
Improve endpoint security protection with advanced tools and techniques

Better endpoint security protection is possible with NAC, DLP and other tools and techniques. Learn how they fit together to improve enterprise endpoint protection.

Given the diversity of devices, combined with the wide assortment of users who now connect to an enterprise network, absolute security may be impossible. But better endpoint security protection can be attained. There are various technologies that can help safeguard data stored on endpoints while protecting the network from devices that may be vulnerable to attack or already compromised. Network access control, data loss prevention and robust data destruction can work together for better endpoint security protection and prevent devices from putting enterprise data at risk.

What NAC does

Network access control (NAC) is a key technology for admission control, based on the overall security posture of users and their devices. Preadmission security policy checks, and the ability to automatically remediate noncompliant devices, ensure that each endpoint meets a minimum level of compliance before it can fully connect to the network. This not only ensures that endpoints are capable of protecting themselves from attack by malware, but also stops them from putting the rest of the network at risk. NAC can leverage user and device profiles in back-end data stores, such as Lightweight Directory Access Protocol, RSA and Active Directory. This enables routers, switches and firewalls to work together to determine who or what is trying to connect to the network and assign the appropriate access. This provides better endpoint security protection through greater coordinated defense-in-depth with security controls able to share their knowledge of network and device behavior.

NAC products can provide detailed information about the status of an endpoint's security: Are all necessary patches applied? Is hard-drive encryption enabled? Is the host-based firewall running? Which ports are open? While answering these concerns, and more, context-aware capabilities provide ongoing protection during each network session. Support for more specialized equipment -- such as point-of-sale systems, kiosks, supervisory control and data acquisition systems that may connect to the network -- is also important, as is integrating NAC with mobile device management technologies so that the security status of mobile devices can be checked.
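As an added illustration (not code from the original article or any NAC product), the following Python sketch shows how a preadmission posture check of the kind described above can be reduced to a policy decision: a constructed posture report per endpoint is compared against a minimal policy, and the device is either admitted, parked for automatic remediation, or quarantined. The patch identifiers, allowed ports and the split between auto-remediable and manual checks are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed policy values (placeholders, not real patch identifiers).
REQUIRED_PATCHES = {"PATCH-A", "PATCH-B"}
ALLOWED_OPEN_PORTS = {443}

# Assumption: the NAC can push patches and start the host firewall on its own,
# while disabled disk encryption or unexpected listeners need a human first.
AUTO_REMEDIABLE = {"patches", "firewall"}


@dataclass
class Posture:
    """Posture report an endpoint agent or scan returns for one device."""
    host: str
    patches: set
    disk_encrypted: bool
    firewall_running: bool
    open_ports: set


@dataclass
class Decision:
    action: str                                 # "admit", "remediate" or "quarantine"
    failed: dict = field(default_factory=dict)  # check name -> detail


def evaluate(p: Posture) -> Decision:
    """Compare one posture report against policy and choose an admission action."""
    failed = {}
    missing = REQUIRED_PATCHES - p.patches
    if missing:
        failed["patches"] = f"missing {sorted(missing)}"
    if not p.disk_encrypted:
        failed["encryption"] = "disk encryption disabled"
    if not p.firewall_running:
        failed["firewall"] = "host firewall not running"
    extra = p.open_ports - ALLOWED_OPEN_PORTS
    if extra:
        failed["ports"] = f"unexpected listening ports {sorted(extra)}"

    if not failed:
        return Decision("admit", failed)
    # Every failure is one the NAC can fix: place the device in a remediation
    # segment, apply the fixes, then re-run the checks before full admission.
    if set(failed) <= AUTO_REMEDIABLE:
        return Decision("remediate", failed)
    return Decision("quarantine", failed)
```

A real deployment would feed `evaluate` from the agent or scan data the NAC already collects and map the three actions onto VLAN or firewall assignments.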

Where DLP fits

While NAC can keep endpoints compliant and control their access to resources, data loss prevention (DLP) technologies provide better endpoint security protection by defending the data on devices from unauthorized attempts by careless or malicious users to copy or share it. DLP tools use deep content filtering to inspect and control the data a user or device is trying to download, copy, print, share or transfer, both to prevent unauthorized use and to stop sensitive data from leaving the network. This provides real-time data protection, as user accounts can be automatically disabled or devices quarantined as soon as a suspicious data transfer begins -- e.g., unusually large uploads or downloads, transfers at odd login times and so on.

DLP tools can be stand-alone or cloud-based, or integrated into existing endpoint security suites. Extending data loss prevention to mobile devices, whether corporate- or user-owned, usually requires some form of mobile device management product. Many of these can also ensure that data on mobile devices is always encrypted.

Required: Data Destruction

Encryption should, of course, be used on all endpoints, but the less sensitive data left on devices, the better it is for endpoint security. The turnover of network endpoints has never been higher, and data destruction policies need to be applied to all devices that have the ability to store data. Correctly sanitizing an endpoint's drive or flash storage when it is reassigned or decommissioned is essential to destroying all the electronic data on it; normal file deletion commands only remove pointers to the data, which means it takes only a trivial effort, using common software tools, to recover the actual data.

Better endpoint security protection requires reducing the number of endpoints holding forgotten copies of classified information, which reduces the chances of enterprise data being leaked or exposed. Combining robust data destruction with NAC and DLP technologies will greatly improve the overall security of endpoints and the data they store or process. 

Next Steps

Learn how to select antimalware protections to defend endpoints

Read TechTarget's essential guide to mobile endpoint security

Discover security monitoring tools that sweep for endpoint, and other, threats

This was last published in October 2016
