THE CISO’S PERSPECTIVE / 2019 5th Edition – June
In 2017 I had the opportunity to explore endpoint security with a dozen Chief Information Security Officers (CISOs) representing a broad cross section of industry. The research, conversations, brainstorming and detailed analysis not only resulted in a well-received industry report (part of a series of CISO-driven investigations), it also prompted me to examine closely how we manage and secure endpoints across the UW–Madison campus. In addition to exposing the CISOs' concerns about endpoints, the report highlighted the rapidly changing nature of enterprise cybersecurity, particularly the ever-growing amount of work happening outside the traditional firewall boundary, much of it on mobile devices.
These CISOs agree that, with a larger attack surface for bad cyber actors to exploit, something has to be done to better manage and secure both the data and the points from which it is accessed.
In April 2018, UW System published the UW System Information Security Program which, among a large group of security guides and initiatives, encourages standardization in tools, processes and approaches to basic cybersecurity functions. As we found out in the IT Spend surveys from 2017, at one point the university was managing well over 150 separate endpoint services, each with tools selected based on unit needs and resources. More importantly, the procurement actions for those tools overlapped, and each contract had to be managed separately (sometimes covering the same tool from similar vendors).
The key driver behind the current Endpoint Management and Security procurement is to allow UW–Madison to standardize on endpoint management and security solutions that will allow for a much smaller set of tools to cover most of the diverse technology and business use cases. A dividend of this effort is the ability to create and actively manage a campus-wide information technology asset inventory along with the ability to connect all devices and log/report activity centrally to the Cybersecurity Operations Center.
There is also a need to rationalize and strategically source endpoint and security management tools and provide a model for the UW System which seeks savings based on economy of scale. The desire is to offer a small set of flexible endpoint management and security tools that could be supported by a few core campus IT organizations and consumed by many distributed IT organizations.
What we asked for…
As we rationalized the requirements which were contributed by IT professionals from many of the distributed IT teams, it became quite clear that we needed to address not only security issues, but also the device management issues and those unique challenges of mobile devices whether they are university owned or brought to campus under the BYOD – Bring Your Own Device movement.
We had to settle on a definition first. We consider endpoint devices to be the Internet-capable computer hardware devices on our TCP/IP network: servers, desktop computers, laptops, smart phones, tablets, thin clients, printers, and specialized hardware such as Point of Sale terminals and smart meters; essentially anything but a router or a switch.
Using that definition, a team of IT and security leaders and technologists set out to ask the industry for leading and forward-thinking technology solutions that address our disparities in endpoint management and security. We asked for solutions that address operations, understanding of endpoint activity and vulnerabilities, and management of the endpoint.
Simple task, right?
Here is a deeper dive on what we asked for:
- Ability to identify and track a wide range of university endpoint devices or hardware.
- Ability to manage software and security on university-owned computers, servers, laptops and mobile devices.
- Endpoint encryption (full disk, data in transit, data at rest) and key escrow.
- A centralized console for controlling endpoint anti-malware, anti-spyware, Intrusion Prevention System (IPS), firewalls, applications, web security, email security and endpoint status (operating system version, patch levels, hardware version, etc.).
- The ability to display a unified view of security status and asset inventories to our Cybersecurity Operations Center and to the CIO (with the ability for Distributed IT leaders to view their own assets).
- Delegated administration with role-based access controls.
- Ability to support multiple operating systems in a robust manner: Windows, macOS, Linux, Solaris, AIX, iOS, Android, and those to come.
- Integration with central and distributed Active Directory and other directory services.
- Support for stand-alone machines (those with no directory services) and the ability to manage endpoints on unmanaged networks.
- Integration with campus authentication services.
- Integration with our security information and event management (SIEM) platform.
- A robust, full-featured Application Programming Interface (API).
- Accessibility for staff with physical or other challenges that might otherwise prevent them from using the tools or accessing the data.
The Request for Proposal was organized into three “lots” to allow for some diversity in tools to support the mixture of campus endpoints and mobile devices. Those lots are Lot A – Endpoint Management Solutions, Lot B – Endpoint Security Solutions, and Lot C – Mobile Device Management Solutions.
Credit and appreciation are due to the many people who contributed to this effort: the many technologists who helped develop requirements, the experts who work with the tools every day and helped the Core Team understand how their endpoints function with the tools at hand, and the technical experts who reviewed the many proposals for the three lots. Those teams were led by Kevin Cherek (AIMS), Allen Monette (Office of Cybersecurity), and Dave Schroeder from DoIT. Applause is also due to Core Team leaders Bobby Burrow from AIMS, Anne Gunther from Letters & Sciences, Nick Tincher from the Research community (who is now leading the Administrative Transformation Project), Tamara Walker from DoIT, and Ed Murphy from the UW System Administration’s Office of Information Security.
As we close out the proposal phase and select specific tools, the Office of Cybersecurity and the Division of Information Technology will work closely with leaders across campus and with the Distributed IT community. We will communicate early and often to ensure a secure and safe deployment and the best possible defense of the endpoint.
—Bob Turner, UW–Madison Chief Information Security Officer