Zero-trust is the vogue term in the security industry, with seemingly every company repositioning accordingly, and for good reason. In a mobile-first world where personal devices are used for work, companies need to reconsider their approach to security.
We previously produced a primer on zero-trust security, discussing the general premise and the technologies involved. Our VP of Product Strategy, Michael Covington, spoke to Dan Woods from Early Adopter Research (a site focused on building product-based platforms to solve high-value problems) to explain why zero-trust is so important in delivering the next phase of mobile security, especially when it comes to BYOD environments. Here are the conversation highlights:
Extending security outside the perimeter
Mobility is not new, but it is one of the first trends that led to a change in the perimeter. IT was tasked with securing devices that left the corporate space but still needed to access corporate resources. Then came cloud-hosted applications that weren’t developed in-house and that also sit outside the perimeter.
IT teams now need to enable people who are no longer within this trusted space to access applications that are also outside it, and they need to do so with some kind of security assurance.
I think the concept of zero-trust is the industry’s way of saying to the customer, ‘you made some decisions to enable BYOD, you need people to access sensitive data, how are you going to do it?’ We need to give businesses some tools in order to enable them to start building trust back up. Because right now they don’t have any.
Michael Covington, VP of Product Strategy, Wandera
Enabling BYOD with less risk
We saw a trend about five to ten years ago when businesses were making decisions about supporting devices that leave the perimeter, for example, which ones should be purchased for that purpose? BYOD seemed to be the obvious choice; the end user would buy their own device, they would manage that device themselves, and they would be able to access sensitive corporate resources.
The need to allow a device that was completely unmanaged and unprotected by the enterprise to have access to sensitive corporate resources was game-changing for the way IT was delivered and is still delivered today. We’ve seen certain device ownership models come out, new platforms from Apple and Android, improved VPN technology, and new ways of accessing content online. There will always be risk but all these new initiatives improve the security of BYOD ownership models.
Security moves from user burden to user freedom
In many cases, IT policy requires users to change their passwords frequently and therefore they choose weaker passwords by default because they need to remember a new password on a more frequent cadence. Zero-trust can remove that pressure on the end user to make security-conscious decisions while using their BYOD devices. Zero-trust is really meant to provide the company with more security assurances while unburdening the user.
People are the perimeter, so much of the de facto security of a company comes from having people who are making good decisions when they’re using computers.
Dan Woods, Early Adopter Research
You don’t have to choose between security and privacy—have both
We already know that mobile data consumption is doubling year-over-year. The average number of devices that employees have in hand right now is around three. As consumerization and IoT adoption grow, this number will increase. Think about all those devices generating data at very high speeds and consuming it 24/7.
We are at a point now where the traditional approach to security has not been able, and will not be able, to keep up with monitoring all of this traffic for threats. Security used to be about scanning everything. Businesses would invest in firewalls or secure web gateways that sat at the perimeter edge and looked at every last data transaction going back and forth to the internet.
If we think about zero-trust, dynamic mobile risk assessments and the use of policy enforcement to power continuous conditional access, we might be at a place where we, in the security industry, can actually make smarter decisions about what we do scan, rather than scanning everything.
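To make the idea of continuous conditional access concrete, here is an added example (not Wandera's code, and not from the interview) of a policy evaluator that is run on every access request: it turns a handful of device posture signals into a risk score and decides not only whether to allow the request but whether the work traffic needs to be inspected at all. The signal names, weights and thresholds are illustrative assumptions.

```python
"""Continuous conditional access: evaluate every request against current device posture.

Posture field names, weights and thresholds are constructed for this example;
a real deployment would tune them against its own incident data.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:
    os_patched: bool            # device runs a currently supported/patched OS build
    jailbroken: bool            # integrity of the platform can no longer be trusted
    work_profile_managed: bool  # work apps live in an enterprise-managed container
    network: str                # "trusted", "unknown" or "hostile"
    credentials_leaked: bool    # user's credentials seen in a known breach

@dataclass(frozen=True)
class Decision:
    action: str     # "allow", "step_up" (re-authenticate) or "deny"
    inspect: bool   # whether work-profile traffic should be scanned for threats
    score: int

# Illustrative weights: higher means riskier context.
NETWORK_WEIGHT = {"trusted": 0, "unknown": 15, "hostile": 40}

def risk_score(p: DevicePosture) -> int:
    """Sum the posture signals into a single risk score (0 = healthy, managed, trusted)."""
    score = 0
    if p.jailbroken:
        score += 60
    if not p.os_patched:
        score += 20
    if not p.work_profile_managed:
        score += 15
    score += NETWORK_WEIGHT[p.network]
    if p.credentials_leaked:
        score += 30
    return score

def decide(p: DevicePosture, sensitivity: str) -> Decision:
    """Decide for one request; sensitivity is "low" or "high" for the target resource."""
    score = risk_score(p)
    if p.jailbroken:                     # platform integrity gone: nothing else is trustworthy
        return Decision("deny", False, score)
    if p.credentials_leaked:             # force re-authentication before any data flows
        return Decision("step_up", True, score)
    threshold = 30 if sensitivity == "high" else 50
    if score >= threshold:               # context too risky for this resource without step-up
        return Decision("step_up", True, score)
    if score >= 15:                      # tolerable risk: allow, but scan only work traffic
        return Decision("allow", True, score)
    # Healthy managed device on a trusted network: no scanning, personal side stays private.
    return Decision("allow", False, score)
```

Because inspection is switched on only for the work container and only when the risk score warrants it, the personal side of a BYOD device is never scanned by this policy.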
As we look to mobile devices in particular, where privacy has become a really big theme, where we see the separation of the consumer side and the business side of the device, you can’t live in a world where you can scan all the traffic anymore.
Michael Covington, VP of Product Strategy, Wandera
2:40 – What is zero-trust security?
9:10 – The need for visibility in a BYOD environment
14:10 – Should CISOs focus on operational discipline?
17:30 – How to improve the people side of security
20:45 – Is cybersecurity insurance necessary?