End node problem
{{Other uses|Node (disambiguation){{!}}Node}}
The end node problem arises when individual computers are used for sensitive work and/or temporarily become part of a trusted, well-managed network/cloud and then are used for more risky activities and/or join untrusted networks. (Individual computers on the periphery of networks/clouds are called end nodes.) End nodes often are not managed to the trusted network‘s high computer security standards.{{cite web | url=https://www.lifewire.com/what-is-a-node-4155598 | title=What Is a Node in a Computer Network: Your computer and printer are both network nodes | date=12 December 2018 | accessdate=24 December 2018 | author= Tim Fisher}} End nodes often have weak/outdated software, weak security tools, excessive permissions, mis-configurations, questionable content and apps, and covert exploitations.{{cite web | url=https://www.netguru.co/blog/pros-cons-use-node.js-backend | title=Why to Use Node.js: Pros and Cons of Choosing Node.js for Back-end Development | date=23 March 2017 | accessdate=24 December 2018 | author= Natalia Chrzanowska}} Cross contamination and unauthorized release of data from within a computer system becomes the problem.
Within the vast cyber-ecosystem, these end nodes often attach transiently to one or more clouds/networks, some trustworthy and others not. A few examples: a corporate desktop browsing the Internet, a corporate laptop checking company webmail via a coffee shop's open Wi-Fi access point, a personal computer used to telecommute during the day and gaming at night, or app within a smartphone/tablet (or any of the previous use/device combinations). Even if fully updated and tightly locked down, these nodes may ferry malware from one network (e.g. a corrupted webpage or an infected email message) into another, sensitive network. Likewise, the end nodes may exfiltrate sensitive data (e.g. log keystrokes or screen-capture). Assuming the device is fully trustworthy, the end node must provide the means to properly authenticate the user. Other nodes may impersonate trusted computers, thus requiring device authentication. The device and user may be trusted but within an untrustworthy environment (as determined by inboard sensors' feedback). Collectively, these risks are called the end node problem. There are several remedies but all require instilling trust in the end node and conveying that trust to the network/cloud.
The cloud’s weakest link
Cloud computing may be characterized as a vast, seemingly endless, array of processing and storage that one can rent from his or her computer. Recent media attention {{When|date=February 2019}} has focused on the security within the cloud.{{cite web|title=How Secure Is Cloud Computing?|url=http://www.technologyreview.com/computing/23951/}} Many believe the real risk does not lie within a well monitored, 24-7-365 managed, full redundancy cloud host but in the many questionable computers that access the cloud.{{Cite web |url=http://www.nets-find.net/Meetings/S09Meeting/Talks/clark.ppt |title=Architecture from the top down |access-date=2014-01-07 |archive-date=2021-08-13 |archive-url=https://web.archive.org/web/20210813140541/http://www.nets-find.net/Meetings/S09Meeting/Talks/clark.ppt |url-status=dead }}{{cite web|title=VPN users: The weak link in network security?|url=http://www.builderau.com.au/strategy/businessmanagement/soa/VPN-users-The-weak-link-in-network-security-/0,339028271,320266862,00.htm|access-date=2010-02-06|archive-date=2009-05-11|archive-url=https://web.archive.org/web/20090511131913/http://www.builderau.com.au/strategy/businessmanagement/soa/VPN-users-The-weak-link-in-network-security-/0,339028271,320266862,00.htm|url-status=dead}} Many such clouds are FISMA-certified whereas the end nodes connecting to them rarely are configured to any standard.{{Citation needed|date=January 2013}}
Ever growing risk
From 2005 to 2009, the greatest and growing threats to personal and corporate data derived from exploits of users' personal computers. Organized cyber-criminals have found it more profitable to internally exploit the many weak personal and work computers than to attack through heavily fortified perimeters.{{Cite web|url=http://www.verizonbusiness.com/resources/security/databreachreport.pdf|title = Business Insights and Resources}} One common example is stealing small business's online banking account access.{{cite news| url=http://content.usatoday.com/communities/technologylive/post/2010/03/cyberthieves-stealing--from-large-percentage-of-small-businesses/1 | work=USA Today | title=Cyberthieves stealing from large percentage of small businesses | date=9 March 2010}}
Solutions
To eliminate the end node problem, only allow authenticated users on trusted remote computers in safe environments to connect to your network/cloud. There are many ways to accomplish this with existing technology, each with different levels of trust.
Many companies issue typical laptops and only allow those specific computers to remotely connect. For example, the US Department of Defense only allows its remote computers to connect via VPN to its network (no direct Internet browsing) and uses two-factor authentication.{{cite web|title=Fort Sill Virtual Private Network (VPN) Policy|url=https://sill-www.army.mil/dhr/Admin_Svcs_Div/FS_Pubs/Regs/25-71.htm|access-date=2010-02-06|archive-date=2011-06-17|archive-url=https://web.archive.org/web/20110617013457/http://sill-www.army.mil/dhr/Admin_Svcs_Div/FS_Pubs/Regs/25-71.htm|url-status=live}} Some organizations use server-side tools to scan and/or validate the end node's computer{{Citation needed|date=January 2013}}, such as communicating with the node's Trusted Platform Module (TPM).
A far higher level of trust can be obtained by issuing an [http://spi.dod.mil/docs/SEN_SKG_DS_20081024.doc immutable, tamper-resistant client]{{Dead link|date=March 2024 |bot=InternetArchiveBot |fix-attempted=yes }} with no local storage, allowing it to connect only after device and user authentication, remotely providing the OS and software (via PXE or Etherboot), and then only providing remote desktop or browser access to sensitive data.
A less expensive approach is to trust any hardware (corporate, government, personal, or public) but provide a known kernel and software and require strong authentication of the user. For example, the DoD’s Software Protection Initiative[http://spi.dod.mil DoD Software Protection Initiative] {{webarchive|url=https://web.archive.org/web/20100513172649/http://spi.dod.mil/ |date=2010-05-13 }} offers Lightweight Portable Security, a LiveCD that boots only in RAM creating a pristine, non-persistent, end node while using Common Access Card software for authentication into DoD networks.