According to a recent survey by Flexjobs, 65 percent of pandemic-era remote workers want to continue working from home, and 58 percent say they would look for a new job if their company requires returning to the office.
That signals an important shift for enterprise IT and security teams that continue to scramble to support remote and work-from-home (WFH) initiatives created in response to the pandemic. Yet according to a recent Forrester report surveying IT and security decision makers, 79 percent say the demand to support remote devices and other digital business requirements has outpaced their ability to keep up, even though 68 percent also say cyberattacks against enterprises are more advanced today than prior to the pandemic.
Meanwhile, government entities like the National Institute of Standards and Technology (NIST) and the US Department of Defense have recognized the need to evolve cybersecurity from static, network-based perimeters to instead focus on users, assets and resources using the Zero Trust security model. Zero Trust eliminates implicit trust in any one device and requires continuous verification via real-time information fed from multiple sources to determine access.
Most IT and security teams currently apply conditional access control, which is a good step toward Zero Trust. However, optimal Zero Trust maturity goes further and applies adaptive access control with device identity. Doing so effectively balances risk reduction and user productivity, while also strengthening security with more fine-grained, context-aware policies.
Conditional vs. adaptive access control
Conditional access is an access control method wherein users receive access to corporate applications and data based on the fulfillment of certain conditions, including multifactor authentication (MFA). Many organizations have implemented MFA as part of a Zero Trust approach to users, which improves the overall security posture through strong user identity authentication.
However, this is only a small piece of the Zero Trust model. After MFA has been applied, the recommended next step is conditional access paired with the ability to enforce the use of a trusted device. But conditional access control is limited to either granting or blocking access based on a small set of conditions, including the condition of a compliant device. When a device is not compliant, access is usually blocked until the issue is mitigated, which negatively impacts user productivity.
Adaptive access control takes conditional access to the next level. In the Technology Overview for Adaptive Access Control, Gartner defines adaptive access as, “an instance of context-aware access control that acts to balance the level of trust against risk. It enables organizations to better address access-related risks, while improving user experience.”
Combine device identity with adaptive access control
Combining the rich context of device identity with adaptive access control lets you govern access permissions in real time based on the user and device context. For example, you can allow read-only access to services or prevent users connecting via non-compliant devices from downloading files. This delivers Zero Trust adaptively, maintaining business continuity without disrupting the workforce's access.
Adaptive access control balances Zero Trust risk reduction with end-user productivity. Moreover, it provides remediation options for non-compliant devices, including self-service or automated options to mitigate issues without disrupting access to critical services.
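The difference between the two models can be shown as a small policy evaluator. This is an added example, not code from Netskope, Infinipoint or any product; the posture check names, access levels and the mapping between them are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool
    device_enrolled: bool      # device identity verified
    failed_checks: tuple = ()  # posture checks the device currently fails

# Assumed posture checks and the self-service fix offered for each.
REMEDIATION = {
    "disk_encryption": "enable full-disk encryption",
    "os_patch": "install pending OS updates",
    "edr_agent": "start the endpoint protection agent",
}
# Assumed rule: failures that only endanger local copies block downloads only.
DOWNLOAD_ONLY_RISK = {"disk_encryption"}

def conditional_decision(req):
    """Binary model: every condition must hold, otherwise block."""
    ok = req.mfa_passed and req.device_enrolled and not req.failed_checks
    return "allow" if ok else "block"

def adaptive_decision(req):
    """Graded model: returns (access_level, remediation_steps)."""
    if not req.mfa_passed:
        return "block", []
    if not req.device_enrolled:
        return "block", ["enroll this device"]
    if not req.failed_checks:
        return "full", []
    fixes = [REMEDIATION.get(c, f"resolve {c}") for c in req.failed_checks]
    if set(req.failed_checks) <= DOWNLOAD_ONLY_RISK:
        return "no_download", fixes
    return "read_only", fixes

# Constructed sample requests.
SAMPLES = [
    Request("alice", True, True),
    Request("bob", True, True, ("disk_encryption",)),
    Request("carol", True, True, ("os_patch", "edr_agent")),
    Request("dave", False, True),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r.user, conditional_decision(r), *adaptive_decision(r))
```

For the two non-compliant devices the conditional model returns a block, while the adaptive model returns a reduced access level together with the steps the user can take to restore full access.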
Early adopters are applying adaptive access control with device identity for Zero Trust user and device security. To see an example of how you can apply device identity and posture with adaptive access control, read the Netskope and Infinipoint joint solution brief or get in touch with us today.