Most companies, however, didn’t extend this to its natural next step. Why do we trust our administrative users and software implicitly? Endpoints — whether laptops held by users, servers in the cloud, or embedded devices powering airport displays — are often heavily laden with remote administrator tools in the unified endpoint management (UEM) space. Asset management to inventory and track the contents of the devices. Mobile device managers to deploy software, configure policies and keys. Remote server administration tools (RSAT) to let authorized administrators log in (not to be confused with remote access trojans (RATs), which adversaries use to do the exact same thing). Even enterprise browsers to monitor employee access to the internet. Endpoint detection and response (EDR) to identify when someone has compromised the machine, often by compromising one of the other administrative tools on the device.
Imagine, instead, an endpoint that didn’t trust all these tools. It doesn’t permit remote administration, disallows remote login, and isn’t loaded down with a dozen different agents solving disparate security and IT tasks. Instead, it focuses on its one job: whether that’s enabling its user to safely interact with the internet, running an application server, or putting a display up on a kiosk. It doesn’t trust the employer’s ecosystem, except as a source of email and files, and only then just barely. It certainly doesn’t trust any other clients on the same network; to it, a Starbucks is just as secure as a corporate network — which is to say, not at all. It’s locked down from as many third parties as possible, and it auto-updates using vendor updates (let’s ignore, for a brief moment, the rare risk of auto-updating, highlighted by Crowdstrike’s incident).
In that world, the number of vendors in our ecosystem that can cause us really bad days drops significantly. We still rely on Apple, Microsoft, and Google for our endpoint operations, but those three are far more trustworthy around safety than the collection of IT and security software deployed across the modern enterprise. Instead of worrying about a few dozen vendors whose bad days can kneecap our economy, we’re down to three — three who’ve demonstrated a focus on safety that we sorely need (and that regulators could focus their safety attention on, instead of chasing CrowdStrike while missing all the other risky administrative toolkits out there).