CSA CCM UEM-01
Endpoint Devices Policy and Procedures

In today's cloud-centric world, endpoint devices like laptops, smartphones, and tablets allow employees to work from anywhere. However, these untethered devices also introduce unique security risks that must be properly managed. A robust Endpoint Devices Policy is essential for establishing clear rules and procedures to keep sensitive data safe on all your organization's endpoints.

Where did this come from?

This guidance comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here. The CCM provides a controls framework for cloud providers and cloud consumers. This specific control, UEM-01, falls under the Universal Endpoint Management domain. For more context, check out the CSA Security Guidance and the CSA Enterprise Architecture.

Who should care?

Several roles will be invested in a solid Endpoint Devices Policy:

  • CISOs and CIOs responsible for overall security strategy and risk management
  • IT managers tasked with operationalizing endpoint security controls
  • Information security analysts monitoring for and responding to endpoint threats
  • Employees using company-issued or personal devices to access corporate data

What is the risk?

Without clear policies governing acceptable use, configuration, and monitoring of endpoints, organizations face several dangers:

  • Data leakage - Sensitive information could be exposed if a device is lost, stolen, or compromised by malware. A policy requiring encryption can mitigate this.
  • Malware infections - Unpatched vulnerabilities or risky user behavior can allow malicious code to infiltrate via endpoints and spread to the corporate network. Mandating anti-malware and patching can reduce this risk.
  • Compliance violations - Many regulations have specific requirements for endpoints. For example, HIPAA requires device encryption. An endpoint policy aligned with compliance needs prevents audit failures and fines.

What's the care factor?

For most organizations, endpoint security should be a high priority because:

  1. Endpoints are a primary malware infection vector
  2. Work-from-home and BYOD significantly expand the endpoint attack surface
  3. Significant financial and reputational damage can result from an endpoint-related data breach

However, the risk level and necessary policy controls may vary based on the sensitivity of data handled by endpoints and the specific industry compliance mandates.

When is it relevant?

An Endpoint Devices Policy is a must-have for any organization allowing remote work, BYOD, or company-issued portable devices. It is especially critical for highly regulated industries like finance and healthcare. Small businesses handling minimal sensitive data may get away with a more lightweight policy.

It may be less relevant for a workforce operating exclusively from a secure office using only desktop computers. But even then, a basic policy is still warranted as insurance against insider threats or physical intrusions.

What are the trade offs?

Locking down endpoints increases security but comes with costs and considerations:

  • User experience - Restrictions like complex passwords, short idle timeouts, and banned apps can frustrate employees. Balance is key.
  • IT overhead - Someone has to define, deploy, and police the endpoint policy. The more complicated the policy, the more staff hours required.
  • User privacy - Monitoring user devices and remote wiping can infringe on personal privacy, especially for BYOD. Get explicit consent.
  • False positives - Strict security policies can block legitimate activity. Plan for a whitelisting process to accommodate exceptions.

How to make it happen?

The basic steps to develop and operationalize an Endpoint Devices Policy are:

  1. Assess risks - Catalog the types of endpoints and data in use. Consider insider threats, external attackers, malware, and device loss/theft scenarios.
  2. Determine policy inclusions - Using the CCM control as a guide, define the specific policy elements you need. Examples: approved device types, authentication requirements, encryption rules, acceptable use guidance, remote wipe criteria, etc.
  3. Draft the policy - Write up the policy details in a clear, concise document. Keep it as simple as possible while addressing the key risks. Engage stakeholders for input.
  4. Deploy technical controls - Configure MDM, EDR, DLP and other security tools to enforce the policy. For example:
    • Push password and timeout policies via Microsoft Intune
    • Whitelist USB devices with SentinelOne
    • Restrict data transfer with Symantec DLP
  5. Educate users - Share the written policy with all employees. Providing training on the "why" and "how" of endpoint security. Make it engaging with real-world examples.
  6. Plan for exceptions - Publish a clear process for users to request policy exceptions. Route requests through managers and security staff for review.
  7. Audit and maintain - Regularly check for policy violations and outdated standards. Use lessons learned to optimize the policy. At least annually, review and refresh the entire policy.

What are some gotchas?

A few things to watch out for when implementing endpoint policies and controls:

  • MDM solutions like Intune require specific permissions for some policy actions. For example, remote wipe needs the DeviceManagementManagedDevices.PrivilegedOperations.All permission.
  • Apple is increasingly restricting MDM functionality on personal devices. Make sure your MDM solution supports User Enrollment for iOS BYOD management.
  • Beware the support burden of a complex policy. If restrictions are too complicated, IT will be flooded with help desk calls. When in doubt, simplify.

What are the alternatives?

While an Endpoint Devices Policy is best practice, there are compensating controls that can reduce risk without heavy-handed device restrictions:

  • Virtual desktop infrastructure (VDI) and virtual app delivery allow secure access to corporate resources without exposing the endpoint. See: Windows 365.
  • Agentless browser isolation platforms like Cloudflare Browser Isolation can protect against web-based threats.
  • Continuous authentication using behavioral biometrics can detect compromised devices. Examples: Microsoft Entra, BioCatch.

Explore further

  • NIST SP 800-124 Rev. 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise - https://csrc.nist.gov/publications/detail/sp/800-124/rev-2/final
  • CIS Benchmarks for various device platforms (login required) - https://www.cisecurity.org/benchmark/mobile_devices
  • Related CIS Critical Security Controls:
    • 1.4 Maintain Detailed Asset Inventory
    • 2.2 Ensure Software is Supported by Vendor
    • 2.6 Address Unapproved Software
    • 3.10 Encrypt Sensitive Data on End-User Systems
    • 8.1 Establish and Maintain an Inventory of Administrative Accounts
    • 8.2 Change Default Passwords
    • 13.5 Manage Access Control for Remote Devices
    • 16.2 Establish and Maintain a Process for Managing Incidents

Blog

Learn cloud security with our research blog