Implementing a mobile-centric zero trust security framework
How organisations can enable secure access to the enterprise in the era of mobile working.
There is no question that mobile has invaded the enterprise. Along with cloud services, mobile devices have transformed the modern working environment, providing huge gains to both employees and businesses alike. However, with these gains come challenges, and the biggest challenge is secure access to enterprise data from any device and application.
The adoption of cloud and the proliferation of mobile devices has dissolved the traditional network perimeter and introduced countless new threat vectors that traditional security measures are unable to protect against. In order to stay safe in the contemporary perimeter-less working environment, while maintaining high levels of employee productivity, businesses must reinvent their entire security architecture to centre on the technology and the way employees want to work.
The problem
A 2018 study looking into the state of enterprise mobility found that 75 per cent of IT decision makers said mobile devices are essential to their workflow, while also finding that 80% said their employees can’t do their jobs effectively without a mobile phone. At the same time, recent figures have revealed mobile working is the greatest security risk to enterprises. For instance, Verizon's recent Mobile Security Index found that 83 per cent of CIOs believed their organisation was under threat from mobile threats, while 68 per cent said they believed mobile threats had increased in the last year, and 58 per cent agreed that mobile threats are growing faster than any other threat vector.
As businesses support the wide spread use of mobile and cloud apps they realise the traditional perimeter security approach is no longer sufficient. Today’s modern enterprise needs a robust device security and access management approach - and this means implementing a mobile-centric zero-trust framework.
What is zero trust?
‘Zero Trust’ is a security concept based on the belief that bad actors are already operating inside your organisation, and as such a “never trust, always verify” approach is needed. You can no longer rely on traditional security perimeter approaches like firewall, networks and gateway’s because your traffic is no longer always inside the perimeter. The best zero trust solutions verify a wide range of signals including a known device, verifying the app and user, checking the status of the network and identifying and threats prior to granting access to the app and corporate data.
Why mobile-centric zero trust?
There are multiple approaches to zero trust, but the main ones are focused on identity, gateway and the device. However, as the tide of mobile and cloud continues to intensify, the limitations of gateway and identity-centric approaches become more apparent. For instance:
- Identity-centric approaches - provide limited visibility on device, app and threats, while also still relying on passwords; one of the main causes of a data breach.
- Gateway-centric approach - limited visibility on device, apps and threats, while also assuming that all enterprise traffic goes through the enterprise network when in reality 25 per cent of enterprise traffic doesn’t go through their network.
Only a mobile-centric zero trust approach addresses the security challenges of the perimeter-less modern enterprise while allowing the agility and anytime access that business needs. Mobile-centric zero trust seeks to verify more attributes than both these approaches before granting access. It validates the device, establishes user context, checks app authorisation, verifies the network, and detects and remediates threats before granting secure access to any device or user.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Implementing a mobile-centric zero trust approach
In order to build a secure mobile-centric zero trust approach there are four steps for enterprises to follow:
- Provision - The first step towards implementing a successful mobile-centric zero-trust approach is provision; that is to ensure that every user has a device ready with the appropriate apps, profiles and policies. In order to build a secure foundation for this to work you must enrol your devices in a unified endpoint management (UEM) solution, so IT can both protect the business data resident on the device and enforce context-driven access policies.
- Access - Access requirement must take everything into context, ensuring they verify the user, the posture of the device, check the app is authorised, verify the network type, check for threats, and a variety of other signals. This adaptive access control check is the basis of the zero-trust model.
- Enforce - Stringent security policies must be enforced, with ongoing monitoring to ensure that any change in signals will trigger adaptive policies to mitigate threats, quarantine devices, and maintain compliance.
- Protect - Deploy the appropriate security software to mitigate and remediate threats as and when they occur.
Ultimately, the aim of zero trust framework is to protect data across an increasingly fragmented information fabric. With modern work taking place in the cloud and on mobile-devices, it is essential that enterprises utilise a security framework that centres on the mobile. Implementing a mobile-centric zero trust framework will not just provide the right-level of security across all points of access, but will also provide the most seamless user experience, ensuring employee productivity is maintained.
Rhonda Shantz, Chief Marketing Officer, MobileIron
You might want to check out our picks for the best business VPN.