Many businesses use credentials and some form of MFA to authenticate the user’s identity. Identity alone is not enough to safely grant access; device risk posture also needs to be assessed. A user’s identity cannot inform the access-granting party about the health of the device being used. A user may have unwittingly installed malware, or their OS may not be patched. So, what is device risk posture and why does it matter?

Device security posture

The evaluation of the collective risk to confidential information is an organization’s risk posture. Taking into account collective risk is key as there are many different threat vectors and many small vulnerabilities that may culminate in a serious threat. Taking a lower risk posture means that the security requirements are higher, whereas a higher risk posture means the opposite.

Device risk posture focuses on the risks that an individual endpoint poses. There are many factors that should be considered before a device is enabled with access to corporate services. By definition, not taking these factors into account means taking a high risk approach and adopting a high risk posture.

The threat vectors a device can encounter can be split into four main categories:

  1. Device – The device and its operating system need to be understood; is the device running outdated firmware or has it been misconfigured in some manner that could allow a third party to compromise it? When you consider that 29.1% of iOS devices are running a severely out-of-date OS, companies can’t rely on employee diligence to ensure that their devices are compliant with security policy.
  2. App – The apps installed on a device are critical to posture; apps could be intentionally malicious and malware-ridden, they could have been poorly coded and leak information unintentionally, and zero-day vulnerabilities can be discovered even in legitimate apps.
  3. Content – The content the device is being used to access could increase the risk posture. If malicious websites, servers or domains are being accessed it is a sign that malware may be installed or data is being exfiltrated.
  4. Network – The network the device is using to connect to services is important; an unencrypted connection or a spoofed access point could result in confidential information being intercepted or altered in a Man-in-the-Middle attack.

Understanding adaptive access

At first glance some services like UEM or Cisco ISE appear to provide visibility of these threat vectors. However, these services lack true insight into the four threat categories described above, instead offering surface-level visibility into easily evaded risk indicators, such as whether a device is jailbroken or not.

Comprehensive security capabilities are required to determine the risk posture of a device and whether or not a device should be granted access to corporate resources. The concept of taking contextual factors, including device risk posture, into account is known as adaptive access and is possible today by integrating Mobile Threat Defense solutions with a UEM.

The future of access

Zero Trust Network Access (ZTNA) takes adaptive access mechanisms to the next level by applying controls in the access layer rather than in the application layer, which UEMs work in. This provides a number of security benefits, including shielding applications from access attempts, effectively preventing untrusted parties from even attempting to authenticate.

Gartner classifies ZTNA as the technology class that “replaces traditional technologies, which require companies to extend excessive trust to employees and partners to connect and collaborate”, and expects 80% of new digital business applications opened up to ecosystem partners to be accessed through ZTNA.

BYOD challenges

“today’s bring-your-own-device (BYOD) world also mandates paying attention to the devices those users leverage for work and any operational technology (OT) or internet-of-things (IoT) devices on the network.” – Forrester

The importance of understanding how a device is used, and of assessing its risk posture, increases in BYOD scenarios. In these cases the device is legitimately used for personal purposes outside of business hours, which may mean installing apps or visiting websites that would not be allowed on a corporate-owned device.

“By 2025, more than 85% of successful attacks against modern enterprise user endpoints will exploit configuration and user errors” – Gartner

Rather than banning the use of BYOD, businesses can instead carry out non-invasive device risk assessments to determine the device risk posture. The device risk posture can then be used by a threat intelligence engine to determine whether or not access can safely be granted to the device.
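The following is an added illustration, not Wandera's or MI:RIAM's code: a small adaptive access decision that scores the four threat categories described above (device, app, content, network) from constructed device telemetry and maps the result to allow, step-up or deny. The weights, thresholds, policy floor and indicator lists are illustrative assumptions and not values from this page.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MIN_OS_VERSION = (16, 0)                       # assumed policy floor
BLOCKED_APPS = {"com.example.sideloaded-vpn"}   # constructed indicator
BLOCKED_DOMAINS = {"c2.example.invalid"}       # constructed indicator


@dataclass
class DeviceTelemetry:
    """Constructed telemetry a lightweight endpoint agent might report."""
    os_version: tuple
    jailbroken: bool
    installed_apps: set = field(default_factory=set)
    domains_contacted: set = field(default_factory=set)
    network_encrypted: bool = True


def assess_posture(t: DeviceTelemetry) -> tuple:
    """Return (risk_score, findings) with findings grouped by threat category."""
    findings = {"device": [], "app": [], "content": [], "network": []}
    score = 0
    # Device: patch level is weighted above the jailbreak flag, since a
    # jailbreak indicator on its own is easily evaded.
    if t.os_version < MIN_OS_VERSION:
        findings["device"].append(f"OS {t.os_version} below floor {MIN_OS_VERSION}")
        score += 40
    if t.jailbroken:
        findings["device"].append("jailbreak indicators present")
        score += 30
    # App: installed apps checked against a blocklist.
    for app in sorted(t.installed_apps & BLOCKED_APPS):
        findings["app"].append(f"blocked app installed: {app}")
        score += 50
    # Content: contacted domains checked against known-malicious indicators.
    for domain in sorted(t.domains_contacted & BLOCKED_DOMAINS):
        findings["content"].append(f"contacted malicious domain: {domain}")
        score += 60
    # Network: an unencrypted path exposes traffic to interception.
    if not t.network_encrypted:
        findings["network"].append("unencrypted connection; MitM exposure")
        score += 20
    return score, findings


def access_decision(score: int) -> str:
    """Map a posture score to an adaptive access outcome (assumed thresholds)."""
    if score >= 60:
        return "deny"
    if score >= 20:
        return "step_up"  # e.g. re-prompt MFA or limit to low-sensitivity apps
    return "allow"
```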

Effective security

At Wandera we utilize a lightweight app to collect device telemetry; this data is securely transmitted to MI:RIAM, the industry’s most advanced mobile threat intelligence engine. MI:RIAM ingests contextual information and uses it to calculate the device risk posture, which can then be used to apply adaptive access policies. Rich privacy controls are available to ensure that the end user is protected in BYOD scenarios.

Wandera’s Threat Defense solution is an effective way of augmenting your security as a standalone security solution, or in parallel with a UEM to enable adaptive access policies. Wandera also offers simple roadmap options to help your business seamlessly move towards a Zero Trust Network Access model.

To learn more about remote access, BYOD enablement or Zero Trust Network Access and how they can help your organization please get in touch with one of our experts.