Sidewinder on Endpoint Security
NHS Connecting for Health has awarded McAfee a 700,000 license contract for its Endpoint Encryption solution. Davey Winder reveals just why endpoint security is such a hot potato.
A laptop was stolen recently from a car belonging to a manager at Colchester University Hospital. It contained the personal data of several thousand patients. The laptop was password protected, but the data was not encrypted.
“The truth of the matter is that simple anti-virus software plus a firewall does not cut it anymore.”
On the face of it, this was surely a clear breach of Department of Health policy, which requires NHS mobile devices to be protected by encryption. And it’s certainly proof, if proof was required, that it is time for the NHS to start taking endpoint security seriously.
Educating for the endgame
Jamie Cowper from enterprise data protection experts the PGP Corporation certainly thinks so. “Staff at the NHS trust involved were reminded that patient details should not be stored unencrypted on laptops,” he tells me.
“Yet this reminder clearly went unheeded. Perhaps there needs to be some basic education carried out within public sector organisations that password protection on its own does not equate to encryption.”
Indeed not, and it isn’t just the “password as protection” perception that needs to change. The truth of the matter is that simple anti-virus software plus a firewall does not cut it anymore.
“The systems used to protect endpoints in the past are certainly not sufficient enough to protect endpoints today or tomorrow,” says Sean Martin from security specialists SkyRecon Systems.
“Endpoint protection needs to be an integral part of security architecture, but is not a magic bullet solution on its own.”Recent studies suggest that as much as 75 per cent of all computer-related data losses come from a combination of incidents that include viruses, unauthorized access and physical loss of hardware; which is why endpoint security has become a focus for NHS Connecting for Health (NHS CFH) of late (more on this below).
Encryption “on steroids”
Think of endpoint security as the guardian that protects any device where data is stored - literally the end point in the data chain - and which makes sure that this data remains safe even if the device itself is lost, stolen or otherwise compromised. Think of it as encryption on steroids.
Adding content and port controls can prevent data from getting onto the wrong devices and into the wrong hands in the first place (sorry nurse, you cannot copy that file onto your iPod) and if it somehow does, then encryption prevents that breach from becoming a major problem.
Endpoint security and the policy imperative
Dr Mark Ferrar, director of infrastructure at NHS CFH, has said that “protecting patient data and NHS operational data against data security threats is essential.” Nobody would argue against that, but – as he would surely recognise – doing it will require more than jumping on the endpoint security bandwagon.
Scott Nursten from network security outfit s2s says: “endpoint security hinges absolutely on the security policy and the success of any security policy relies on good user education.”
Malware software specialist Gerhard Eschelbeck from Webroot agrees. “Today’s malware is complex and sophisticated and requires a multi-layer protection strategy,” he says.
“The first layer of defence sits deep in the cloud, and close to the root of the problem. Web and email are the main infection vectors for malware, which need to be dealt with in the cloud.” Endpoint protection needs to be an integral part of such security architecture, but is not a magic bullet solution on its own.
Case Study:
In a typical case of endpoint security in action, South London and Maudsley NHS Foundation Trust faced a threat from within: a proliferation of USB flash drive devices. It wanted software that could identify and control the use of USB devices, to protect the data on the more than 4,000 PCs in use across the trust.
Sanctuary Device Control uses a “positive security model”, whereby only known and trusted devices are allowed to connect to the network. Chris Irving, services manager, said: “I recommended Sanctuary Device Control as the best product for the job, because it not only detected that USBs were being connected to the trust’s IT network, but it could also tell us which make and model of USB device that our staff members were attempting to store data onto.”
As Andrew Clarke of Lumension Security says “Technologies such as anti-virus where only ‘known bad’ is blocked have become ineffective, and only allowing the ‘known good’ approach is now viewed as more pragmatic. The NHS needs a unified endpoint security solution to deal with the complex nature of today's threats.”
McAfee Endpoint:
McAfee Endpoint Encryption, formerly known as SafeBoot, has been chosen as an
encryption solution for removable media and full disk encryption for use across the NHS in England.
It is an enterprise class solution, integrating with existing software deployment tools and can be deployed in both standalone and organisation-wide scenarios. It will encrypt mobile devices including Microsoft Windows Mobile 2003, Windows Mobile 5.0 and 6.0, and Pocket PC.
On the hardware side of things, it works to encrypt removable media including USB sticks and USB hard disks, as well as data objects that can be written to removable media such as CD or DVD, attached to e-mail messages or placed on network file shares.
Trial access can be requested by emailing nhs@safeboot.com, and will cover 30 days of usage across 20 clients. Trusts are responsible for implementation and administration costs.
NHS CFH has a policy of not procuring support as part of software licensing agreements. However, there are three years of software upgrades and patches included, along with limited usage support available through McAfee's website.
See the Connecting for Health website for more information.
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years. In June, he won the Security Journalist of the Year 2008 award: the second time he has been given this honour in three years.