In today’s world of constant and escalating threats, with breaches now a commonplace occurrence, PCs are a constant headache for security teams when it comes to securing IT infrastructure. Whether they are running Windows, macOS or Linux, users inevitably change PCs to suit their needs, adding applications and storing local data as well as visiting unsafe web sites and receiving and clicking on phishing emails. The net result is that the security status of any given PC is always unique and unpredictable. A device may be compromised, or compromisable, at any level, from the registry, through the operating system, to the web browser and other applications.
Of course, there are certain precautions that can, and should, be taken to reduce these risks. These include limiting access to admin rights, running anti-virus, filtering incoming content and blacklisting and/or whitelisting applications. However, what if a PC’s registry, operating system and browser could always be guaranteed to be in a known secure and healthy state every time it was booted? Being able to do this makes sense as PCs are increasingly used as cloud gateways to support flexible and mobile working; all that matters when a user starts up a virtual cloud-based desktop is that the supporting infrastructure on the access device is safe. Such a capability also suits other high-risk use cases where PCs are regularly shared between ad hoc users or where third-party access is required for managing remote infrastructure.
But why are PCs such a potential weak point in the IT infrastructure?
One key reason is the magnitude and complexity of the software that sits on a typical endpoint such as a desktop. If you think about a full-blown operating system and all the applications and browsers that get loaded and executed on these devices, inevitably there will be vulnerabilities. As an industry we have got much better at publishing, and automating the publication of, vulnerabilities and subsequently providing patches. That said, the degree of complexity has inevitably meant that organisations struggle to ensure that they have patch regimes in place that can patch their devices in their entirety in a robust way, and this leaves a window of opportunity for bad actors to exploit.
The other point here is that PCs are typically how the user interfaces with an organisation’s IT infrastructure, but users are a weak point and unfortunately that won’t change. However much we train our employees to understand the dangers of threats such as phishing emails, unfortunately that risk is not going to go away, and today email continues to be one of the main attack vectors for organisations.
As a result, endpoints continue to rank highly as a target. As more computing moves to the cloud, why do physical PCs persist? Why not move all your users over to thin clients?
The answer is that many user communities within an organisation need more functionality than a thin client can give them, and that might mean extensive use of offline applications or the need to run applications natively on the device rather than accessing them via an online setup. That said, because of the increased cloud options there are an increasing number of communities within organisations that don’t need a full-blown PC, and therefore all the costs and risk associated with managing one. As a result, as organisations move to cloud and online services, there is an opportunity to optimise the end user devices that access these services from a security and cost perspective by not deploying full-blown operating systems. Traditional thin clients are also vulnerable to exploits: even a thin client or a zero client has software running that can be exploited. And the downside of traditional thin clients is that the organisation will typically have fewer security tools to monitor and detect that they have been compromised.
Therefore the combination of the need for flexible working and the persistence of legacy devices means that the PC is not going to disappear anytime soon.
To overcome some of the challenges highlighted above, here at Becrypt we have developed a secure Linux-based operating system called Paradox. The origins of the product came out of some work we did with the National Cyber Security Centre (NCSC), whereby we were asked to set up an environment that allowed organisations to share IT infrastructure from one government department to another. To do that they needed secure endpoints. All of these departments were operating to the same standard in terms of the security posture of the endpoint, but they also needed the ability to identify devices across the organisation. We were engaged to build a security-focused operating system that met that requirement for a secure endpoint. We also implemented a remote attestation protocol so that those devices could prove not only their identity but also their integrity across multiple organisations and departments, even those outside of government such as contractors and third-party suppliers and partners. So in effect we provided the assurance that devices running Paradox were always in a known healthy state.
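The attestation flow described above, distilled into a runnable sketch. This is an added example and not Becrypt's or Paradox's protocol: it assumes a verifier that issues a single-use nonce, a device that reports hashes of its boot-time components (standing in for measured boot) and proves identity with a per-device secret provisioned at enrolment (an HMAC key here, where a real deployment would use an asymmetric device key in a TPM), and a table of known-good measurements held by the verifier. The component names, contents and device ids are all constructed for the example.

```python
"""Simplified remote-attestation exchange (added example; not Becrypt's protocol)."""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

# Constructed sample components of an endpoint image. A real system would
# measure firmware, bootloader, kernel and application binaries at boot.
GOLDEN_IMAGE: Dict[str, bytes] = {
    "bootloader": b"bootloader v1 (constructed)",
    "kernel": b"kernel 5.x (constructed)",
    "browser": b"browser 100 (constructed)",
}


def measure(components: Dict[str, bytes]) -> Dict[str, str]:
    """Hash each component; stands in for measured boot (e.g. TPM PCR values)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}


def canonical(obj) -> bytes:
    """Deterministic encoding so device and verifier MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Device:
    """Endpoint side: answers a challenge with its measurements, bound to the nonce."""

    def __init__(self, device_id: str, key: bytes, components: Dict[str, bytes]):
        self.device_id = device_id
        self._key = key  # per-device secret from enrolment (assumption: HMAC, not a TPM key)
        self.components = components

    def attest(self, nonce: str) -> dict:
        body = {"device_id": self.device_id, "nonce": nonce,
                "measurements": measure(self.components)}
        mac = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        return {**body, "mac": mac}


class Verifier:
    """Relying-party side: checks identity (MAC) then integrity (golden values)."""

    def __init__(self, golden: Dict[str, str]):
        self.golden = golden          # known-good measurements for the approved image
        self.keys: Dict[str, bytes] = {}
        self.outstanding = set()      # nonces issued but not yet consumed

    def enrol(self, device_id: str, key: bytes) -> None:
        self.keys[device_id] = key

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    def verify(self, quote: dict) -> Tuple[bool, str]:
        key = self.keys.get(quote.get("device_id"))
        if key is None:
            return False, "unknown device"
        nonce = quote.get("nonce")
        if nonce not in self.outstanding:
            return False, "stale or unknown nonce"  # replay of an old quote
        body = {k: quote.get(k) for k in ("device_id", "nonce", "measurements")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, quote.get("mac", "")):
            return False, "bad signature"          # measurements edited after signing
        self.outstanding.discard(nonce)              # single use, consumed once authentic
        reported = quote["measurements"]
        for name, digest in self.golden.items():
            if reported.get(name) != digest:
                return False, f"integrity mismatch: {name}"
        if set(reported) - set(self.golden):
            return False, "unexpected component"
        return True, "healthy"


if __name__ == "__main__":
    verifier = Verifier(measure(GOLDEN_IMAGE))
    key = os.urandom(32)
    verifier.enrol("pc-01", key)
    healthy = Device("pc-01", key, dict(GOLDEN_IMAGE))
    tampered = Device("pc-01", key, {**GOLDEN_IMAGE, "browser": b"modified (constructed)"})
    print("healthy device:", verifier.verify(healthy.attest(verifier.challenge())))
    print("tampered device:", verifier.verify(tampered.attest(verifier.challenge())))
```

The order of checks is deliberate: identity is established before integrity is judged, the nonce is consumed only after the quote proves authentic, and a quote that fails an integrity check still burns its nonce so the same challenge cannot be answered twice. The four failure paths (unknown device, replayed nonce, edited measurements, drifted component) are the cases a verifier in front of a shared cloud service would need to distinguish in its logs.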
So, as I say, this work started with government and is particularly applicable to classified environments where there is a need for a high degree of confidence in the health of the desktops being used to access private cloud services, but we have now found that Paradox also maps into the private sector.
Don’t get me wrong, we are not looking to replace all desktops in large enterprise organisations. Where we fit is within organisations that have a high-value requirement that justifies deploying Paradox. Let me give you a few use cases. Recently we deployed Paradox into a Security Operations Centre (SOC). The devices running the SOC needed to be in a very secure and healthy state. We have also deployed Paradox into kiosk systems where the public need to access services, for example in train stations and travel agencies, as this provides a very simple way for organisations to push out a very secure but easy-to-manage software environment across a geographically dispersed device landscape.
Likewise, remote access is another use case for Paradox, whereby organisations want a high degree of confidence that employees are accessing services from a known healthy state. Travel kits are another good example. Organisations are often challenged with determining what lightweight device their executives can use when they travel. Executives travelling with laptops need assurance that those laptops haven’t been tampered with; Paradox provides a very easy, secure travel environment.
And finally, one of the key benefits from a management perspective is that we solve one of the big challenges organisations have today around patch management. The average time to apply a patch is still far too long because patching can be quite complex for organisations; it is not just about the OS but all the applications and the compatibility between the different apps and operating systems. With Paradox we simplify and automate the patching process, and in the process this helps organisations avoid the risk of vulnerable endpoints.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.