Defining Endpoint Technologies
Not so Fast: There's More to it Than Meets the Eye
By Roger L. Kay
When I founded my company, I was looking for a name that would reflect my years of experience
in PC hardware, but allow for some growth into adjacent areas, particularly other types of client
devices.  My first thought was to call it Personal Technologies Associates, a derivative of the name
of the group I had previously run at IDC, a large market intelligence firm.  The "technologies" idea
was clear: make it plural.  If I had only one technology, people would think I was flogging a patent.  
"Associates" was also easy: more than one person says that I'm in the consulting biz, and I did
start with one associate, Fred, my sales guy.

But "personal" was problematic.  Internet search engines might associate me with nefarious
businesses engaged in the manufacture of what are sometimes known in polite circles as
"marital aids."  So, I began casting about for another term that would convey some of the original
thought without the more stimulating overtones.

At IDC, my title had been Vice President of Client Computing.  The term "client" was meant to draw
together two worlds that were thought of as totally separate: desktops and notebooks.  In my
mind, their similarities of architecture and function justified thinking about them in the same
breath, despite the mutually suspicious encampments on both sides.  Most PC hardware vendors
and their suppliers had distinct groups serving the two "form factors," as we call them, the
physical embodiments of PC architecture.  Desktops were stationary clients, while notebooks
represented the mobile version.

I spent years trying to educate people on this meaning of the term client.  A client is not a server.  It
is that thing attached to the far end of the network.  The problem there was that outside the context
of the term "client/server," client sounded more like "customer."  Making matters worse, any
highfalutin consulting company worth its salt doesn't have customers; it has clients.  So, Client
Technologies Associates was out.

Security to the Rescue

I was reading a text in the security literature when I came across the term "endpoint."  Endpoint is
a great word.  It's real English, and it means pretty much what I wanted it to mean: that thing at the
other end of the network.  The Merriam-Webster online dictionary calls it a noun (but it can function
pretty well as an adjective) with two basic meanings:



So, upon finding that company and domain names were available for Endpoint Technologies
Associates, I was off and running.  If you peruse my Home Page (www.ndpta.com), you'll see that I
defined it right up front: an endpoint device is at or near the edge of the network, has a single user,
and some sort of human interface.  Pretty simple, right?  Includes PCs, handhelds, converged
phones, MP3 players, point-of-sale devices, ATM machines, kiosks, portable media players, video
game machines, you name it.  A world of opportunity.

However, what I didn't take into sufficient consideration was that the source of the term Endpoint,
the security business, also had a claim on the term.  When my good friend and client (er,
customer) Al Sisto, CEO of Phoenix Technologies — which has been migrating from BIOS
supplier to provider of security technology below the operating-system level — called me to talk
about endpoints, he was able to point out exceptions to virtually every one of my rules about what
makes an endpoint.   He suggested using a new schema that takes as a point of departure the
idea that every client has an Internet Protocol (IP) address.

Existing Definition

The existing definition has four elements: single user, has interface, at or near the edge of the
network, and quacks like a duck.

Single User. There is a whole class of devices, notably blade PCs or blade clients, that map a
remote user — who has a small desktop "sub-client" — to a full PC in a rack located in the IT
department.  Companies that offer blade clients include ClearCube, HP, and IBM.  When a user
logs on, he or she is assigned, in some schemes, to his or her blade, or, in others, to a blade of
the right type (e.g., a sales person's blade).  These PCs may not be personal, in the traditional
sense, in that you may get a different blade on a different day.  

Things begin to get more complicated when the blades are swung over to a new group of users
(say, in transferring the entire help desk from South Dakota to Bangalore at a certain time of day).  
Still, these devices can be called clients or endpoints if the definition allows for multiple users
serially.  It's only one user at a time, so things work out.  However, in this era of virtual resources,
the real leverage for these systems comes when thinly used blades are assigned to multiple
users of a particular class at a time (e.g., four sales people share one blade because all they're
doing is email and filing reports).  Now, we've got to ask the question, has our blade become a
server?

Has Interface.  A client or endpoint may be known by the fact that people use it.  Look for screens,
speakers, keyboards, dials, knobs, switches, buttons, things that can be used by people to
interact with the machine.  Yes, servers also have screens and keyboards sometimes, but these
interfaces can be seen as administrative.  The server's main business is with other machines,
whether clients or other servers.  Works pretty well, right?  Wrong.  

In chatting with Kip White of the U.S. Department of Interior's Bureau of Reclamation, I learned that
there are many devices, clients at the end of an Internet connection, that actuate sluice controls in
water-control projects.  Although in this post-9/11 world he wouldn't say which dams actually use
this system, major projects like the Hoover Dam are actually run remotely.  Someone or an
algorithm decides that it's time to flood downstream, and a computer command travels over
TCP/IP to an endpoint that controls a lever, and the gate is lifted.  IP address, but no human
interface.  Many smaller irrigation projects have similar controls, as do some industrial processes.

At Network Edge.  Well, this one may not be so hard.  If we accept Al's "has IP address" definition,
then we can make a clean divide between what is and is not an endpoint.  My previous definition
depended on the weasel wording "at or near the edge of the network."  In this new version, the
network is defined as the IP network, and anything further out on the periphery, despite being
connected by a path that carries electrons, can be thought of as a peripheral.

Quacks like a Duck.  This is a general category that allows for some flexibility.  It is used in the
following manner: "All this definition stuff be stuffed!  I know what an endpoint is when I see it!"  In
other words, if it has a client operating system and client applications, despite outward
appearances, it's probably an endpoint.

New Definitions

So here we go again, redefining endpoint.  

Endpoint Device.  An endpoint device lives at the edge of a TCP/IP network, is usually operated
by a single user, and often has a human interface.  Simple, right?

Endpoint Peripheral.  An endpoint peripheral is a sub-client device connected to an endpoint,
usually via a connection that is not TCP/IP.  It can include some types of thin clients, traditional
peripherals such as mice, keyboards, and some printers, but not IP-connected thin clients and
printers, which are endpoints themselves.  It can also include media players and other devices
dependent on a PC endpoint.

Endpoint Security.  Now, down to Al's pet subject, and the reason for all this fiddlefaddle in the
first place.  Endpoint security is the set of hardware, software, and procedures associated with
protecting the network from harm when an endpoint accesses network services.  Endpoint
security also covers access to the endpoint device itself, sometimes known as "authentication."  

The key aspect of endpoint security is that it involves both the device and the user.  Endpoint
security, as promoted by the Trusted Computing Group, an industry association working on
security standards, requires that the user be verified as being who he or she says he or she is,
that is, by way of a password (something he or she knows), a biometric measurement
(something he or she is), or a token (something he or she has).  In addition, the device must be
authenticated (i.e., through a comparison of some metrics unique to that system against a known
record).  Finally, the state or health of the device must be determined before it can be let onto
the privileged network.  For example, if a virus definition file is out of date, depending on policy,
access is disallowed, the requesting system is shunted to a restricted area for remediation (e.g.,
getting that virus definition file topped off), or the machine is let on anyway.
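As an added illustration (not code from this article, from Phoenix Technologies, or from the Trusted Computing Group), here is a toy admission check in Python that walks the three steps in the order the paragraph gives them: verify the user, verify the device, then consult the device's health against policy.  The user record, the device metrics, the dates and the policy are all constructed for the example; a real deployment would take the device metrics from a hardware root of trust and the definition date from the scanner itself.

```python
"""Added example: a toy network-admission decision covering the three checks
the article describes (user, device, device state).  All data is constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored record is not the secret ("something he or she knows")."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def device_fingerprint(metrics: dict) -> str:
    """Fold the per-system metrics into one value for the device check.
    Keys are sorted so the same metrics always give the same fingerprint."""
    canonical = "\n".join(f"{k}={metrics[k]}" for k in sorted(metrics))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Policy:
    max_definition_age_days: int   # how stale the virus definition file may be
    on_stale_definitions: str      # "deny", "quarantine" or "allow"


@dataclass(frozen=True)
class Enrollment:
    salt: bytes
    password_hash: bytes
    device_fingerprint: str


def admission_decision(user: str, password: str, metrics: dict,
                       definitions_date: date, today: date,
                       policy: Policy, directory: dict) -> str:
    """Return 'allow', 'quarantine' or 'deny' for one access request.

    Identity of the user and of the device is settled before health is
    consulted, so a stale scanner on an unknown machine is denied outright
    rather than sent to a remediation network it has no business reaching."""
    if policy.on_stale_definitions not in ("deny", "quarantine", "allow"):
        raise ValueError(f"unknown policy action {policy.on_stale_definitions!r}")
    record = directory.get(user)
    if record is None:
        return "deny"
    # 1. user: something he or she knows (constant-time compare to avoid timing leaks)
    if not hmac.compare_digest(hash_password(password, record.salt), record.password_hash):
        return "deny"
    # 2. device: metrics unique to that system, compared against the enrolled record
    if not hmac.compare_digest(device_fingerprint(metrics), record.device_fingerprint):
        return "deny"
    # 3. device state: is the virus definition file current enough for this policy?
    if today - definitions_date > timedelta(days=policy.max_definition_age_days):
        return policy.on_stale_definitions
    return "allow"


# ---- constructed sample data: hypothetical user, device, dates and policy ----
SALT = b"constructed-salt"
LAPTOP_METRICS = {"tpm_ek_hash": "ab12cd34", "bios_version": "2.04", "mac": "00:11:22:33:44:55"}
DIRECTORY = {
    "alice": Enrollment(SALT, hash_password("correct horse", SALT),
                        device_fingerprint(LAPTOP_METRICS)),
}
QUARANTINE_ON_STALE = Policy(max_definition_age_days=7, on_stale_definitions="quarantine")
TODAY = date(2007, 6, 1)
FRESH_DATE = TODAY - timedelta(days=1)
STALE_DATE = TODAY - timedelta(days=30)


def demo() -> dict:
    """Run the four cases a practitioner would want to see side by side."""
    other_machine = {**LAPTOP_METRICS, "mac": "66:77:88:99:aa:bb"}
    return {
        "known_user_known_device_fresh": admission_decision(
            "alice", "correct horse", LAPTOP_METRICS, FRESH_DATE, TODAY, QUARANTINE_ON_STALE, DIRECTORY),
        "known_user_known_device_stale": admission_decision(
            "alice", "correct horse", LAPTOP_METRICS, STALE_DATE, TODAY, QUARANTINE_ON_STALE, DIRECTORY),
        "wrong_password": admission_decision(
            "alice", "wrong", LAPTOP_METRICS, FRESH_DATE, TODAY, QUARANTINE_ON_STALE, DIRECTORY),
        "unknown_device": admission_decision(
            "alice", "correct horse", other_machine, FRESH_DATE, TODAY, QUARANTINE_ON_STALE, DIRECTORY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The ordering is the point worth noticing: health is only evaluated for a request that has already passed the user and device checks, and the stale-definitions outcome is whatever the policy object says, so swapping `"quarantine"` for `"deny"` or `"allow"` changes the verdict without touching the decision logic.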

Thus, endpoint security is concerned with verifying the user, the device, and the device state so as
to protect the network.  Endpoint security will become progressively more important as more value
and more people migrate toward the Internet.  In order for eCommerce to work, people and
assets need to be protected, and all participants need to have confidence that the system works.

Conclusion

The reason that I felt it necessary to define endpoint with greater precision is that understanding
the nature of the perimeter and the relationship between perimeter elements and the center is
going to become increasingly important to defending the growing value of Internet traffic.  It is
highly conceivable that in the not-too-distant future, endpoints will be required to authenticate for
any transaction, and IT managers as well as individuals using Internet services will want to know
where the edge of the network really is.  An endpoint will be the locus of trust certification.  
Inasmuch as endpoint peripherals need to be taken into account, they will be part of the endpoint
profile (i.e., a query might ask whether an endpoint has an MP3 player attached to it, but the
presence of the player will be registered in the endpoint itself).

As form factors proliferate, the array of client devices that users will be able to choose from will
become nearly bewildering.  But all of these devices will be endpoints that can be tested for
security, whether or not client-like peripherals are hanging off of them.
© 2007 Endpoint Technologies Associates, Inc. All rights reserved.