Mobility and security can pull enterprises in different directions: end users want to be empowered to use their own devices and work from wherever they choose, while security teams need to protect an ever-expanding amount of business-critical data. This blog series explores the challenges of enabling BYOD devices without putting enterprise data at risk. In Part 1, Zero Trust Network Access, we start with the trend of enabling endpoints that are not on the corporate network.

Security teams can no longer trust that only corporate-owned and managed devices are being used to access critical business applications over the corporate network. Predictions estimate that 73% of all departments will have remote workers by 2028, but recent public health events have accelerated this trend. A recent Gartner survey revealed that 74% of CFOs and finance leaders plan to move part of their previously on-site workforce to permanently remote positions. Additionally, surveys reveal that 77% of employees use their personal phones for work regardless of whether there is a BYOD policy.

It’s quite easy to come up with a list of common remote working BYOD scenarios:

  • An HR manager may need to make changes to a personnel file from their personal laptop.
  • A member of the DevOps team may need to configure the product platform from their home office.
  • A salesperson may need to review customer details in the CRM from their phone.

In these scenarios, important systems can be exposed to any number of risks: the device in use may be running an out-of-date, insecure OS; leaky or risky apps on the device may expose corporate data; the connection may be subject to man-in-the-middle attacks; and a whole host of other threats apply.

To enforce some form of security on remote workers, many organizations have used a VPN as a remote access tool to connect endpoints to corporate services. Although it provides end-to-end encryption, and potentially even MFA, this approach fails in two key ways:

  • It does not mitigate any of the device, application or content risks described above.
  • Many businesses increasingly use cloud apps instead of hosting applications on the corporate network, so a VPN into that network does not cover them.

A modern approach is to use a Zero Trust Network Access (ZTNA) architecture to securely connect any endpoint to any enterprise application. ZTNA uses adaptive access principles, feeding risk factors into a decision-making engine that calculates whether or not to allow an endpoint to connect to an application.

The more that is known about an access request, the more informed the decision to allow it can be. Two of the most important factors in this decision are the user's identity and device health. Identity defines which corporate systems the user may access; with multifactor authentication (MFA) and single sign-on (SSO) there is assurance that the user is who they claim to be. Device health is just as important: users may have unknowingly installed malware, or their OS may not be patched. Mobile Threat Defense (MTD) services can monitor devices for vulnerabilities, from escalated privileges to outdated OSs, and perform continuous app risk assessments for advanced detection of malware and risky applications.

Other factors should also inform whether to accept an access request; these include contextual elements such as location, time of the request and device type. This telemetry can be brought together by an advanced analytics engine to determine the risk and whether or not to trust that the request is legitimate. Adaptive access policies are a core part of a ZTNA architecture and of enabling secure access for remote workers.
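The following is an added illustration of how an adaptive access decision combines the three signal groups discussed above (identity assurance from SSO/MFA, device health from an MTD-style agent, and context such as location, time and device type). It is not Wandera code and not MI:RIAM; the application names, risk weights and thresholds are constructed for the example, and the sample requests mirror the three BYOD scenarios from earlier in the post.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    """Signals an access broker might receive for one request (constructed)."""
    user: str
    app: str
    sso_session_valid: bool    # identity: SSO vouched for who the user is
    mfa_passed: bool           # identity: MFA completed in this session
    os_patched: bool           # device health, as reported by an MTD agent
    malware_detected: bool     # device health, as reported by an MTD agent
    privilege_escalated: bool  # device health: rooted / jailbroken device
    risky_app_count: int       # device health: apps flagged by app risk assessment
    country: str               # context: where the request originates
    hour_utc: int              # context: time of the request
    device_type: str           # context: "managed" or "byod"


@dataclass(frozen=True)
class AppPolicy:
    sensitivity: int                 # 1 = low .. 3 = high
    allowed_countries: frozenset
    business_hours: tuple = (7, 19)  # [start, end) in UTC


# Hypothetical per-application policies for the post's three scenarios.
POLICIES = {
    "hr-personnel": AppPolicy(3, frozenset({"GB", "US"})),
    "devops-platform": AppPolicy(3, frozenset({"GB", "US", "DE"})),
    "crm": AppPolicy(2, frozenset({"GB", "US", "DE", "FR"})),
}

# Constructed thresholds: more sensitive apps tolerate less risk.
STEP_UP_THRESHOLD = {1: 30, 2: 20, 3: 10}  # at or above: require fresh MFA
DENY_THRESHOLD = {1: 70, 2: 55, 3: 40}     # at or above: deny outright


def evaluate(req: AccessRequest, policies=POLICIES) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons) for one request."""
    policy = policies.get(req.app)
    if policy is None:
        return "deny", ["unknown application"]

    # Hard stops: no amount of favourable context offsets these signals.
    if not req.sso_session_valid:
        return "deny", ["no valid SSO session"]
    if req.malware_detected:
        return "deny", ["malware detected on device"]
    if req.privilege_escalated and policy.sensitivity >= 2:
        return "deny", ["device is rooted/jailbroken"]

    score, reasons = 0, []

    def add(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(f"{why} (+{points})")

    # Soft signals accumulate into a risk score (weights are constructed).
    if not req.os_patched:
        add(30, "OS not patched")
    if req.privilege_escalated:
        add(20, "device is rooted/jailbroken")
    if req.risky_app_count:
        add(10 * req.risky_app_count, f"{req.risky_app_count} risky app(s)")
    if req.country not in policy.allowed_countries:
        add(40, f"unexpected country {req.country}")
    start, end = policy.business_hours
    if not start <= req.hour_utc < end:
        add(15, "outside business hours")
    if req.device_type == "byod":
        add(10, "unmanaged (BYOD) device")

    if score >= DENY_THRESHOLD[policy.sensitivity]:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD[policy.sensitivity] and not req.mfa_passed:
        return "step_up", reasons
    return "allow", reasons


# Constructed requests mirroring the post's scenarios.
SALES = AccessRequest("sam", "crm", True, True, True, False, False, 0, "GB", 10, "byod")
HR = AccessRequest("harriet", "hr-personnel", True, True, False, False, False, 0, "GB", 11, "byod")
DEVOPS = AccessRequest("dev", "devops-platform", True, False, True, False, False, 1, "DE", 22, "byod")
DEVOPS_MFA = replace(DEVOPS, mfa_passed=True)
INFECTED = replace(SALES, malware_detected=True)

if __name__ == "__main__":
    for name, req in [("sales", SALES), ("hr", HR), ("devops", DEVOPS),
                      ("devops+mfa", DEVOPS_MFA), ("infected", INFECTED)]:
        decision, why = evaluate(req)
        print(f"{name:11s} -> {decision:8s} {'; '.join(why)}")
```

Two design points are worth noting. Signals that by themselves should end the conversation (an infected or rooted device, no identity assertion) are modelled as hard stops rather than large weights, so they cannot be "outweighed" by a request arriving from the right country at the right time. Everything else is scored, and the score is compared against thresholds that tighten with application sensitivity, which is what lets the same unpatched BYOD laptop be acceptable for a low-sensitivity app and refused for the HR system.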

Building a ZTNA architecture in the cloud and integrating it into an endpoint's access layer means that connectivity to any application can be supported, whether it is publicly or privately hosted. Delivering the functionality from the cloud offers other advantages, such as eliminating the need to trunk traffic through data centres, and simple, cheap management of the service.

The Wandera Security Cloud redefines enterprise access and establishes a zero-trust approach to securing remote access. The Wandera app silently monitors risk factors and reports them to MI:RIAM, the industry’s first AI threat intelligence engine, which calculates whether or not it is safe to enable access; all based on your bespoke enterprise access policies.

To learn more about Zero Trust Network Access, the Wandera Security Cloud or MI:RIAM and how they can help your business, please get in touch with one of our experts.