Working from home has gone from a convenience to a necessity, and the benefits of a home office are well known. It also puts company data at risk, because employees connect from outside the corporate network and from a variety of devices, including personal laptops. According to the Verizon Data Breach Investigations Report, 70% of breaches occur at the endpoint. Endpoints have therefore become a prime target for attackers, and endpoint security a critical concern.

To help you address these challenges, here are 7 practical tips to secure your endpoints. Implementing even some of them adds a meaningful layer of protection for your work and sensitive information, and supports a secure and productive remote work environment.

1. Deploy a Virtual Desktop Infrastructure

Deploying a Virtual Desktop Infrastructure (VDI) is a well-established way to improve data security: company data stays in the company's datacentre rather than on the endpoint. If an endpoint is lost or stolen, the data is neither lost nor exposed, because it was never stored locally; it remains in the datacentre and stays accessible from anywhere, from any device. VDI also enables centralized management of the desktops themselves. Unlike DaaS or public-cloud / hybrid approaches, VDI relies solely on the company's own resources, not on a public cloud. One caveat: VDI moves the data, not the session. A compromised endpoint can still capture keystrokes and screen content while the user is connected, which is why the remaining tips focus on hardening the endpoint itself.

2. Implement a Zero Trust approach

As the name suggests, in a Zero Trust approach no user or device is trusted by default, not even a registered device or traffic arriving from a location that used to be considered trusted, such as the corporate LAN or the VPN.

The zero-trust security model is an approach where access to an enterprise's digital resources is denied by default, and authenticated users are granted access only to the applications, data, services, and systems they need to do their jobs.

Instead of focusing on where a user or device sits relative to the perimeter, i.e., inside or outside the private network, the zero-trust model grants access based on identity, role and device state, regardless of whether the user is at the office, at home or elsewhere.

In zero trust, authentication and authorization happen continuously throughout the network, rather than just once at the perimeter. This restricts unnecessary lateral movement between apps, services and systems, and accounts both for insider threats and for the possibility that an attacker compromises a legitimate account. Limiting which parties have privileged access to sensitive data greatly reduces an attacker's opportunities to steal it.

Zero trust messaging from vendors can be confusing and sometimes inaccurate. No one-size-fits-all, out-of-the-box zero-trust product or suite exists. Rather, zero trust is an overarching strategy built from a collection of tools, policies, and procedures that place a strong barrier around workloads to protect data. These can include MFA, access control, monitoring tools, a specific set of policies, working methods, etc. It is a methodology rather than a particular tool.
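To make the "deny by default, decide on identity and device state, re-evaluate continuously" rules concrete, here is an added example of a minimal policy evaluator of the kind a zero-trust access broker runs on every request. It is not ZeeTim's code or any product's API; the users, roles, resources and the policy table are constructed for illustration. Note what the request deliberately does not contain: any notion of being "inside the network".

```python
# Added example (not ZeeTim's code): a minimal default-deny policy evaluator of the
# kind a zero-trust access broker runs on every request and re-runs when a
# session's context changes. Users, roles, resources and policy are constructed.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool   # e.g. disk encrypted, patches current, EDR running
    resource: str
    action: str
    # Deliberately absent: an "inside the corporate network" flag. Location is
    # not an input to the decision.


# Constructed least-privilege policy: role -> resource -> allowed actions.
# Anything not listed here is unreachable; that is the "deny by default" rule.
POLICY = {
    "finance": {"erp": {"read", "write"}, "mail": {"read", "write"}},
    "contractor": {"ticketing": {"read", "write"}},
}

# Constructed set of resources that additionally require a managed, compliant device.
SENSITIVE = {"erp"}


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Evaluate one request. Every path that is not an explicit grant is a deny."""
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    allowed_actions = POLICY.get(req.role, {}).get(req.resource)
    if allowed_actions is None or req.action not in allowed_actions:
        return False, f"role '{req.role}' is not granted '{req.action}' on '{req.resource}'"
    if req.resource in SENSITIVE and not (req.device_managed and req.device_compliant):
        return False, f"'{req.resource}' requires a managed, compliant device"
    return True, "explicit policy match"


class Session:
    """A granted session is re-evaluated whenever its context changes instead of
    being trusted until it expires: losing device compliance mid-session revokes it."""

    def __init__(self, req: AccessRequest):
        self.req = req
        self.active, self.reason = decide(req)

    def update_context(self, **changes) -> bool:
        self.req = replace(self.req, **changes)
        self.active, self.reason = decide(self.req)
        return self.active


if __name__ == "__main__":
    base = AccessRequest("alice", "finance", True, True, True, "erp", "write")
    s = Session(base)
    print("login:", s.active, s.reason)
    print("posture lost:", s.update_context(device_compliant=False), s.reason)
    print("lateral move:", decide(replace(base, resource="hr", action="read")))
```

In a real deployment the posture fields come from the device-management or EDR agent and the policy table from an identity provider or policy engine; the shape of the decision, an explicit grant or a deny with a reason that can be logged, is what carries over.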

Gartner has predicted that by 2025, 60% of organizations will embrace a zero-trust security strategy.

3. Opt for a Thin Client OS for your endpoint

The endpoint OS largely determines the level of endpoint security. A general-purpose OS such as Windows is convenient for users, but its large attack surface is convenient for attackers too. A Thin Client OS (for example, a Linux-based read-only OS) presents far less to attack, can reduce the need for a costly anti-virus agent on the endpoint (the servers hosting the virtual desktops still need protection), and makes endpoint management much easier.

In a read-only operating system, any file created or modified during a session is stored only in volatile memory, and that memory is wiped on reboot. So even if an attacker gains access to the endpoint and drops malware, it is gone once the endpoint is restarted. The same property stops users from installing programs on their own or modifying the local configuration; the administrator has total control over the image. A Thin Client OS also lets you manage your endpoints remotely from anywhere through a centralized management console. Two caveats apply. First, a reboot removes the malware but not what it did while running: anything typed or displayed during the session, including credentials, may already have been captured, so reboot as soon as compromise is suspected. Second, "read-only" only holds if the boot medium and firmware cannot be altered, so keep the image on write-protected or signed media and lock down the device's boot path.
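The read-only claim is easy to verify on a running Linux image: the root filesystem must be mounted `ro`, and every writable mount must be either a kernel pseudo-filesystem or volatile storage such as tmpfs, so nothing written during the session outlives a reboot. The following added audit script does that check by parsing the `/proc/mounts` format. It is not part of ZeeOS or any ZeeTim product; the two sample mount tables are constructed (one compliant, one with persistent writable storage and writable UEFI variables), and the lists of volatile and pseudo filesystem types are assumptions you may need to extend for your image.

```python
# Added example (not ZeeTim's or ZeeOS's code): audit whether a Linux thin-client
# image really runs from read-only media with only volatile writable storage, by
# parsing /proc/mounts. The sample mount tables below are constructed.
import os

VOLATILE_FS = {"tmpfs", "ramfs"}
# Assumed list of kernel pseudo-filesystems: always rw, hold no persistent user data.
PSEUDO_FS = {"proc", "sysfs", "devtmpfs", "devpts", "cgroup", "cgroup2", "securityfs",
             "debugfs", "tracefs", "mqueue", "bpf", "configfs", "pstore", "binfmt_misc",
             "fusectl", "hugetlbfs"}


def _unescape(field: str) -> str:
    """/proc/mounts writes space, tab, newline and backslash as octal escapes (\\040...)."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and len(field) >= i + 4 and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str):
    """Return (source, target, fstype, options-set) for each /proc/mounts line."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append((parts[0], _unescape(parts[1]), parts[2], set(parts[3].split(","))))
    return mounts


def audit_readonly(mounts_text: str, required_volatile=("/tmp", "/var/log", "/home")):
    """Return a list of findings; an empty list means the layout matches a read-only
    thin client: '/' is ro, every rw mount is volatile or pseudo, and the usual
    scratch paths are dedicated tmpfs mounts."""
    findings = []
    mounts = parse_mounts(mounts_text)
    by_target = {t: (s, f, o) for s, t, f, o in mounts}

    root = by_target.get("/")
    if root is None:
        findings.append("no root filesystem entry found")
    elif "ro" not in root[2]:
        findings.append(f"/ is mounted rw on {root[0]} ({root[1]}); expected ro")

    for src, target, fstype, opts in mounts:
        if target == "/" or "rw" not in opts:
            continue
        if fstype == "efivarfs":
            # Writable UEFI variables let root change boot order from inside the OS.
            findings.append("efivarfs is rw: UEFI variables can be altered from the OS")
        elif fstype not in VOLATILE_FS and fstype not in PSEUDO_FS:
            findings.append(f"persistent writable mount: {target} on {src} ({fstype})")

    for path in required_volatile:
        ent = by_target.get(path)
        if ent is None or ent[1] not in VOLATILE_FS:
            findings.append(f"{path} is not a dedicated tmpfs/ramfs mount: either unwritable "
                            "(breaking the session) or backed by persistent storage")
    return findings


# Constructed sample: a compliant read-only image.
GOOD = """\
/dev/sda1 / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=1990000k,nr_inodes=497500,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
tmpfs /home tmpfs rw,nosuid,nodev 0 0
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed sample: a "thin client" that is not actually read-only.
BAD = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /media/usb\\040stick vfat rw,nosuid,nodev 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    text = open("/proc/mounts").read() if os.path.exists("/proc/mounts") else BAD
    for finding in audit_readonly(text) or ["no findings: image looks read-only"]:
        print(finding)
```

Run it on the device itself (it reads the live `/proc/mounts`) or feed it a captured mount table from a fleet inventory job; any non-empty result is a path where a user or an attacker could leave something behind across reboots.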

How do you provide employees with an endpoint running a read-only Thin Client OS if your company has a BYOD policy?

One option is to give them a bootable USB drive containing a read-only Thin Client OS. Booting from the USB temporarily turns the device into a thin client; removing the USB and rebooting brings back the original OS, as shown below.

Temporarily change the OS of your PC to ZeeOS

4. Disable local endpoint configuration for the end user

Thin clients have the further advantage that they can be locked down for the user. In the ideal scenario, endpoints are configured only through the remote management tool that comes with the Thin Client. Too many thin client vendors allow local configuration or, worse, local authentication on the thin client, which defeats the purpose of a thin client: having no data stored locally. The desired configuration should be set by the administrator only and pushed to the endpoints. We have written a dedicated blog post on why you shouldn't give your end users local endpoint configuration.

5. Implement MFA and a strong password policy

Define a password policy that rejects weak passwords such as qwertyuiop, 1234 or a date of birth. Length matters more than forced complexity: encourage long passphrases, screen new passwords against lists of common and breached passwords, and reject anything containing the user's name or birth date. Current guidance (NIST SP 800-63B) advises against forcing periodic changes, which push users toward predictable variations; instead, require a change whenever a password is suspected to have been compromised.
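As an added example of such a policy check (not ZeeTim's code), the function below applies the length-plus-blocklist approach: minimum length, a blocklist of common passwords including trivial variations, user attributes the password must not contain, and keyboard-row walks like qwertyuiop. The blocklist here is a tiny constructed stand-in; in production it should be a large breached-password corpus. The minimum length of 12 is an assumed policy value.

```python
# Added example (not ZeeTim's code): length-plus-blocklist password policy check.
# BLOCKLIST is a constructed stand-in for a real breached-password list.
import re
import unicodedata

MIN_LENGTH = 12  # assumed policy value; NIST SP 800-63B requires at least 8
BLOCKLIST = {"password", "qwertyuiop", "123456", "1234", "letmein", "welcome1", "iloveyou"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _walks_keyboard(pw: str, run: int = 5) -> bool:
    """True if the password contains a run of consecutive keyboard-row characters."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in pw or seq[::-1] in pw:
                return True
    return False


def check_password(pw: str, username: str = "", birthdate: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    pw = unicodedata.normalize("NFKC", pw)   # same rule for visually identical input
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # "Password1!" is not meaningfully better than "password": strip trailing filler.
    stripped = low.rstrip("0123456789!@#$")
    if low in BLOCKLIST or stripped in BLOCKLIST:
        problems.append("appears in the password blocklist (with or without trailing digits/symbols)")
    if len(username) >= 3 and username.lower() in low:
        problems.append("contains the username")
    digits = re.sub(r"\D", "", birthdate)
    if digits and any(len(d) >= 4 and d in pw for d in (digits, digits[:4], digits[-4:])):
        problems.append("contains the date of birth")
    if _walks_keyboard(low):
        problems.append("contains a keyboard-row sequence")
    if pw and len(set(low)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("qwertyuiop", "Password123!", "Alice19900512!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate, 'alice', '1990-05-12') or 'ok'}")
```

The checks run on the normalized, lower-cased password, so the user is free to add case and symbols but cannot satisfy the policy with them alone; a deliberately long passphrase passes without any composition rule.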

You can also use a password vault such as ZeeKey, which stores credentials and fills them in automatically for each account, so the end user never has to know them. These credentials are not stored in any cloud or on any server; they are saved locally on a fully encrypted USB device that can be revoked at any time, like a credit card.

Additionally, enable multi-factor authentication (MFA) to add another layer of security. MFA solutions such as ZeeOTP typically offer several ways to authenticate (push notifications, one-time passwords, smart cards, etc.). Where possible, prefer phishing-resistant factors such as smart cards or hardware keys over codes that a user can be tricked into typing into a fake login page.

6. Pay special attention to your temporary workers

Pay special attention to the security policies applied to temporary workers, because they:

  • are not familiar with your company's security practices, and their short stay makes it hard to train them;
  • are more likely than regular employees to use their own devices;
  • may have access to sensitive data while not being fully part of the company.

ZeeTransformer comes in handy here: it temporarily converts a personal device into a standardized endpoint that accesses the company's virtual workspace securely. The user just has to plug in and boot from the USB containing ZeeOS when starting work and unplug it when the work is done. The endpoint acts as a Thin Client for as long as the USB is inserted.

In addition, if you do not want to hand credentials to temporary workers, ZeeKey can help. You save the required credentials on ZeeKey; when the user wants to log in to an application, they plug in ZeeKey and the credentials are filled in automatically, without the user ever seeing them.

7. Implement Remote Browser Isolation (RBI)

Remote Browser Isolation (RBI) mitigates web-borne risks by running all browsing on a remote server, separate from the local device. The user interacts with a rendering of the website (a pixel stream or a sanitized DOM) rather than with the site's actual code, so an exploit served by a compromised website runs in the isolated server environment, not on the endpoint or the network. Note that RBI does not stop a user from typing credentials into a phishing page; that remains a job for MFA and training.

In addition to all the tips listed above, don’t forget the basics:

  1. Regularly update software and install security patches as soon as they are released.
  2. Monitor your infrastructure, both endpoints and network. Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) tools, many of which use machine-learning-based detection, can surface suspicious behaviour that signature-based tools miss.
  3. Educate employees about security best practices.

ZeeTim's mission from day one has been to provide a secure, easy-to-use, and easy-to-manage endpoint experience for accessing virtual workspaces. Endpoint security has always been at the core of our concerns. After 25 years of experience with a wide variety of clients, we are proud to have developed a full Thin Client, EUC-oriented solution called ZeeTerm, composed of:

In addition, we have also developed add-on solutions for virtual desktops, for specific needs:

By using ZeeTim's EUC-oriented solutions, you can address several endpoint security concerns at once: BYOD, remote endpoint management, malware and virus attacks, unauthorized access, etc. This lightens your IT team's workload and gives them some peace of mind about endpoint security.

Repurpose your endpoints today with our endpoint repurposing tool and test our solution by yourself. We provide 10 free licenses to repurpose your devices. Yours to keep, no commitment.