By Bob Michaud, Q2 Chief Security Officer
Welcome to week three of National Cybersecurity Awareness Month. Because Q2 is a Cybersecurity Awareness Champion, every October I share weekly blog posts on cybersecurity. This year, I’ve been focusing on Q2’s zero-trust framework. Zero trust isn’t about a single technology or layer of security; instead, it’s a holistic approach to security that incorporates multiple principles and technologies.
In this blog, I’ll describe endpoint security and what it means to Q2’s zero-trust strategy.
First, to set the stage for this discussion, allow me a trip down memory lane. Back in high school, I was a defensive back on my school’s football team. I had some really good friends on the defensive line, and we’d get into friendly debates about who was more important: the defensive line or the defensive backs. I’d argue that a mistake by a defensive back could easily mean a touchdown for our opponents, but if a lineman made a mistake, we—the defensive backs—were still there to stop the other team. The linemen argued that, if they did their job well enough, the defensive backs would have nothing to stop—that we were redundant. The truth is, we were all human—and just kids at that—we weren’t perfect, and we needed each other. It took all of us together to successfully and consistently stop the opposing team.
Now let’s bring this discussion back to endpoint security. “Endpoint” refers to the user’s laptop, smartphone, or other device—and these endpoints are a critical component to Q2’s overall zero-trust strategy. Incorporating them augments the security posture of our production environments and extends protection all the way to our end-users’ devices.
Our endpoint security, just like all the members of a football team’s defense, handles both the first and last line of defense in our zero-trust strategy.
For the first line – All of our employee laptops are company-owned and drive-encrypted, with their disabled USB ports. We also equip each with Endpoint Detection and Remediation (EDR) software that uses an AI agent to detect ‘not normal’ behavior.
For the second line – Q2 uses a secure access gateway (proxy) to the internet and User Access Monitoring (UAM) to log end-user activity. Data Loss Prevention (DLP) is also part of our UAM software to keep files from leaving the endpoint.
As you can see, it’s a full team of defensive players. But how effective are they?
I recently asked our CIO, Lou Senko that exact question: “How do we ensure the endpoints are effective as both a first and last line of defense?” Lou explained that because endpoints are a critical part of this posture, we validate that the OS is being
patched, the various tools are active and checking in, and that software versions are up to date. We also do periodic monitoring to ensure laptops are secure by checking their encryption status and making sure their USB ports are disabled.
I also asked Lou what challenges Q2 has solved with our zero-trust endpoint deployments. He explained that as we have grown, so has our use of global workforces and third-party contractors, which has made it difficult for us to enforce the use of Q2-configured and -managed laptops. So now, we’ve deployed an Azure-based virtual desktop with the same controls that we enforce for our other endpoints. Now, the third-parties can log in using whatever device they have, with the virtual desktop as the starting point of access to Q2—and thus begins our first line of defense.
There are multiple additional security layers in this framework, but we will save those for later in the month. Suffice it to say that our endpoint posture helps Q2 significantly reduce the threats of data loss and ransomware while still providing convenient access for our employees and global workforce.
Join me next week as we discuss the next component of Q2’s zero-trust strategy—Secure Access Service Edge (SASE), which provides safe network management.
