The concept of Zero Trust has received significant support from many security professionals over the last decade, but have we realized meaningful benefits from the strategy in the Fortune 500 space? Perhaps not fully, and that’s because Zero Trust is not so much a new tool or an application, or even a suite that can be easily deployed.
It's a methodology for approaching security architecture that introduces a unique way of handling nearly every aspect of business operations. It starts with a mindset change that forces every enterprise activity to be re-examined through a Zero Trust lens, and the benefits are multi-fold.
Zero Trust and the New Normal
Due to the impact of the COVID-19 crisis, many enterprises have been forced to shift operations to support a workforce that is far more mobile and distributed than ever before. Think of the last time that your enterprise opened a new corporate office: how much planning and prep was involved? How many RFPs were issued and evaluated? How many security considerations were required to do it effectively? How much time did it all take? Now compare that effort to how swiftly the shift to work-from-home (WFH) needed to happen due to COVID-19 and it is clear how many security holes and communications nightmares had to be overcome in short order.
While the emergency mechanisms forced in place by enterprises in response to COVID-19 may begin to meaningfully dissipate over the coming months, more widespread telecommuting as the “new normal” is likely here to stay. It may not remain at the unusually elevated levels seen during the height of the pandemic, but it will almost assuredly be far beyond the occasional level that was previously the norm. The measurable increase in efficiency and productivity, along with increased job satisfaction and cost-savings, may prove to be significant motivators for many organizations.
This shift to a more permanent remote workforce forces enterprises to get serious about what once was an edge case that has now become a primary use case. How do CISOs secure so many new endpoints outside the corporate firewall? How do they effectively manage security policy across a blend of corporate and BYO devices? How can they assure security while not creating obstacles to worker productivity and the continuity of critical business functions?
Given the shift to remote work was so immediate due to COVID-19, most enterprises have typically taken one of two paths: path one is that they cut off access to the network and sensitive data until proper security controls could be put in place. Path two is that enterprises relaxed security controls significantly in order to guarantee that everyone who needed access to the network and data had it as soon as possible. Path two was pragmatic and likely far more common given the need for business continuity, and path one was the only option if an enterprise was focused on security over all else.
Zero Trust requires that no device or user is automatically trusted, including users inside the network perimeter. Every user, device and network is assumed to be hostile. With a Zero Trust approach, no user can access anything until they prove who they are and that they are authorized. But this approach can conflict with the experience users desire – instant access to resources – and that conflict was only amplified by the rapid shift to remote work.
It also creates friction for security teams who were suddenly faced with a new set of potential risk factors. Managing devices that your enterprise owns is relatively easy, but how does your system deal with unmanaged devices? For example, security teams may never have had to worry about detecting rooted or jailbroken phones trying to connect to the network, or needed to be able to wipe sensitive enterprise data from an employee-owned device. Should cut-and-paste functionality be blocked? What about printing, or options that allow documents to be saved as a PDF locally? These are just a few examples of the challenges.
With this in mind, the following are some specific attributes an organization should look for in a solution to facilitate a Zero Trust approach for the enterprise:
Endpoint protection may seem obvious, but the term means something different today than just a few years ago. The argument that the security perimeter no longer exists for enterprises is not quite true. It's more accurate to say that the perimeter has become far more amorphous and distributed, which means it's more difficult to pinpoint every specific endpoint that needs to be protected.
For most organizations, mobile device management capabilities are still playing catch-up with regard to BYO, and the massive increase in mobile access following COVID-19 telecommuting further complicates the challenges. One could argue that enterprise endpoints today have become so numerous that standard perimeter defenses no longer make much sense.
An AI-based endpoint security solution that offers a range of automated responses can scale rapidly to address the expanding perimeter. Combined with an AI-enabled Endpoint Detection and Response (EDR) capability, the reduction in risk for organizations will significantly move them towards the goal of a robust Zero Trust architecture.
Alternative to VPN
According to a recent study, Advanced Persistent Threat (APT) actors continue to focus on attacking VPNs in order to gain a foothold on the networks of targeted organizations. The unfortunate reality is that VPNs are not as secure as most organizations and individuals believe they are. In fact, a variety of studies report numerous security flaws within VPNs that make an organization and its remote workforce vulnerable to cyberattacks.
While VPNs are a convenient and easy way for employees to connect to their organization’s IT network, the drawbacks and limitations of this technology are quickly becoming more apparent as demand and usage skyrocket out of necessity.
Organizations implementing Zero Trust should consider more reliable alternatives, such as using a secure web gateway. A secure web gateway is a viable alternative to VPNs because it can provide secure access from anywhere to any application, desktop tool, or file on a corporate network. Remote workers can use managed or personal devices to access behind-the-firewall content without sacrificing the performance they enjoy when working in a traditional corporate-owned and managed environment.
These browser-based, containerized solutions also offer secure and auditable aggregation of enterprise assets in a single virtual desktop environment and provide access to all enterprise apps, tools, and files, even when working offline in the case of intermittent connectivity. They also provide turnkey access management to quickly onboard or offboard users and provision endpoints more easily than VPNs, and are a critical aspect of a sound Unified Endpoint Management (UEM) solution.
Identifying the user through password credentials is quite different from continuous authentication, where a user is repeatedly validated based on what they do and how they do it, with analytics used to note if a behavior is potentially problematic. Continuous authentication does all of the above and more. Access control is a critical component of basic security, and continuous authentication sharply “ups” the security game for a Zero Trust approach. It needs to include biometric as well as temporal and contextual analysis, and the analytics need to be enhanced by AI.
Can your system detect when an authorized device, at the same last known location as the authenticated user, is now being used by an unauthorized user? This is where continuous authentication's power is demonstrated: very subtle changes in user behavior are detected and the authorized session is terminated almost immediately, forcing reauthentication before any damage can be done. This dynamic policy adaptation on the fly is essential in a Zero Trust environment.
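The per-event re-evaluation described above can be sketched as follows. This is an added example, not code from BlackBerry or any product named on this page; the field names, the keystroke-cadence signal standing in for behavioral analytics, and the thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum
class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"      # ask for a fresh factor, keep the session
    TERMINATE = "terminate"  # end the session, force full reauthentication

@dataclass(frozen=True)
class Baseline:              # per-user profile (hypothetical fields)
    devices: frozenset
    locations: frozenset
    keystroke_ms: float      # usual mean interval between keystrokes
    tolerance_ms: float      # drift allowed before behaviour is anomalous

@dataclass(frozen=True)
class Event:                 # signals attached to one request in a live session
    device: str
    location: str
    rooted: bool
    keystroke_ms: float

def evaluate(event, base):
    """Re-check trust for one event; returns (Decision, reasons)."""
    reasons = []
    if event.rooted:
        reasons.append("device reports root/jailbreak")
    if abs(event.keystroke_ms - base.keystroke_ms) > base.tolerance_ms:
        reasons.append("typing cadence outside user baseline")
    if reasons:  # integrity or behaviour failure is never softened to step-up
        return Decision.TERMINATE, reasons
    if event.device not in base.devices:
        reasons.append("unrecognised device")
    if event.location not in base.locations:
        reasons.append("unrecognised location")
    return (Decision.STEP_UP if reasons else Decision.ALLOW), reasons

def run_session(events, base):
    """Evaluate every event in order; nothing is served after a TERMINATE."""
    decisions = []
    for ev in events:
        decisions.append(evaluate(ev, base)[0])
        if decisions[-1] is Decision.TERMINATE:
            break
    return decisions
BASE = Baseline(frozenset({"laptop-01"}), frozenset({"home"}), 180.0, 40.0)
SAMPLE = [  # constructed events, all from the enrolled device
    Event("laptop-01", "home", False, 175.0),
    Event("laptop-01", "cafe", False, 190.0),
    Event("laptop-01", "home", False, 95.0),  # someone else at the keyboard
]
```

The third sample event is the case raised above: the device and location both match the baseline, so only the behavioral signal separates the authorized user from whoever is now typing.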
UEM and UES for Zero Trust
BlackBerry recently announced the availability of BlackBerry Spark® Suites. BlackBerry Spark Suites combine the best of endpoint security and management capabilities powered by artificial intelligence automation, and include the following options:
The BlackBerry Spark UES® Suite delivers a full set of endpoint security capabilities, including AI-driven user and entity behavior analytics, next-generation Mobile Threat Defense, Endpoint Protection, as well as Endpoint Detection and Response. Data Loss Prevention and a Secure Internet Gateway will be added to this suite in the near future.
The BlackBerry Spark® UEM Suite provides a highly secure way to manage and secure devices and applications, including secure interoperability with Microsoft® Office 365® mobile apps. It also offers a full set of endpoint management capabilities, Digital Rights Management, Identity and Access Management, SDK/custom apps, multi-channel notifications and regulated controls. A streamlined option of this offering is also available in the BlackBerry Spark® UEM Express Suite.
For the most comprehensive solution, the BlackBerry Spark® Suite provides a one-stop-shop and the gold standard that includes features of the BlackBerry Spark UES Suite and BlackBerry Spark UEM Suite. It’s built to enable a Zero Trust security environment and is focused on earning trust across any endpoint and continuously validating that trust at every event or transaction.