awk

Wednesday, 04/25/2012 6:01:07 AM

Taking Comply to Connect on the Road - Virtually

http://www.trustedcomputinggroup.org/community/2012/04/taking_comply_to_connect_on_the_road__virtually

by Lisa Lorenzin, Juniper Networks
April 2012


If you lost your corporate laptop tomorrow, how much could its next owner learn about your company? If you work for NASA, the answer is "a lot" - one stray laptop contained command codes for the International Space Station! With the proliferation of mobile devices such as laptops, tablets, and smartphones, the barriers protecting sensitive and critical information have become more porous than ever before. But data loss isn't limited to mobile devices, and it isn't always as obvious as watching a taxi drive away... The RSA data breach resulted from a trusted endpoint that was compromised by malware, with the user none the wiser.

Controlling access to sensitive resources is an essential part of information security. Traditionally, access controls have focused on user identity and roles. However, many recent attacks focus on compromising an authorized user's endpoint, then using that endpoint with the user's credentials and privileges to launch further attacks such as extracting confidential data or infecting other endpoints. One of the best ways to protect against such attacks is to ensure that the user's endpoint is equipped with required security controls such as self-encrypting drives, and up to date on applicable patches and security updates, by verifying the security of endpoints both when they connect to the network and continuously thereafter. This technique is known as Comply to Connect, since endpoints must comply with enterprise policy before they are allowed to connect to protected networks and resources.

The increasing proliferation of consumer devices on business networks under the "bring your own device" (BYOD) technology approach, coupled with the growing trend among information workers to stay connected at home, on the road, and just about anywhere, has created new challenges for network administrators responsible for ensuring device health, network security, and protection of corporate assets. Comply to Connect is a standards-based solution that addresses the problems many organizations face: how to ensure network security while allowing a wide range of individual devices to connect.

Earlier this year, at the RSA Security Conference in San Francisco, I had the opportunity to demonstrate a Comply to Connect system at the Trusted Computing Group's pre-conference workshop focused on the paradox of security. I've been participating in this annual TCG workshop for several years - demonstrating various types of security solutions based on open standards from the Trusted Network Connect (TNC) work group - and this year's workshop was by far the easiest for me. Rather than assembling my usual Rube Goldberg contraption of power strips, appliances, switches, cables, and monitors, I brought a single laptop!

The demo was simple; I showed an endpoint connecting to an environment protected by an access control system that assessed my endpoint and ensured that it was in compliance with required policies before allowing me access to resources. If I caused the endpoint to become out of compliance with the required policies, the system responded based on the severity of the problem: automatically fixing the problem for me, in some cases, and in other cases restricting my access until I took action to bring the endpoint back into compliance. Not rocket science! TNC-enabled technologies have been offering this functionality for years.

But two things were different this year. One is that instead of building my Comply to Connect system onsite, as I've done for other demos in previous years, I was connecting via SSL VPN to a lab environment in Bellevue, then running RDP across an encrypted tunnel to control the demo endpoint. You could say that I moved my demo to the cloud! (It's certainly easier than shipping boxes of gear across the country and hoping that the shipper doesn't decide to route them to Timbuktu instead. Although it does help to be able to reach the online demo environment.) And, more importantly, it reflects a very real use case for companies who want to enable their mobile, always-on, 24/7 workforce today.

And the other is that more people were interested in my demo than ever before. People have been saying for years that NAC is dead (Hi, Mike! :) ) - but in reality, it's experiencing a quiet renaissance as one of the security controls enabling BYOD. The difference is that now we're focusing on the business problem to solve, rather than a particular technology to solve it - which is probably what we should have been doing all along. Users don't care whether the enabling technology is RDP or GoToMyPC, NAC or VPN - they simply want access to anything, from anywhere, at any time. Companies are embracing the cost reductions and benefits to productivity - and TCG is leading the way in enabling the technology administrators need to support this new model while minimizing the risks involved.
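The assess-then-respond behaviour the post describes (check the endpoint at connect time and continuously afterwards, auto-fix minor problems, restrict access for serious ones) can be sketched as a small policy engine. This is an added illustration, not code from the post, from TNC, or from any Juniper product; the rule names, severities and patch baseline are constructed for the example.

```python
"""Toy Comply to Connect policy engine (added example, not TNC code)."""
from dataclasses import dataclass


@dataclass
class Posture:
    """Constructed posture report, the kind an endpoint reports at connect time."""
    host: str
    disk_encrypted: bool   # self-encrypting drive / full-disk encryption enabled
    patch_level: int       # installed patch baseline number (constructed scale)
    firewall_on: bool


# Hypothetical enterprise policy: (rule name, check, severity, server can auto-fix).
REQUIRED_PATCH_LEVEL = 42
RULES = [
    ("disk_encrypted", lambda p: p.disk_encrypted, "high", False),
    ("patch_level", lambda p: p.patch_level >= REQUIRED_PATCH_LEVEL, "medium", False),
    ("firewall_on", lambda p: p.firewall_on, "low", True),
]


def assess(p: Posture) -> dict:
    """Evaluate one posture snapshot and choose a response by severity."""
    findings = [(name, sev, fixable) for name, check, sev, fixable in RULES if not check(p)]
    if not findings:
        return {"decision": "allow", "findings": []}
    # A high-severity failure restricts access until the user brings the device back.
    if any(sev == "high" for _, sev, _ in findings):
        return {"decision": "quarantine", "findings": findings}
    # Only low-severity, auto-fixable failures: remediate on the spot and allow.
    if all(fixable for _, _, fixable in findings):
        return {"decision": "remediate", "findings": findings}
    # Failures the server cannot fix itself: limited access (e.g. patch server only).
    return {"decision": "restrict", "findings": findings}


def continuous(snapshots: list) -> list:
    """Post-connect monitoring: every new snapshot is re-assessed, so an endpoint
    that drifts out of compliance loses access even though it was admitted earlier."""
    return [assess(s)["decision"] for s in snapshots]


if __name__ == "__main__":
    laptop = Posture("lt-01", True, 42, True)
    print(continuous([laptop, Posture("lt-01", True, 42, False), Posture("lt-01", False, 42, True)]))
```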
