Many people believe that every network device and endpoint should be responsible for its own security. As a result, desktop security is often set up in layers, so that if malicious software manages to get through one point, there's another point of protection.
While this is a popular method -- and it deserves your attention -- I contend that endpoint security is worthless against virulent malware (the very kind you buy endpoint security products to protect against). If you haven't stopped malignant code at your perimeter, you've already lost the battle, and your efforts ought to go toward cleanup and getting back to a known-good environment.
Endpoint security agents are just another thing to manage on top of the other software packages that already require planning, deployment, maintenance, tracking, relicensing, upgrading and removal. You also have to learn how to use the security software properly, because a misconfigured product is not only worthless; it's negligent behavior and an invitation to attack. And it's another expense for your company. In today's era of tightened budgets, you're probably under pressure to make IT look a little more like a profit center and a little less like a cost center.
In addition, have you ever heard the old saying, "An ounce of prevention is worth a pound of cure?"
There are many reasons why it's better to stop malware of any kind from getting into your network than to rely on desktop programs to stop it. Internally, host firewalls have as many holes as Swiss cheese. For instance, ports get opened so an old version of QuickBooks can be reached, and users need Remote Desktop Protocol to get to lab machines from their desktops. These firewalls are meant as a last line of defense -- and they're not even great at that.
Furthermore, human error can cause disastrous results. Regardless of how many times (and how many ways) you tell someone not to open email attachments from an unknown sender, the very second they see a cute puppy face they're double-clicking, even if Hosni Mubarak sent it to them. (No, they're probably not old friends.)
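A practical way to see how much Swiss cheese your own host firewalls have become is to enumerate the enabled inbound allow rules and flag the ones that expose risky ports, match an application exception by name, or accept traffic from any remote address. The script below is an added example written for this article, not code from the author; it uses the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later, and the port list and name patterns are assumptions you should adjust to your environment.

```powershell
# Added example, not from the article: audit a Windows host's own firewall for
# the kind of exceptions described above (RDP to lab machines, ports opened for
# an old application) and report which of them are reachable from any address.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later); run elevated.

# Ports treated as high-risk when exposed inbound and name patterns for common
# application exceptions. Both lists are the editor's assumptions; tune them.
# 3389 = RDP, 445/139 = SMB, 135 = RPC endpoint mapper, 5985/5986 = WinRM.
$riskyPorts   = @('3389', '445', '139', '135', '5985', '5986')
$namePatterns = @('QuickBooks', 'Remote Desktop')

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    $addrFilter = $rule | Get-NetFirewallAddressFilter

    # LocalPort may be 'Any', a single port, a range such as '56721-56729', or a list.
    # Ranges are reported as-is but not expanded, so review them by eye.
    $localPorts = @($portFilter.LocalPort)
    $remoteAddr = @($addrFilter.RemoteAddress)   # 'Any' or a list of addresses/subnets

    $reasons = @()
    if ($localPorts -contains 'Any') { $reasons += 'any local port' }
    foreach ($p in $riskyPorts) {
        if ($localPorts -contains $p) { $reasons += "port $p" }
    }
    foreach ($pattern in $namePatterns) {
        if ($rule.DisplayName -like "*$pattern*") { $reasons += "name matches '$pattern'" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name       = $rule.DisplayName
            Profile    = $rule.Profile
            Protocol   = $portFilter.Protocol
            LocalPort  = ($localPorts -join ',')
            RemoteAddr = ($remoteAddr -join ',')
            OpenToAll  = ($remoteAddr -contains 'Any')
            Why        = ($reasons -join '; ')
        }
    }
}

# Rules that accept traffic from every remote address come first; those are the
# holes to close outright or scope down to the subnet that actually needs them.
$findings |
    Sort-Object -Property @{Expression = 'OpenToAll'; Descending = $true}, Name |
    Format-Table -AutoSize
```

Anything that comes back with OpenToAll set to True deserves a decision: delete the rule, or restrict it with `Set-NetFirewallRule -RemoteAddress` to the lab subnet or the handful of hosts that legitimately need it. Run the same audit across your fleet and you will usually find that the "last line of defense" has been quietly opened in a dozen places nobody remembers approving.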
Think of the human body -- you'd rather keep out harmful foreign substances completely than fight them internally. Your network should operate similarly. Individual desktops shouldn't have to stave off potentially life-threatening infections to your network.
Edge protection is where you should be defending your network. Spend your efforts and money making sure the malware never gets into your network in the first place.
ABOUT THE AUTHOR
Jonathan Hassell is an author, consultant and speaker residing in Charlotte, N.C. His books include RADIUS, Hardening Windows and, most recently, Windows Vista: Beyond the Manual.