Does BYOD Fit Into a Zero Trust Security Strategy?
JumpCloud blog, published 2022-03-11 (last modified 2024-10-15)
https://jumpcloud.com/blog/byod-zero-trust-security-strategy

Excerpt: Learn how Zero Trust helps businesses overcome BYOD security challenges to foster a secure work-from-anywhere environment.

For a long time, bring-your-own-device (BYOD) environments were seen as the antithesis of security in the workplace. This was largely because past security methods allowed them to fly under IT’s radar as rogue, unprotected, and unmanaged BYOD devices accessing corporate resources.

Now, Zero Trust security is becoming the new business standard for reliable security in a work-from-anywhere environment — and these environments are powered in part by mobile devices. How can Zero Trust account for personal devices that have become notorious security weak points in organizations?

This article will outline the security challenges that BYOD can pose in traditional security environments, how Zero Trust responds to these challenges, and what organizations need to keep BYOD environments secure within a Zero Trust architecture.

Why Device Security Is Still a Problem

BYOD environments have earned themselves a poor reputation for security because they’ve historically functioned in perimeter-based security environments. In these environments, the organization protects its resources by creating a firewall-based perimeter around the central network.

It verifies entry onto the network with checks like username/password combos to verify identity and IP addresses to verify devices, but that verification step generally occurs only once. Further, authenticating at the perimeter grants access to everything — so one successful breach would grant the bad actor access to the entire corporate network.

Additionally, passwords provide weak-at-best security, and IP addresses fall short when it comes to verifying individual mobile devices. And with cyber threats being as sophisticated as they are, most security experts recommend planning for when they happen, not if — allowing anyone to move freely inside the network once authenticated opens the door to lateral movement in case of a breach.

The problems with perimeter security multiplied as remote and hybrid-remote work became more popular. Remote work dissolved the perimeter by moving resources out of the on-premises “central network” and into the cloud; protections that formed a physical perimeter around the organization’s infrastructure, therefore, no longer sufficed.

Meanwhile, these decentralized networks saw an influx of mobile devices as users shifted from in-office setups to working from anywhere. The result was many unprotected and unmanaged BYOD devices accessing corporate resources that were already lacking sufficient security. Unmanaged BYOD devices accessing the corporate network create problems with:

Visibility

If IT admins can’t see the devices on the network, they can’t monitor their activity to detect suspicious behavior, address security noncompliance, or remove unprotected devices from the network.

In general, lack of visibility into devices on the network prevents IT from getting a full view of the organization’s network and activity. This can create major blind spots.

Security compliance and enforcement

On unmanaged BYOD devices, IT admins can’t enforce security policies like passcode requirements, multi-factor authentication (MFA), antivirus protection, or software updates. This means that devices with significant vulnerabilities could be accessing corporate resources, creating exploitable attack vectors.

Intermingling personal and corporate data

Exposing corporate data to unapproved and unprotected resources could allow sensitive data to be tampered with or compromised. In addition to the dangers of connecting third-party applications and data with corporate resources, this can also cause compliance risks — especially when personally identifiable information (PII) is involved.

Lack of telemetry

Mobile devices that aren’t associated with the organization don’t provide IT with telemetry. This can obscure IT’s ability to investigate issues.

How Zero Trust Security Changed Device Security

Zero Trust security emerged in response to the perimeter security model’s inability to protect decentralized infrastructures, cloud-based technology, and mobile devices. It gained significant ground in the last few years as companies that had shifted to remote work models turned to Zero Trust for more effective security. Now, it’s considered the most effective way to secure a modern, work-from-anywhere environment.

“Zero trust is a response to enterprise network trends that include remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise owned network boundary.”
— NIST SP 800-207

Device security is an integral part of a successful Zero Trust security program: Forrester’s Practical Guide to a Zero Trust Implementation names device security as one of the five main categories of Zero Trust.

What Does Zero Trust Prescribe for BYOD Security?

Zero Trust security enforces the principle of least privilege (PLP) with secure authentication at every access transaction. Instead of applying security to only the outer perimeter of the network, Zero Trust does away with the concept of the perimeter and takes authentication from the perimeter level to the resource level. Zero Trust prescribes that every resource — including devices — must be properly authenticated before gaining access to corporate data.

Therefore, devices can be individually verified or denied. This gives IT greater control over BYOD environments, allowing them to set and enforce parameters around what it takes for a device to be allowed to access corporate resources. For example, Zero Trust environments can verify devices based on IP address, PKI certificate, and whether they meet health and security requirements.

In a Zero Trust mobile environment, IT should be able to manage employee-owned devices in at least the following ways:

BYOD environments are best managed according to Zero Trust principles with a mobile device management (MDM) tool. MDM tools allow IT to manage the devices on their network — organizations with BYOD environments should look for MDM solutions with optional enrollment policies that enable employees who want to use their personal devices to enroll them into the MDM program. This helps garner trust and maintain employee autonomy.

Similarly, the level of control the organization has over mobile devices depends on whether the device is corporate- or employee-owned. If corporate-owned, organizations have more room to enforce comprehensive policies and restrictions, including disabling Siri, opting out of analytics and crash reporting, and preventing internet results within Spotlight search. If employee-owned, the organization should have limited control to protect employee privacy; however, the MDM should still be able to perform basic device management functions on BYOD devices, like:

These measures significantly reduce the risk that employee-owned devices bring onto the network. Note that mobile device management solutions are even more secure when combined with an identity and access management (IAM) tool, allowing user and device identities and policies to work in tandem for higher, more contextualized security.

Building Out Your Zero Trust Roadmap

Device management is one of five categories of a Zero Trust implementation. For a step-by-step look at securing the devices in your environment as well as implementing the other four categories of Zero Trust — identities, workloads, networks, and data — download Forrester’s Practical Guide to a Zero Trust Implementation.