Zero Trust Network Access: Bringing trust to BYOD and remote work
Productivity and security can pull enterprises in different directions, especially in the age of remote work, when IT decisions are largely dictated by the needs of a dispersed workforce. Let’s not forget that remote work isn’t about an employee in a satellite office equipped with on-premise security infrastructure.
Remote work is about end users who work whenever, wherever, and from any device they choose. While this model has great productivity benefits, it puts IT and security teams on the back foot and forces them to protect business-critical data in more places than ever before.
The acceleration of remote work and BYOD
Predictions estimate that 73 percent of all departments will have remote workers by 2028, but recent public health events have accelerated this trend. COVID-19 has shown that there is no supply chain to get secured devices and secure connectivity deployed to end users overnight. Any organization that wasn’t already enabling BYOD or remote access to corporate resources immediately suffered productivity losses.
A recent Gartner survey revealed that 74 percent of CFOs and finance leaders plan to move part of their previously on-site workforce to permanently remote positions. Additionally, surveys reveal that 77 percent of employees use their personal phones when working, regardless of whether there is a BYOD policy or not.
It’s quite easy to come up with a list of scenarios in which remote workers might need to use personal devices to be productive:
- An HR manager may need to make changes to a personnel file from their personal laptop.
- A member of the DevOps team may need to configure the product platform from their home office.
- A salesperson may need to review customer details in the CRM from their phone on the way to a meeting.
In these scenarios, important systems can be exposed to any number of risks. For example, the device accessing the systems might be running an out-of-date and vulnerable operating system; it might have a dangerous app installed that is exfiltrating corporate data; or a man-in-the-middle attack on public Wi-Fi might expose sensitive data in transit.
How to trust previously untrusted devices
To enforce some form of security on remote workers, many organizations used a VPN as a remote access tool to connect endpoints to corporate services. However, this approach fails in two key ways. First, it does not mitigate any of the device, application or content risks described above. Second, many businesses increasingly use cloud apps instead of hosting applications on the corporate network, so a VPN into that network is not on the access path at all.
The more information that is known about an access request, the more informed the decision to allow the request can be. A modern approach is to use a Zero Trust Network Access (ZTNA) architecture to securely connect endpoints to enterprise applications. ZTNA uses adaptive access principles which go beyond simple user identification to incorporate various risk assessments into the decision flow when an endpoint requests access to a corporate resource.
Two of the most important factors in this decision are the user’s identity and the device’s health (or security status). Identity defines which corporate systems the user may access. Multi-factor authentication (MFA) and single sign-on (SSO) offer assurance that the user is who they claim to be. For device health, Mobile Threat Defense (MTD) services can monitor devices for vulnerabilities, from escalated privileges to outdated OSs, and perform ongoing app risk assessments to detect the installation of malware or unwanted applications. Other contextual elements, including location, time of the access request and device type, should also feed the decision on whether an access request is approved.
Adaptive access policies are a core part of a ZTNA architecture and of enabling secure access for your remote workers, regardless of which device they are working on.
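The decision flow just described, combining identity, device health and request context into one allow / step-up / deny outcome, is shown below as an added example. This is illustrative code written for this page, not Wandera’s product or any ZTNA vendor’s API; the resource catalogue, group names, minimum OS versions, allowed countries, business hours and the sample requests are all constructed assumptions, and the device-health fields stand in for what an MTD agent would report.

```python
"""Adaptive access policy evaluator (illustrative; not any vendor's code).

Combines the three signal groups the article names -- user identity, device
health and request context -- into a single allow / step-up / deny decision.
Resources, groups, thresholds and sample requests are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # group membership from the identity provider (SSO)
    mfa_verified: bool           # did SSO report a completed MFA in this session?
    device_type: str             # "managed_laptop", "byod_laptop" or "phone"
    os_version: tuple            # (major, minor) as reported by the device agent
    rooted_or_jailbroken: bool   # hypothetical MTD finding: escalated privileges
    flagged_apps: int            # hypothetical MTD finding: malicious/unwanted apps
    untrusted_network: bool      # e.g. public Wi-Fi without a secured tunnel
    country: str                 # country code of the request origin
    requested_at: datetime
    resource: str


# Hypothetical resource catalogue: who may access what, and how sensitive it is.
RESOURCES = {
    "hr-personnel-files": {"groups": {"hr"}, "sensitivity": "high"},
    "devops-platform": {"groups": {"devops"}, "sensitivity": "high"},
    "crm": {"groups": {"sales"}, "sensitivity": "medium"},
}
# Hypothetical minimum patched OS version per device class.
MIN_OS_VERSION = {"managed_laptop": (12, 0), "byod_laptop": (12, 0), "phone": (14, 0)}
ALLOWED_COUNTRIES = {"US", "GB", "DE"}   # constructed allow-list
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local time


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return the decision plus the reasons behind it (for the audit log)."""
    reasons: list[str] = []
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return Decision.DENY, ["unknown resource"]

    # 1. Identity: entitlement comes from group membership; MFA proves the user.
    if not (req.groups & policy["groups"]):
        return Decision.DENY, ["user not entitled to resource"]
    if not req.mfa_verified:
        reasons.append("MFA not completed in this session")

    # 2. Device health: hard failures deny outright, softer findings escalate.
    if req.rooted_or_jailbroken:
        return Decision.DENY, ["device reports escalated privileges"]
    if req.os_version < MIN_OS_VERSION.get(req.device_type, (0, 0)):
        return Decision.DENY, [f"OS {req.os_version} below minimum for {req.device_type}"]
    if req.flagged_apps > 0:
        if policy["sensitivity"] == "high":
            return Decision.DENY, [f"{req.flagged_apps} flagged app(s) on device"]
        reasons.append(f"{req.flagged_apps} flagged app(s) on device")

    # 3. Context: location, network and time of the request.
    if req.country not in ALLOWED_COUNTRIES:
        return Decision.DENY, [f"request from disallowed country {req.country}"]
    if req.untrusted_network:
        reasons.append("untrusted network")
    if policy["sensitivity"] == "high" and req.requested_at.hour not in BUSINESS_HOURS:
        reasons.append("high-sensitivity access outside business hours")

    return (Decision.STEP_UP if reasons else Decision.ALLOW), reasons


# Constructed sample requests mirroring the article's scenarios.
HR_FROM_PERSONAL_LAPTOP = AccessRequest(
    user="alice", groups=frozenset({"hr"}), mfa_verified=True,
    device_type="byod_laptop", os_version=(13, 1), rooted_or_jailbroken=False,
    flagged_apps=0, untrusted_network=False, country="US",
    requested_at=datetime(2024, 3, 4, 10, 15), resource="hr-personnel-files")
SALES_ON_PUBLIC_WIFI = AccessRequest(
    user="bob", groups=frozenset({"sales"}), mfa_verified=True,
    device_type="phone", os_version=(14, 2), rooted_or_jailbroken=False,
    flagged_apps=1, untrusted_network=True, country="GB",
    requested_at=datetime(2024, 3, 4, 8, 45), resource="crm")
DEVOPS_OUTDATED_PHONE = AccessRequest(
    user="carol", groups=frozenset({"devops"}), mfa_verified=True,
    device_type="phone", os_version=(13, 0), rooted_or_jailbroken=False,
    flagged_apps=0, untrusted_network=False, country="DE",
    requested_at=datetime(2024, 3, 4, 9, 0), resource="devops-platform")
SALES_USER_ASKING_FOR_HR_FILES = AccessRequest(
    user="bob", groups=frozenset({"sales"}), mfa_verified=True,
    device_type="managed_laptop", os_version=(13, 0), rooted_or_jailbroken=False,
    flagged_apps=0, untrusted_network=False, country="US",
    requested_at=datetime(2024, 3, 4, 9, 0), resource="hr-personnel-files")

if __name__ == "__main__":
    for r in (HR_FROM_PERSONAL_LAPTOP, SALES_ON_PUBLIC_WIFI,
              DEVOPS_OUTDATED_PHONE, SALES_USER_ASKING_FOR_HR_FILES):
        decision, why = evaluate(r)
        print(f"{r.user:>6} -> {r.resource:<20} {decision.value:8} {'; '.join(why)}")
```

The ordering is deliberate: identity checks run first because no device or context signal can compensate for a user who is not entitled to the resource, device-health findings that indicate compromise deny unconditionally, and only softer signals (a flagged app on a medium-sensitivity resource, an untrusted network, an off-hours request) escalate to a step-up challenge rather than a denial. Returning the reasons alongside the decision is what makes the policy auditable when a user disputes an outcome.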
Michael Covington is vice president of product at Wandera. He previously held leadership roles performing security research and overseeing product development at Intel Labs, Cisco Security and Juniper Networks. Dr. Covington is a hands-on innovator and has broad experience across the entire product life cycle, from planning R&D to executing on product strategy. With a diverse background as a seasoned computer science researcher, an IT professional, and an effective product manager, Michael has experienced technology from all sides, and enjoys bringing new innovations to market, specifically in the areas of security and privacy.