1. What is the underlying issue behind end-point security, and why is it becoming increasingly difficult for companies to address it? Define the problem in your own words using examples from the case.

2. What are the different approaches taken by the organizations in the case to address this issue? What are the advantages and disadvantages of each? Provide at least two examples for each alternative.

3. A majority of respondents to a survey discussed in the case described their company as trusting. What does this mean? What is the upside of a company being trusting? What is the downside? Provide some examples to illustrate your answers.

sers say protecting network end points is be- the range of what devices, which translates into different levels of protection for classes of users on myriad devices. Equally important is keeping sensitive information off movable media that can plug into USB ports. The depart "Deciding the appropriate device defense becomes the ment uses Safend's USB Port Protector product that either No. 1 job of endpoint security specialists," says Jennifer denies access to sensitive documents or requires that they Jabbush, chief information security officer of Carolina be encrypted and password-protected before being placed on the removable device Advanced Digital consultancy. Depending on the device and the user's role, end points need to be locked down to a veryone's talking about the insider threat. But pro- tecting data can't supersede the requirement to gi eater or lesser de For instance, Wyoming Medical Center in Casper, users the access they need to do their jobs-otherwise Vyoming, has four classifications of PCs: "open PCs in soon you'll have neither business data nor employees to hallways for staff use; PCs at nursing stations; PCs in of worry about. fices; and PCs on wheels that move between patient Striking a balance between access and protection rooms and handle very specific, limited applications," says isn't easy, however. In an Information Week Analytics/ Rob Pettigrew, manager of technical systems and help DarkReading.com Endpoint Security Survey of 384 busi ness technology pros, 43 percent classify their organiza ettigrew is deploying Novell ZenWorks to 850 of tions as "trusting," allowing data to be copied to USB the center's 900 PCs in order to make sure each class has drives or other devices with no restrictions or protective desk for the center the right software. With 110 applications and 40 major medical software systems to contend with, that makes a measures. Still, IT is aware of the need to move from a stance of huge matrix of machine types and restrictions to contend securing end points to assuming that laptops and smart phones will be lost, good employees will go bad, and virtual physicians in affiliated clinics can access machines will be compromised. Instead of focusing on end via SSL VPN (a kind of VPN that is accessible over Web points, let fortifications follow the data: Decide what must browsers), but they are limited to reaching Web servers in a be protected, find out everywhere it lives, and lock it down physician's portal that is protected from the hospital data against both inside and outside threats, whether via encryp network. Some Citrix thin-clients are also used to protect tion, multitiered security suites, or new technologies like with, he says. data loss prevention (DLP). data from leaving the network, but overall the strategy for unmanaged machines is a work in progress, Pettigrew says. DLP suites combine network scanning and host- "We're hoping to get more help desk to deal with the ex- based tools to collect, categorize, and protect corporate intellectual property. These products can maintain an cern that can be addressed by end-point archive of data and documents, along with associated ecurity is data privacy, which is paramount for the permissions by group, individual, and other policies Los Angeles County Department of Health Services in They then actively scan internal networks and external California, says Don Zimmer, information security of- connections looking for anomalies. This takes data pro- ficer for the department. He supports about 18,000 tection beyond perimeter or end-point protection: DLP desktops and laptops and operates under the restrictions faciliates internal safety checks, allowing "eyes only" f Health Insurance Portability and Accountability Act data to remain eyes only and minimizing the risk that (HIPAA) regulations. "That means disk encryption," sensitive data will be viewed by the wrong folks, even ternal physicians, he says. ne sa