When it comes to enterprise security and endpoint management, securing devices might not be a desktop admin's first priority.
At least that's what some IT professionals believe when it comes to keeping sensitive data safe. They say you should think of data, the network and applications before worrying about desktop security, but strong policies and employee education are still important.
Keeping corporate data totally safe seems to be an unattainable goal, as long as sophisticated hackers and thieves abound. In addition, end users who simply want to do their jobs may inadvertently cause security breaches by taking data offsite via mobile devices.
Keeping this in mind, IT administrators who institute best practices in their organizations can go a long way toward protecting corporate secrets -- and their careers.
There's no shortage of methods for ensuring that data and endpoint devices stay safe, including emerging multifactor authentication methods, antimalware tools, data encryption on email and mobile management suites that include secure access features.
But security leaks continue at all levels, not just from desktops, laptops, smartphones and tablets. In fact, incidents such as the Heartbleed vulnerability could have exposed sensitive data traveling through the Internet.
Prioritize the data
Industry experts say organizations need to shift their thinking. "What you're protecting is the data, not the endpoint," said Chris Hertz, a systems integrator at New Signature in Washington, D.C. "The endpoint is the mechanism for the data."
Experts such as Hertz recommend that IT pros understand who owns the data. The best way to do this is to classify confidential or regulated data and then develop security policies around it. "If you don't have a data classification and inventory [of data], it's hard to decide how to do protection," said Hertz.
Classifying the data is a job for a company's business units. They need to set security policies, including for how long an organization should keep relevant data. If business units don't have a hand in deciding what information should be kept and what shouldn't, IT could be wasting time and money by protecting irrelevant data.
"IT does the governance," said Hertz. "At the end of the day, security is about building the data classification model and understanding which users and devices have access to the data. Your policies are data-driven."
Some IT pros have been preaching for years about the need to secure corporate data before addressing endpoint management, but that doesn't mean the message is being received.
"Some people are listening," said Brian Katz, director of mobile innovation at a large pharmaceutical company based in New Jersey. "Security is listening somewhat, but there is legacy thinking that it's nice to secure the device and then the data. But if I secure the data, I'm mostly there."
Don't forget the network
As data is classified, IT admins can also determine the best ways to handle security for the network, applications and finally desktops.
"We're doing this from the network side up," said an IT professional at a West Coast community college who asked not to be named. He described his environment as one in which students and faculty members are on isolated segments of the network. There is a virtual break between where and what the users can access on the network and where sensitive back-end internals reside, he explained.
Beyond a secure network, an organization needs a method for encrypting sensitive data such as Social Security numbers, PINs and medical records. "You need to lock a system down for encryption," the college IT staffer said. "Or you need to set standards so certain data doesn't go outside the house. That's hard if you're not in a locked-down defense environment."
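The classification-and-inventory model Hertz describes, and the encryption and "doesn't go outside the house" standards mentioned above, as an added Python example that is not from the article or any vendor: the data inventory, the policy table and the sample records are constructed, and treating fields missing from the inventory as regulated is an assumption chosen so the policy fails closed.

```python
import re
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    REGULATED = 2


# Constructed data inventory: the business units, not IT, assign a class to each field.
DATA_INVENTORY = {
    "ssn": Sensitivity.REGULATED,
    "medical_record": Sensitivity.REGULATED,
    "pin": Sensitivity.REGULATED,
    "email": Sensitivity.CONFIDENTIAL,
    "department": Sensitivity.PUBLIC,
}

# Constructed policy table keyed on the data class, not on the device it sits on.
POLICY = {
    Sensitivity.PUBLIC: {"encrypt": False, "egress": True},
    Sensitivity.CONFIDENTIAL: {"encrypt": True, "egress": True},
    Sensitivity.REGULATED: {"encrypt": True, "egress": False},
}

# Content check for one regulated type (US SSN layout) hiding in a "harmless" field.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def classify_record(record):
    """Return the highest sensitivity of any field in the record.

    Fields absent from the inventory are assumed REGULATED (fail closed),
    and a field whose value looks like an SSN is escalated regardless of label.
    """
    level = Sensitivity.PUBLIC
    for field, value in record.items():
        cls = DATA_INVENTORY.get(field, Sensitivity.REGULATED)
        if isinstance(value, str) and SSN_RE.search(value):
            cls = Sensitivity.REGULATED
        if cls.value > level.value:
            level = cls
    return level


def must_encrypt(record):
    return POLICY[classify_record(record)]["encrypt"]


def egress_allowed(record):
    return POLICY[classify_record(record)]["egress"]
```

Because the decision is keyed on the classification rather than the endpoint, the same record gets the same treatment whether it is on a desktop, a laptop or a phone.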
Mobility affects data security
The explosive growth in mobile devices and the emergence of the cloud have not made things any easier for IT administrators.
"What it does, it forces IT to address the issue that's already there," said Katz. "[Admins] can no longer say, 'Just lock down the device.'"
"When I start going to a laptop, phone or tablet, I may not be at the same location. It may not be as secure. ... It's one of the reasons why the network is so important," said Katz, who added that geolocation capabilities require policies that follow the data around.
Define security policies sooner rather than later
Many IT experts agree that following best practices for corporate data security is key to ensuring that an organization's data and endpoints remain safe. IT should first work with the business units to determine who is responsible for the data and develop criteria for data that must be retained.
"Part of the realization is that it's almost impossible to protect anything perfectly," said Katz. Admins must find a balance between providing workers access to their data anytime, anywhere and maintaining data and desktop security.
Finally, communication about data security throughout an organization is just as important as data classification, industry or government regulations, and corporate policies. IT must explain to users the constant threats posed by hackers, such as "spear phishing."
You need ongoing communication, said the community college IT admin. Education about data and endpoint security should be included in employee training.