Microcosm of a massive security problem

Some interesting trends emerge when Jon Oltsik gives a talk on endpoint security and asks the attendees about their IT infrastructure and their plans for it.

A few weeks ago, I gave a presentation to a number of companies about the future of endpoint security. During this presentation, I had the opportunity to ask these folks a number of questions about their IT infrastructure and their plans for it.

There were only about 20 organizations represented, so this was far from a statistically significant research project. Nevertheless, there were some interesting trends:

1. Only one of the organizations was upgrading its endpoint to Vista. It turns out that the one company is a Microsoft business partner, so it has to do so. Others said they have no reason to move to Vista and will consider a move to Windows 7 when it arrives in 2009.

2. Seven organizations were experimenting with desktop virtualization, and many of the others were interested in doing so. It seems like this technology has a very bright future.

3. None of the organizations was taking advantage of the Trusted Platform Module (TPM), a security chip that is embedded in all new PCs. Users complain that they like the security functionality but that TPM is simply too complex to roll out to nontechnical users.

4. All of the organizations represented used full-disk encryption on their laptops.

5. None of the organizations was using any type of port-blocking technologies (i.e., security tools that limit the use of devices connected to USB and other ports), though most were interested in looking at this.

6. About half of the organizations let end users use their company-issued PCs for personal use. The other half had policies and technology safeguards in place to preclude them from doing so.

7. Most of the organizations had implemented or planned to implement Network Access Control (NAC) technologies, but many were confused about the current status of this technology.

The audience was made up of pretty sophisticated organizations with ample security resources, yet even these security professionals were quick to admit that endpoint security remains complex, confusing, and full of vulnerabilities. In this regard, my small informal discussion with security professionals was a valid microcosm of the massive problem we face.