Types of Endpoints: Devices, Systems, and Assets Requiring Protection
Endpoints represent every device, system, or asset that connects to a network and can be exploited as an entry point for unauthorized access, data exfiltration, or operational disruption. The scope of what qualifies as an endpoint has expanded significantly beyond traditional desktop computers to encompass mobile devices, cloud workloads, operational technology, and internet-connected sensors. Understanding the classification of endpoints is foundational to deploying appropriate controls, meeting compliance obligations, and accurately scoping organizational attack surfaces. This reference describes the major endpoint categories, how protection mechanisms apply across them, and the decision criteria used to assign coverage tiers.
Definition and Scope
An endpoint, as used in cybersecurity frameworks, is any device or logical system that terminates a communication channel with a network — whether that network is an enterprise LAN, a cloud environment, or an industrial control system. NIST SP 800-190 extends this concept to container instances and virtual machines, while NIST SP 800-124 specifically addresses mobile devices as a distinct endpoint class requiring separate management policies.
Regulatory frameworks further shape the scope. Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (45 CFR §164.312), covered entities must implement controls on workstations and electronic media — both qualifying as endpoints. The Federal Information Security Modernization Act (FISMA), administered by NIST and the Cybersecurity and Infrastructure Security Agency (CISA), requires federal agencies to inventory and protect all information system components, including endpoints, under NIST SP 800-53.
The full endpoint taxonomy recognized by security architects includes:
- User endpoints — desktops, laptops, and workstations running general-purpose operating systems
- Mobile endpoints — smartphones, tablets, and ruggedized handhelds
- Servers — physical and virtual machines hosting applications, databases, and services
- Cloud workloads — virtual machines, containers, and serverless functions in IaaS/PaaS environments
- Operational technology (OT) and industrial control systems — programmable logic controllers (PLCs), SCADA terminals, and human-machine interfaces (HMIs)
- IoT and embedded devices — sensors, cameras, building automation controllers, and medical devices
- Network infrastructure devices — routers, switches, and firewalls when acting as managed endpoints
- Virtual desktops and thin clients — persistent or non-persistent desktop images in VDI environments
For a structured overview of how these categories fit into the broader protection model, see Endpoint Security Defined.
How It Works
Protection mechanisms differ substantially across endpoint types, reflecting differences in operating system support, update cadence, network connectivity, and processing capacity.
User and server endpoints support full agent-based security stacks — including endpoint detection and response (EDR), antivirus engines, host-based firewalls, and data loss prevention clients. These devices run standard operating systems (Windows, macOS, Linux) with defined patch cycles. Windows Endpoint Security and Mac and Linux Endpoint Security address platform-specific control differences.
Mobile endpoints are governed through mobile device management (MDM) or unified endpoint management (UEM) platforms. NIST SP 800-124 Rev. 2 defines a three-phase deployment model: device enrollment, configuration enforcement, and ongoing monitoring. Agent-based EDR is supported on iOS and Android in enterprise configurations, though with reduced telemetry depth compared to desktop agents.
Cloud workloads shift the protection model toward cloud workload protection platforms (CWPPs), which apply runtime monitoring to containers and VMs. Cloud Workload Endpoint Security details the divergence from traditional endpoint protection platforms.
OT and ICS endpoints often cannot run software agents due to real-time processing constraints, legacy operating systems, and vendor certification requirements. Protection in these environments relies on network-level monitoring, asset inventory, and compensating controls. CISA's ICS-CERT advisories and the ISA/IEC 62443 standard govern security requirements for these assets. The Operational Technology Endpoint Security reference covers this sector in detail.
IoT devices present the narrowest security surface for agent deployment. Devices frequently run embedded firmware with no general-purpose OS, making network segmentation and firmware integrity verification the primary controls. IoT Endpoint Security addresses discovery, segmentation, and monitoring approaches specific to this class.
Common Scenarios
Endpoint type determines how an organization responds to incidents and which compliance frameworks apply:
- A healthcare provider managing 400 clinical workstations must satisfy HIPAA workstation security controls under 45 CFR §164.310(b) while also managing medical IoT devices — two distinct endpoint classes with different control requirements. See Endpoint Security for Healthcare.
- A federal contractor operating under CMMC Level 2 must inventory and protect all endpoints that process Controlled Unclassified Information (CUI), including remote work devices and any cloud workloads — per NIST SP 800-171.
- An energy utility subject to NERC CIP standards must separately classify IT endpoints (office systems) from OT endpoints (SCADA terminals) and apply different baseline security requirements to each. See Endpoint Security for Critical Infrastructure.
- A financial services firm regulated under the SEC's Regulation S-P and the FFIEC Cybersecurity Assessment Tool must maintain endpoint controls across trading workstations, mobile banking systems, and third-party vendor access points. See Endpoint Security for Financial Services.
Decision Boundaries
Classifying an asset as a specific endpoint type determines the applicable control framework, the toolset deployed, and the compliance audit trail required. Three primary decision axes apply:
Operating system support: Assets running a supported general-purpose OS (Windows, macOS, Linux) qualify for full-agent deployment. Assets running embedded firmware, real-time OS (RTOS), or vendor-locked systems require agentless or network-based controls.
Network connectivity model: Always-on, LAN-connected endpoints support continuous telemetry to a security operations center. Intermittently connected endpoints (remote laptops, field devices) require offline protection modes and store-and-forward telemetry. Remote Work Endpoint Security and BYOD Endpoint Security Policy address connectivity-driven policy divergence.
Regulatory classification: Endpoints that store, process, or transmit regulated data (PHI, CUI, PCI cardholder data) require controls mapped to the governing standard. Endpoints with no regulated data still require baseline controls under frameworks such as CIS Controls v8 (CIS Benchmarks for Endpoints) or NIST SP 800-53 for federal systems.
The intersection of these three axes produces the control tier assigned to each asset class, which in turn drives procurement decisions, monitoring depth, and incident response procedures. The Endpoint Threat Landscape reference provides context on how threat actors target specific endpoint categories based on these same classification factors.
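As an added illustration that is not part of this reference, the following Python sketch applies the three decision axes above (and the full-agent versus agentless split described under How It Works) to constructed sample assets and derives the resulting control tier. The numeric tier scale, the class and field names, and the mapping of "PCI cardholder data" to PCI DSS are assumptions made for the example; the page itself defines none of them.

```python
from dataclasses import dataclass
from enum import Enum

class OsSupport(Enum):
    GENERAL_PURPOSE = "general-purpose"  # Windows, macOS, Linux: full agent stack possible
    EMBEDDED = "embedded"                # firmware, RTOS, vendor-locked: agentless only

class Connectivity(Enum):
    ALWAYS_ON = "always-on"        # LAN-connected, continuous telemetry to the SOC
    INTERMITTENT = "intermittent"  # remote laptops, field devices

# Regulated-data classes named on the page and the standard each one maps to.
# (The PCI -> PCI DSS entry is an assumption; the page names only "PCI cardholder data".)
GOVERNING_STANDARD = {"PHI": "HIPAA Security Rule", "CUI": "NIST SP 800-171", "PCI": "PCI DSS"}

@dataclass(frozen=True)
class Asset:
    name: str
    os_support: OsSupport
    connectivity: Connectivity
    regulated_data: frozenset = frozenset()  # subset of GOVERNING_STANDARD keys; empty = none
    federal_system: bool = False             # selects NIST SP 800-53 instead of CIS Controls v8

@dataclass(frozen=True)
class ControlTier:
    tier: int          # constructed 1..4 scale, see classify()
    agent_mode: str
    telemetry: str
    frameworks: tuple

def classify(asset: Asset) -> ControlTier:
    # Axis 1: OS support decides agent-based versus agentless protection.
    full_agent = asset.os_support is OsSupport.GENERAL_PURPOSE
    agent_mode = ("full-agent: EDR, antivirus, host firewall, DLP" if full_agent
                  else "agentless: network monitoring, asset inventory, compensating controls")
    # Axis 2: connectivity decides how telemetry reaches the SOC.
    always_on = asset.connectivity is Connectivity.ALWAYS_ON
    telemetry = "continuous" if always_on else "offline protection + store-and-forward"
    # Axis 3: regulated data selects the governing standard; a baseline framework always applies.
    unknown = asset.regulated_data - set(GOVERNING_STANDARD)
    if unknown:  # refuse to classify rather than silently under-protect an asset
        raise ValueError(f"{asset.name}: unmapped data class(es) {sorted(unknown)}")
    baseline = "NIST SP 800-53" if asset.federal_system else "CIS Controls v8"
    frameworks = (baseline,) + tuple(GOVERNING_STANDARD[d] for d in sorted(asset.regulated_data))
    # Constructed tiering: start at 1 and step up once per axis that narrows the control options.
    tier = 1 + bool(asset.regulated_data) + (not full_agent) + (not always_on)
    return ControlTier(tier, agent_mode, telemetry, frameworks)
```

Feeding an asset inventory export through `classify` gives each record a tier, a toolset decision and a framework list that can be compared against what is actually deployed.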
References
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems
- NIST SP 800-124 Rev. 2 — Guidelines for Managing the Security of Mobile Devices
- NIST SP 800-171 Rev. 2 — Protecting CUI in Nonfederal Systems
- NIST SP 800-190 — Application Container Security Guide
- CISA ICS-CERT Advisories
- HIPAA Security Rule — 45 CFR §164.312, eCFR
- ISA/IEC 62443 Industrial Cybersecurity Standards — ISA