Endpoint Protection Requirements in Common Compliance Standards

Endpoint protection solutions are deployed on endpoints, such as employee workstations, mobile devices, servers, and cloud virtual machines (VMs), to protect them against cyber threats. These solutions cover the security gaps left by traditional antivirus technologies. Endpoint protection provides multiple layers of protection that can address advanced threats such as data leaks, sophisticated malware, advanced persistent threats (APTs), and zero-day exploits.

Most compliance standards have specific requirements regarding cybersecurity. Endpoints are a weak link in the security posture of many organizations. So endpoint protection is an important part of achieving and demonstrating an adequate level of security for a corporate network. In this article, I’ll cover several important compliance standards and how endpoint security can help your organization achieve compliance.

GDPR and Endpoint Protection

The General Data Protection Regulation (GDPR) is a personal data protection law by the European Union (EU). It imposes certain rules on all entities processing personal data to help protect the privacy of EU citizens.

The GDPR applies to EU and non-EU entities processing EU personal data. The GDPR enforces strict penalties for noncompliance, and administrative fines for violations can reach up to €20 million or 4% of annual worldwide revenue (whichever is greater).

Endpoints can help comply with GDPR.

Endpoint security includes various technologies, such as secure web gateways (SWGs), anti-malware solutions, and endpoint management systems. These solutions help ensure desktops, mobile devices, and laptops are not compromised.

Endpoint devices can contain personally identifiable information (PII) belonging to an organization’s customers or employees, covered by the GDPR. Thus, implementing endpoint security can play an important role in complying with Article 32 of the GDPR, which specifies that organizations should:

• Ensure ongoing confidentiality and integrity of data processing systems and services;
• Be able to restore access to personal data promptly in the event of a cybersecurity incident
• Be able to test, assess and evaluate the effectiveness of security controls

The importance of software composition analysis (SCA)

Many organizations deploy their proprietary software on endpoints. This could be business software developed in-house by the organization or third-party solutions heavily customized by in-house development or IT teams.

These proprietary systems are often included in the allowlist of an endpoint security solution and trusted implicitly by security teams. However, even though the organization developed in-house, this does not guarantee they are free of vulnerable, insecurely configured, or even malicious components.

To ensure full protection, organizations must implement software composition analysis (SCA) technology, which can create a software bill of materials (SBOM) detailing all the components and sub-components included in proprietary software. This can guarantee and provide evidence for auditors that a software system does not contain vulnerable or malicious components. Thus, SCA is an important complement to endpoint security.

 Deploying endpoint protection while respecting employee privacy

Endpoint security solutions can be a double-edged sword while enhancing security. They can be used to monitor private data and Internet activity, and thus might have an impact on the privacy of employees using those endpoints. For example, smartphones and tablets are often used for personal as well as business purposes, which means they include private and sensitive information belonging to a company’s employees.

Organizations must reconcile the requirement to protect company and customer data with the privacy rights of employees mandated by the GDPR. The GDPR allows monitoring employees if organizations follow certain rules regarding the extent of the monitoring and the handling of data collected as part of this activity.

Organizations can monitor data for security purposes if they demonstrate that the benefits of security significantly outweigh the reduction in employee and customer privacy. If the organization cannot demonstrate a substantial increase in security, it cannot legally implement data collection and subsequent security protocols. This requirement applies to monitoring device usage on laptops, mobile devices, and desktops.

The GDPR stipulates requirements governing how organizations secure employees’ corporate-owned mobile devices. Organizations using mobile security products like enterprise mobility management (EMM) systems must adapt their solution to comply with GDPR requirements such as:

• Keep a record of how and when employees consent to store and use their personal data.
• Record where the data came from and the parties it was shared with.
• Conduct an information audit to ensure transparency and accountability in the event of unauthorized access to employee data.

HIPAA and Endpoint Protection

Enacted in 1996, the US Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare providers protect patient data against unauthorized access and improper usage. Failure to comply with its guidelines can result in fines and other severe consequences for health providers and their partners.

The HIPAA Security Rule requires organizations to maintain reasonable administrative, technical, and physical security controls to safeguard protected health information (PHI). This includes:

• Ensuring that any PHI the organization creates, receives, maintains, or transmits, is protected to ensure confidentiality, integrity, and availability.
• Protecting PHI and related systems against threats to its security or integrity, unauthorized use, or disclosure.

One way to meet these requirements is implementing multi-factor authentication (MFA) for systems that store or have access to PHI. Restricting access to sensitive systems across healthcare organizations not only safeguards data against outside attackers but ensures that staff is accessing data based on their level of privileges.

Another important aspect is proactive prevention. Endpoint security solutions can safeguard the data and workflows associated with the individual devices that connect to your network, and examine files as they enter the network. Deploying endpoint protection on all devices that have access to PHI can help prevent various threats, including malware and ransomware.

PCI DSS and Endpoint Protection

The Payment Card Industry Data Security Standard (PCI DSS) is a set of policies and procedures intended to ensure the security of credit, debit, and cash card transactions, and protect cardholders against misuse of their personal information.

There are three key PCI DSS requirements that can be met with the help of endpoint security technologies.

Installing firewall software

One of the PCI DSS requirements is to install firewall software or equivalent functionality on any computing device that connects to the Internet and is also used to access the cardholder data environment (CDE).

Endpoint protection solutions typically include a device firewall and can block or detect malicious activity on the endpoint. They provide real-time visibility into inbound/outbound network connections across the organization. The contextual analysis allows security teams to inspect every file on endpoints and determine if an unknown or malicious file is responsible for an unauthorized network connection.

Configuration standards to address security vulnerabilities

Another PCI DSS requirement is to develop configuration standards for all system components, addressing all known security vulnerabilities in line with system hardening standards. Endpoint protection solutions can support this by defining organization-wide policies, which provide complete control over the security configuration on each endpoint.

Deployment of anti-malware

Additional PCI DSS requirements that can be met with the aid of endpoint security are the deployment of anti-malware solutions on endpoints, verifying that anti-malware is up to date, and generating an audit log of anti-malware software. Endpoint security deploys anti-malware functionality consistently across all endpoints and can provide an audit trail that meets PCI requirements.

Conclusion

In this article, I explained the basics of endpoint protection, and showed how endpoint protection can help fulfill important requirements of three compliance standards:

• GDPR – endpoint protection can help ensure the confidentiality and integrity of data processing systems and services, and make it easier to restore access to personal data in a timely manner.
• HIPAA – endpoint protection can ensure that PHI is protected to ensure confidentiality, integrity, and availability, and that related systems are properly defended against reasonably expected threats.
• PCI DSS – endpoint protection can help with three PCI DSS cybersecurity requirements: deploying firewalls, implementing configuration standards, and deploying anti-malware.

I hope this will be useful as you leverage modern security technology to ease your organization’s compliance efforts.

Atlantic.Net stands ready to help you attain fast compliance with a range of certifications, such as SOC 2 and SOC 3, HIPAA, and HITECH, all with 24x7x365 support, monitoring, managed security services, and world-class data center infrastructure. For faster application deployment, free IT architecture design, and assessment, visit us at www.atlantic.net, call 888-618-DATA (3282), or email us at [email protected].