Top endpoint management challenges and how the cloud solves them
Aug 03 · 7 min read
The pandemic accelerated digitization of the workforce; consequently, IT teams around the world began facing multiple challenges in managing their endpoints remotely. With the world shifting back to the work-from-office model, there are new endpoint management challenges that IT managers are tasked with identifying before they become security threats.
ManageEngine's IT team is handling this shift with an effective endpoint management blueprint designed to help them prepare for the challenges ahead.
In this article, we'll look at three endpoint challenges that IT managers can anticipate and how the right cloud solution can help combat them.
Challenge 1: Endpoint accessibility
The first major challenge with the onset of remote work was devices operating outside the corporate network. A 100% in-office or hybrid model means even more device movement in and out of the corporate network, and the difficulty with the hybrid model shows up when you have to apply one policy to all devices at once.
Consider this scenario: Our IT team received a security advisory stating that devices in our network must not be allowed to visit a set of websites. The IT team wanted to implement this advisory as a policy on all devices in our network. This is usually done by running a script through our endpoint management solution that blocks the blocklisted websites on every device connected to the solution. Unfortunately, with many employees still working remotely, their devices aren't always connected to the VPN, so the IT team would have to wait until each employee connects to the corporate network before the policy could execute. Waiting is not advisable when a security risk is just around the corner.
Here are some other scenarios that could pose similar challenges:
- Imposing restrictions on social media websites
- Running a script to search for a file across all devices
- Imposing restrictions on specific software
In such scenarios, waiting until the devices connect to the VPN is neither timely nor scalable.
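The blocklist script described above, as an added example rather than ManageEngine's own code: it enforces an advisory's list of hostnames through the endpoint's hosts file and is written so that running it on every agent check-in is safe. The marker strings, hosts-file paths and sample data are assumptions.

```python
"""Idempotent website blocklist enforced through the hosts file.

Added example, not ManageEngine code. Assumes the advisory arrives as a list
of hostnames and that the management agent runs this with write access to
the hosts file. Paths, marker strings and the sample data are assumptions.
"""
from __future__ import annotations

import platform
from pathlib import Path

BEGIN = "# BEGIN managed-blocklist"   # assumed marker strings
END = "# END managed-blocklist"
SINKHOLE = "0.0.0.0"                  # unroutable, so connections fail fast


def hosts_path() -> Path:
    """Default hosts file location (assumed; override via apply_blocklist)."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


def _strip_managed_block(content: str) -> list[str]:
    """Return the lines outside any previous managed block."""
    kept, inside = [], False
    for line in content.splitlines():
        s = line.strip()
        if s == BEGIN:
            inside = True
        elif s == END:
            inside = False
        elif not inside:
            kept.append(line)
    return kept


def render_hosts(existing: str, blocklist: list[str]) -> str:
    """Hosts content with exactly one managed block for `blocklist`.

    Everything outside the markers is preserved, a previous managed block is
    replaced rather than appended to, and an empty blocklist removes the
    block. Re-running on every agent check-in therefore cannot grow the file.
    """
    head = "\n".join(_strip_managed_block(existing)).rstrip("\n")
    head = head + "\n" if head else ""
    names = sorted({h.strip().lower().rstrip(".") for h in blocklist if h.strip()})
    if not names:
        return head
    block = [BEGIN] + [f"{SINKHOLE} {n}" for n in names] + [END]
    return head + "\n".join(block) + "\n"


def blocked_hosts(content: str) -> set[str]:
    """Verification step: the names the managed block currently sinkholes."""
    found, inside = set(), False
    for line in content.splitlines():
        s = line.strip()
        if s == BEGIN:
            inside = True
        elif s == END:
            inside = False
        elif inside:
            parts = s.split()
            if len(parts) >= 2 and parts[0] == SINKHOLE:
                found.add(parts[1])
    return found


def apply_blocklist(blocklist: list[str], path: Path | None = None) -> set[str]:
    """Write the managed block (needs admin/root) and report what is blocked."""
    path = path or hosts_path()
    current = path.read_text() if path.exists() else ""
    new = render_hosts(current, blocklist)
    if new != current:
        path.write_text(new)
    return blocked_hosts(new)


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a hosts file and an advisory listing two domains
    # (with a duplicate and mixed case), applied to a temp file, then revised.
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "hosts"
        p.write_text("127.0.0.1 localhost\n::1 localhost\n")
        print(apply_blocklist(["bad.example", "WWW.Bad.example", "bad.example"], p))
        print(apply_blocklist(["other.example"], p))  # replaces, does not append
        print(p.read_text())
```

Because the managed block is replaced rather than appended, a revised advisory (or an empty one) cleanly supersedes the previous policy, and blocked_hosts gives the agent something to report back. A hosts-file block is a coarse control: it does nothing for a browser using DNS-over-HTTPS, for connections made by IP address, or on a device whose local admin edits the file, so treat it as the quick first response and back it with DNS or proxy filtering for durable enforcement.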
To tackle this challenge, you could consider one of the following options:
- Impose an organization-wide policy that mandates all devices must be connected to the corporate network via VPN during working hours.
- Shift your endpoint management solution from on-premises to the cloud.
The former may not be possible for most organizations, including ManageEngine, due to the constantly evolving post-lockdown work culture. We went with the latter and switched to the cloud.
Since ManageEngine runs on ManageEngine, we tweaked our endpoint management solution to tackle this challenge. We moved our endpoint management server to the cloud so devices could contact the server directly via the internet. This enabled us to execute the security advisory and other policies without delay since the devices don't need to be connected to the corporate VPN.
However, this wasn't an easy plan to implement. We ensured our endpoint management tools were secure enough to be exposed to the internet and to reach any device in the network with nothing more than an internet connection. We conducted multiple tests, consulted with experts, and made a well-informed decision to shift to the cloud. If you want to make this shift, make sure your endpoint management tools have passed enough security testing before moving them to the cloud: a server that every agent can reach from the internet is a server every attacker can reach too, so agent-to-server authentication, TLS on the management channel, and a minimal exposed surface are the baseline, not extras.
Challenge 2: Security beyond antivirus
Cyberattacks grew sharply during the pandemic. Attackers saw an opportunity to exploit vulnerable endpoints as a way into otherwise secure networks. Their attacks have become more sophisticated, and it takes more than antivirus software to protect endpoints. The challenge now is to add security capabilities beyond signature-based antivirus.
Endpoint management has traditionally been about managing the inventory of devices, installing the required applications, applying policies, and so on. Traditional antivirus, for its part, is signature-based: it keeps a database of known malware samples and their hashes or byte patterns, and flags a file on your system that matches one of them. A file it has never seen, or a known sample altered by a single byte, produces a different hash and is not matched.
Today, endpoints are proving to be vulnerable to more than just viruses. If one device that joins the corporate network has a weak password, the whole network is at risk: once an attacker controls that device, any server that trusts it becomes reachable from it. As much as we must protect servers, we must also protect endpoints. So, how do you secure endpoints from such intrusions?
You need a security mechanism built into your endpoint solution known as endpoint detection and response (EDR). An EDR system must have the ability to:
- Detect exploitable weaknesses on the device and alert the endpoint management solution.
- Perform behavioral analysis to detect anomalies.
- Detect abnormal and suspicious activity on the device.
- Detect malware in files and trace where it came from (for example, the source IP address).
Combining EDR with your endpoint management system makes it more comprehensive. Layering a managed detection and response (MDR) service on top of EDR puts analysts behind the telemetry, which improves how quickly threats are detected and dealt with.
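To make the difference concrete, here is an added example (not ManageEngine's or any EDR vendor's code) that puts a hash-based signature check beside two behavioral rules of the kind an EDR applies to process and file telemetry. The sample bytes, telemetry events, process names and thresholds are constructed for the demonstration.

```python
"""Signature match versus behavioral rules over endpoint telemetry.

Added example, not ManageEngine or any vendor's EDR code. The "known bad"
sample, its variant and the process/file events are all constructed here;
the rule thresholds are assumptions chosen for the demo.
"""
import hashlib
import os
from collections import defaultdict

# Constructed stand-in for a malware sample and the signature database built from it.
KNOWN_SAMPLE = b"MZ\x90\x00constructed-sample-of-a-known-bad-binary"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def signature_match(sample: bytes) -> bool:
    """Hash lookup: catches only files already in the database, byte for byte."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def behavioral_alerts(events, burst_n=5, burst_window_s=10.0):
    """Apply two behavior rules to (timestamp_s, kind, details) events.

    Rule 1: a document application spawning a script interpreter (a common
            macro or phishing-attachment pattern).
    Rule 2: one process renaming burst_n or more files to the same new
            extension within burst_window_s seconds (ransomware-like).
    """
    alerts = []
    renames = defaultdict(list)  # (pid, new extension) -> timestamps
    for ts, kind, d in events:
        if kind == "process_start":
            parent, image = d["parent"].lower(), d["image"].lower()
            if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", d["pid"], f"{parent} -> {image}"))
        elif kind == "file_rename":
            ext = os.path.splitext(d["new"])[1].lower()
            renames[(d["pid"], ext)].append(ts)
    for (pid, ext), stamps in renames.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > burst_window_s:
                start += 1
            if end - start + 1 >= burst_n:
                alerts.append(("mass_rename_burst", pid,
                               f"{burst_n}+ files renamed to {ext!r} within {burst_window_s}s"))
                break
    return alerts


# Constructed telemetry: a macro document launches PowerShell, which drops a
# payload that encrypts a handful of documents; a single benign rename follows.
SAMPLE_EVENTS = [
    (0.0, "process_start", {"pid": 100, "parent": "explorer.exe", "image": "WINWORD.EXE"}),
    (2.5, "process_start", {"pid": 101, "parent": "WINWORD.EXE", "image": "powershell.exe"}),
    (3.0, "process_start", {"pid": 102, "parent": "powershell.exe", "image": "svc_update.exe"}),
] + [
    (4.0 + i * 0.3, "file_rename",
     {"pid": 102, "old": f"C:\\Users\\a\\Documents\\doc{i}.docx",
      "new": f"C:\\Users\\a\\Documents\\doc{i}.docx.locked"})
    for i in range(6)
] + [
    (60.0, "file_rename", {"pid": 300, "old": "notes.txt", "new": "notes.bak"}),
]


if __name__ == "__main__":
    variant = KNOWN_SAMPLE + b"\x00"  # one extra byte: same behavior, new hash
    print("signature matches original:", signature_match(KNOWN_SAMPLE))
    print("signature matches variant: ", signature_match(variant))
    for alert in behavioral_alerts(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

The variant differs from the known sample by one byte, so the signature lookup misses it, while the telemetry it produces (a document application spawning PowerShell, then a burst of files renamed to the same new extension) trips both behavioral rules. Real EDR rules are tuned against far more context than this, and thresholds like burst_n decide how much noise you accept; the point is that behavior is what an attacker cannot trivially change.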
Securing endpoints strengthens the security of servers. Organizations can take another step in this direction by implementing a Zero Trust model, in which the network trusts no device or application by default; trust is established step by step, depending on context, with least-privilege access.
Challenge 3: Endpoint isolation
EDR solutions work well when you need to find out whether an endpoint is affected. Consider a scenario where your colleague's device is infected with malware, which EDR can help you detect. You would have a new problem if the attacker then reached your device from your colleague's, so the connection between the two devices should be restricted. Restricting this lateral movement means drawing a boundary around each endpoint and isolating it.
Previously, IT teams focused on strengthening the corporate network. If the corporate network was secure, you could run an Apache server on your machine, give the IP to a coworker, and grant access to your applications. Colleagues could share an environment and still feel secure, provided the network was. If endpoints offer that kind of access today, however, an attacker who plants malware on one endpoint can reach the next. Malware traveling from one endpoint to another presents a huge challenge. Recently, a large, well-known enterprise succumbed to exactly this: after one user's credentials were compromised, the attacker moved from one system to the next until sensitive data was exposed.
To combat this challenge, you must set solid boundaries for each endpoint. For example, by mandating two-factor authentication for crossing a boundary, you block an attacker's path from one endpoint to another: the second factor is held by the user, not the device, so even if one endpoint is corrupted by malware, the user responsible for it becomes part of securing the boundary.
Interaction and access across boundaries must be restricted to machines you trust and know to be secure. For this, consider a model in which users only get network access when they are in the office environment and must use separate devices to share data and applications. This separation cuts down on the possibility of peer access from one device to another.
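As an added example, not ManageEngine's code, the following looks for the pattern described above in logon records: one account reaching several hosts in a short window, and workstations authenticating directly to other workstations, which an endpoint-isolation model rules out. The event format, host-naming convention and thresholds are assumptions.

```python
"""Lateral-movement detection over constructed logon events.

Added example, not ManageEngine code. It assumes logon records of the form
(timestamp_s, user, source_host, destination_host, logon_type), a naming
convention where workstations start with "WS-" and servers with "SRV-", and
the thresholds below; all of these are assumptions for the demo.
"""
from collections import defaultdict, deque

NETWORK_LOGON = 3  # Windows logon type 3 (network), e.g. SMB/RPC access


def is_workstation(host: str) -> bool:
    return host.upper().startswith("WS-")


def lateral_movement_alerts(events, fanout_n=3, window_s=600):
    """Two rules over chronologically sorted events.

    Rule A: a workstation authenticating directly to another workstation.
            Under an endpoint-isolation model this should not happen at all.
    Rule B: one account reaching fanout_n or more distinct hosts within
            window_s seconds (a credential hopping across systems).
    """
    alerts = []
    peer_seen = set()
    recent = defaultdict(deque)  # user -> deque of (ts, dst) inside the window
    fanout_alerted = set()
    for ts, user, src, dst, logon_type in sorted(events):
        if src == dst:
            continue  # local logon, not movement
        if logon_type == NETWORK_LOGON and is_workstation(src) and is_workstation(dst):
            key = (user, src, dst)
            if key not in peer_seen:
                peer_seen.add(key)
                alerts.append(("workstation_to_workstation", user, f"{src} -> {dst}"))
        q = recent[user]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {d for _, d in q}
        if user not in fanout_alerted and len(distinct) >= fanout_n:
            fanout_alerted.add(user)
            alerts.append(("credential_fanout", user,
                           f"{len(distinct)} hosts within {window_s}s"))
    return alerts


# Constructed logons: alice behaves normally; bob's credential hops from his
# workstation through two colleagues' machines to a file server in four minutes.
SAMPLE_LOGONS = [
    (0,    "alice", "WS-ALICE", "SRV-MAIL",  3),
    (30,   "bob",   "WS-BOB",   "SRV-FILES", 3),
    (120,  "bob",   "WS-BOB",   "WS-CAROL",  3),
    (180,  "bob",   "WS-CAROL", "WS-DAVE",   3),
    (240,  "bob",   "WS-DAVE",  "SRV-FILES", 3),
    (3600, "alice", "WS-ALICE", "SRV-FILES", 3),
]

if __name__ == "__main__":
    for alert in lateral_movement_alerts(SAMPLE_LOGONS):
        print("ALERT", *alert)
```

Detection of this kind is the check that tells you whether the boundaries hold; the boundaries themselves are enforced on the host (a firewall rule that rejects inbound peer connections from other workstations, plus the two-factor gate described above). Expect some benign fan-out from administrators and service accounts, which is why the rule keys on the account and a time window rather than on any single logon.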
As ManageEngine grows and adds more endpoints to its network, we are bound to face more challenges. However, they only help us refine our solutions. Moreover, ManageEngine uses its own solutions to run the organization. Tackling more challenges helps us improve our products and eventually serve our customers more efficiently. If you want a deeper look into our endpoint management framework, check out our e-book.
About the author
Shivaram P R, Content writer