Endpoint management is a crucial control for ensuring the security of an organization's data and systems. By defining, implementing, and evaluating processes, procedures, and technical measures, organizations can enforce policies and controls on all endpoints that access their systems or store, transmit, or process their data. Effective endpoint management is essential in today's mobile-first world where data often lives on a plethora of devices outside the traditional corporate network perimeter.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which you can download at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM is a cybersecurity control framework for cloud computing, composed of 197 control objectives structured in 17 domains covering all key aspects of cloud technology. Additional useful reference material on endpoint management best practices can be found in the CIS Benchmarks (https://www.cisecurity.org/cis-benchmarks) and NIST SP 800-124 Rev. 2 (https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final).

Who should care?

This control is relevant to:

• IT administrators responsible for managing and securing endpoints
• Security teams that need to monitor and protect data on endpoints
• Compliance officers who must ensure endpoints adhere to regulatory requirements
• Executives and business leaders who are accountable for securing company data

What is the risk?

Without proper endpoint management, organizations face several risks:

• Data leakage if sensitive info is stored on lost/stolen/compromised devices
• Malware infections that can spread from unprotected endpoints to the network
• Non-compliance with regulations like HIPAA, PCI-DSS, GDPR, etc.
• Insider threats if access controls and permissions are not centrally enforced
• Shadow IT if users install unapproved apps that IT has no visibility into

While endpoint management alone cannot completely eliminate these risks, it significantly reduces their likelihood and potential impact through preventive and detective capabilities.

What's the care factor?

Endpoint management should be a high priority for most organizations given the prevalence of remote/mobile workers and cloud-hosted data. Securing endpoints is foundational to an effective security program. However, the specific level of controls needed depends on the organization's risk tolerance and the sensitivity of the data being accessed from endpoints. A good rule of thumb is that endpoints with access to regulated data (e.g. PHI, PII, PCI) or business-critical systems should have the strictest controls.

When is it relevant?

Endpoint management is relevant whenever an organization has:

• Company-owned devices issued to employees (laptops, mobile devices, etc.)
• BYOD policies allowing personal devices to access company apps/data
• Remote workers connecting to the corporate network
• Third-parties (contractors, partners, etc.) needing access to internal systems
• Compliance requirements around data protection and access control

It may be less relevant for organizations with mostly on-prem workers using only desktop computers, or those that prohibit any company data from being stored on endpoints.

What are the trade-offs?

Implementing endpoint management controls requires an investment in:

• Software agent licenses for a unified endpoint management (UEM) platform
• IT staff time to define policies, configure the UEM, deploy agents, monitor alerts, etc.
• Some impact to end-user productivity, e.g. waiting for software installs/updates
• Reduced flexibility for power users who may resist IT controlling their devices
• Ongoing operational expenses for UEM software maintenance and staff

Organizations must balance the security benefits against these costs and organizational friction. The most successful endpoint management programs use a phased rollout, user education, and reasonable policies to minimize disruption.

How to make it happen?

1. Inventory all endpoint types (desktops, laptops, mobile devices, etc.) accessing company systems. Don't forget less obvious endpoints like smart TVs, point-of-sale terminals, badge readers, etc.
2. Assess the sensitivity of data stored/accessed and applicable compliance reqs for each endpoint type. Group them into risk tiers (low, medium, high).
3. Define security policies for each tier covering aspects like:

• Passcode requirements (length, complexity, idle timeout, failed attempts)
• Encryption for data-at-rest and in-transit
• Software whitelisting/blacklisting and patch management
• Anti-malware, host firewall, DLP, and other endpoint protection
• User privilege limitations (standard vs admin)
• Permitted cloud services and shadow IT restrictions
• Location tracking and remote wipe for lost/stolen devices

4. Select a unified endpoint management (UEM) platform that supports your endpoint types and policy requirements. Leading vendors include VMware Workspace ONE, Microsoft Intune, IBM MaaS360, Citrix Endpoint Management, ManageEngine Desktop Central, etc.
5. Install the UEM management console on a dedicated server in a secure network zone. Harden the server as per your organization's server security standards.
6. Configure the UEM policies and settings. Test them with a small user group before rolling out more broadly.
7. Deploy the UEM agent to endpoints using your software deployment tool. For BYOD, provide instructions for users to install it themselves.
8. Verify devices are checking into the UEM console and receiving the expected policies and software/updates. Monitor for any errors or performance issues.
9. Establish processes for employee onboarding/offboarding, lost devices, compliance audits, etc. Train IT staff and document all procedures.
10. Regularly review UEM reports for unused devices, non-compliant endpoints, threats detected, etc. Fine-tune policies based on real-world usage.

What are some gotchas?

• The UEM management server becomes a prized target for attackers. Lock it down and monitor closely for unauthorized access attempts.
• To deploy UEM agents and enforce policies, the UEM admin needs local admin rights on endpoints (e.g. SCCM Client Push Installation requires the "Domain Computers" group). Carefully control and audit these powerful permissions.
• Certain endpoint security tools (DLP, CASB, etc.) require installing kernel-level drivers. Test extensively before broad deployment to avoid system instability or performance degradation.
• Personal devices may have old/jailbroken/rooted OSes that aren't compatible with the UEM agent. Define minimum supported OS versions in your policy.
• Apple MDM profiles only apply to corporate-owned iOS/macOS devices enrolled via DEP/ABM. For personal devices, use a MAM-based container approach.

What are the alternatives?

For organizations that can't justify a full-featured UEM tool, some lower-cost/overhead options to consider:

• Group Policy for centrally managing Windows endpoints (no mobile support)
• Jamf Pro or Fleetsmith for managing Mac endpoints
• Android Enterprise or iOS/iPadOS MDM for basic mobile device management
• OSQuery for endpoint visibility and configuration monitoring
• Standalone endpoint protection platform (EPP) for threat prevention w/o mgmt

However, these point solutions lack the comprehensive, unified approach of a true UEM platform. They may suffice for smaller organizations but become unwieldy to manage at scale.

Explore Further

• NIST SP 1800-22 "Mobile Device Security: Bring Your Own Device (BYOD)" https://www.nccoe.nist.gov/library/practice-guide/nist-sp-1800-22-mobile-device-security-bring-your-own-device-byod
• CIS Benchmarks for OS hardening https://www.cisecurity.org/cis-benchmarks
• "Gartner Magic Quadrant for Unified Endpoint Management Tools" (industry analysis of UEM vendors) https://www.gartner.com/doc/reprints?id=1-1FXQ5S5B&ct=210412&st=sb
• "10 Best Practices for Successful BYOD Management" https://www.cybersecurity-insiders.com/10-best-practices-for-successful-byod-management/

This control maps to:

• CIS Controls v7.1 12.1, 12.4, 12.8 (Boundary Defense)
• NIST SP 800-53 rev5 AC-19 (Access Control for Mobile Devices), MP-7 (Media Use)

‍