and user satisfaction were not second class requirements. If the system didn’t deliver usability and prioritize the human factors then they were quite clear that it was not appropriate. This is a very different position to just five or six years ago where security products were almost designed in isolation. Now the industry is on a journey that is placing the user more centrally.
BN: So the other side of that is that the more complex it is the more users will try to circumvent it?
BP: There are limits to what technology can do on its own, but if we think about humans being ideal or technology being ideal, then we're not doing a good job. For problems like phishing for example there isn’t a perfect solution, however much you train your users there is still a percentage that will click the email, so you have to build your infrastructure to recognize that will happen.