For a long time, bring-your-own-device (BYOD) environments were seen as the antithesis of security in the workplace. This was largely because past security methods allowed them to fly under IT’s radar as rogue, unprotected, and unmanaged devices accessing corporate resources.
Now, Zero Trust security is becoming the new business standard for reliable security in a work-from-anywhere environment — and these environments are powered in part by mobile devices. How can Zero Trust account for personal devices that have become notorious security weak points in organizations?
This article will outline the security challenges that BYOD can pose in traditional security environments, how Zero Trust responds to these challenges, and what organizations need to keep BYOD environments secure within a Zero Trust architecture.
Why Device Security Is Still a Problem
BYOD environments have earned themselves a poor reputation for security because they’ve historically functioned in perimeter-based security environments. In these environments, the organization protects its resources by creating a firewall-based perimeter around the central network.
It verifies entry onto the network with checks like username/password combos to verify identity and IP addresses to verify devices, but that verification step generally occurs only once. Further, authenticating at the perimeter grants access to everything — so one successful breach would grant the bad actor access to the entire corporate network.
Additionally, passwords provide weak-at-best security, and IP addresses fall short when it comes to verifying individual mobile devices. And with cyber threats being as sophisticated as they are, most security experts recommend planning for when a breach happens, not if — allowing anyone to move freely inside the network once authenticated opens the door to lateral movement once an attacker gets in.
The problems with perimeter security multiplied as remote and hybrid-remote work became more popular. Remote work dissolved the perimeter by moving resources out of the on-premises “central network” and into the cloud; protections that formed a physical perimeter around the organization’s infrastructure, therefore, no longer sufficed.
Meanwhile, these decentralized networks saw an influx of mobile devices as users shifted from in-office setups to working from anywhere. The result was many unprotected and unmanaged devices accessing corporate resources that were already lacking sufficient security. Unmanaged devices accessing the corporate network create problems with:
Visibility
If IT admins can’t see the devices on the network, they can’t monitor their activity to detect suspicious behavior, address security noncompliance, or remove unprotected devices from the network.
In general, lack of visibility into devices on the network prevents IT from getting a full view of the organization’s network and activity. This can create major blind spots.
Security compliance and enforcement
On unmanaged devices, IT admins can’t enforce security policies like passcode requirements, multi-factor authentication (MFA), antivirus protection, or software updates. This means that devices with significant vulnerabilities could be accessing corporate resources, creating exploitable attack vectors.
Intermingling personal and corporate data
Exposing corporate data to unapproved and unprotected resources could allow sensitive data to be tampered with or compromised. In addition to the dangers of connecting third-party applications and data with corporate resources, this can also cause compliance risks — especially when personal identifiable information (PII) is involved.
Lack of telemetry
Mobile devices that aren’t associated with the organization don’t provide IT with telemetry. This can obscure IT’s ability to investigate issues.
How Zero Trust Security Changed Device Security
Zero Trust security emerged in response to the perimeter security model’s inability to protect decentralized infrastructures, cloud-based technology, and mobile devices. It gained significant ground in the last few years as companies that had shifted to remote work models turned to Zero Trust for more effective security. Now, it’s considered the most effective way to secure a modern, work-from-anywhere environment.
“Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise owned network boundary.” — NIST SP 800-207
What Does Zero Trust Prescribe for BYOD Security?
Device security is an integral part of a successful Zero Trust security program: Forrester’s Practical Guide to a Zero Trust Implementation names device security as one of the five main categories of Zero Trust.
Zero Trust security enforces the principle of least privilege (PLP) with secure authentication at every access transaction. Instead of applying security to only the outer perimeter of the network, Zero Trust does away with the concept of the perimeter and takes authentication from the perimeter level to the resource level. Zero Trust prescribes that every resource — including devices — must be properly authenticated before gaining access to corporate data.
Therefore, devices can be individually verified or denied. This gives IT greater control over BYOD environments, allowing them to set and enforce parameters around what it takes for a device to be allowed to access corporate resources. For example, Zero Trust environments can verify devices based on IP address, PKI certificate, and whether they meet health and security requirements.
In a Zero Trust environment, IT should be able to manage employee-owned devices in at least the following ways:
- See and monitor all devices accessing corporate resources.
- Isolate or remove devices from the network.
- Specify required configurations for devices to be able to access corporate resources. Examples of common configurations include requiring a passcode, enabling remote lock and wipe, and requiring the operating system (OS) to be up to date.
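To make the resource-level decision concrete, here is an added illustration (not code from the article or from any product it mentions) of a policy check that evaluates a device’s posture against each resource’s own requirements on every access request, rather than once at a perimeter. The check names, resource names, minimum OS version and the sample BYOD device are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Device:
    device_id: str
    enrolled: bool                   # opted in to the MDM program (gives visibility and telemetry)
    cert_expires: Optional[date]     # PKI device certificate expiry; None means no certificate
    passcode_set: bool
    remote_lock_wipe: bool
    os_version: tuple                # (major, minor)

MIN_OS_VERSION = (17, 4)             # constructed minimum for this example
# Each check returns None when satisfied, otherwise the reason it failed.
CHECKS = {
    "enrolled":    lambda d, t: None if d.enrolled else "not enrolled in MDM",
    "certificate": lambda d, t: None if d.cert_expires and d.cert_expires >= t
                                else "no valid device certificate",
    "passcode":    lambda d, t: None if d.passcode_set else "no passcode set",
    "lock_wipe":   lambda d, t: None if d.remote_lock_wipe else "remote lock/wipe disabled",
    "os_current":  lambda d, t: None if d.os_version >= MIN_OS_VERSION
                                else "OS below minimum version",
}

# Resource-level policy (constructed): each resource lists the checks it requires,
# so the decision is made per resource rather than once at a network perimeter.
RESOURCE_POLICY = {
    "company-wiki": ["enrolled", "certificate", "passcode"],
    "hr-records":   ["enrolled", "certificate", "passcode", "lock_wipe", "os_current"],
}

def evaluate_access(device, resource, today=None):
    """Evaluate on every access request; returns (allowed, list of failure reasons)."""
    today = today or date.today()
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False, ["unknown resource: default deny"]
    reasons = [r for r in (CHECKS[c](device, today) for c in required) if r]
    return not reasons, reasons

def demo_decisions():
    """Constructed BYOD device: enrolled, valid cert, passcode and lock/wipe on, OS out of date."""
    today = date(2024, 6, 1)
    byod = Device("ios-personal-01", True, date(2025, 1, 1), True, True, (16, 7))
    return {res: evaluate_access(byod, res, today) for res in RESOURCE_POLICY}

if __name__ == "__main__":
    for resource, (allowed, reasons) in demo_decisions().items():
        print(f"{resource}: {'allow' if allowed else 'deny'} {reasons}")
```

The same device is allowed into the wiki but denied the HR records, which is the per-resource granularity a perimeter check cannot give.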
BYOD environments are best managed according to Zero Trust principles with a mobile device management (MDM) tool. MDM tools allow IT to manage the devices on their network — organizations with BYOD environments should look for MDM tools with optional enrollment policies that enable employees who want to use their personal devices to enroll them into the MDM program. This helps garner trust and maintain employee autonomy.
The level of control the organization has over mobile devices also depends on whether the device is corporate or employee-owned. If corporate-owned, organizations have more room to enforce comprehensive policies and restrictions, including disabling Siri, opting out of analytics and crash reporting, and preventing internet results within Spotlight search. If employee-owned, the organization should have limited control to protect employee privacy; however, the MDM should still be able to perform basic device management functions on BYOD devices, like:
- Requiring a passcode.
- Adding web shortcuts to the home screen.
- Creating custom configuration for policies, applications, and profiles.
- Being able to lock and wipe the device remotely.
These measures significantly reduce the risk that employee-owned devices bring onto the network. Note that MDM tools are even more effective when combined with an identity and access management (IAM) tool, allowing user and device identities and policies to work in tandem for stronger, more contextual security.
Building Out Your Zero Trust Roadmap
Device management is one of five categories of a Zero Trust implementation. For a step-by-step look at securing the devices in your environment as well as implementing the other four categories of Zero Trust — identities, workloads, networks, and data — download Forrester’s Practical Guide to a Zero Trust Implementation.