Enterprise IT and security teams are facing a classic Catch-22 conundrum. The global pandemic forced them to accelerate digitalization timelines in order to support remote and work-from-home (WFH) initiatives, in many cases without ramping up security to protect enterprise resources from compromised remote devices.
Meanwhile, cyberattackers continue to launch a digital pandemic of their own against enterprise resources, as evidenced by the 151 percent increase in ransomware attacks in the first half of 2021. Moreover, IT and security teams recognize that the situation isn’t going to improve: 76 percent report they’ll have to increase remote access over the next two years, even as attackers step up their efforts to get at enterprise resources.
The situation has become so dire that the US federal government is pressuring its agencies to adopt the Zero Trust security model, which starts from the premise that no user or device is implicitly trusted; each must be authenticated and authorized every time it requests access to an IT resource. Many enterprises already have a Zero Trust strategy in place and have implemented baseline Zero Trust principles such as modern multi-factor authentication (MFA). However, the massive increase in remote device access, paired with stratospheric increases in cyberattacks, means enterprises need to ensure that their Zero Trust policies are robust enough to protect their resources. In addition, when it comes to Zero Trust maturity across user and device authentication, very few have applied principles such as conditional access, risk-based policies, and continuous and adaptive authentication and authorization, according to the Okta report “The State of Zero Trust Security in Global Organizations.”
Status quo needs to go
For most enterprises today, the current approach to Zero Trust is to authenticate and authorize users and devices only at the “front door,” when they first attempt to access enterprise resources. A device posture check at that point ensures that a device is allowed to connect to the network only if it complies with a limited set of predefined corporate security policies.
The problem is that such device posture checks evaluate only a small set of security parameters, and they have no way to continuously validate that the device remains secure after the session is initiated and access is granted. Nor can such checks protect against a legitimate user who authenticates from a new device that is not enrolled and associated with their user identity, and there is no guarantee that such a device has adequate security controls in place. The reality is that a device posture check at the point of access simply isn’t enough to ensure Zero Trust device security.
Adding to the problem, device posture checks do nothing to help users remediate security issues and correct their posture once a problem is identified. Users must rely on IT operations and the helpdesk to fix the issue, which hurts productivity, leaves their devices vulnerable in the meantime, and strains already stretched IT resources.
According to Zero Trust guidelines from the National Institute of Standards and Technology (NIST SP 800-207, Zero Trust Architecture), Zero Trust policies should include the following:
- Every device must have its security posture evaluated before gaining access to enterprise resources
- The enterprise should continuously perform diagnostics and mitigation to monitor the state of devices and applications
- Patches and fixes should be applied as needed on devices
When considering those guidelines, it’s clear that enterprises should be leveraging device posture to achieve real-time continuous authorization for Zero Trust. This means that user authentication should be paired with device authentication, with a device identity that includes checks on parameters such as endpoint protection, browser extensions, critical vulnerabilities, operating system security controls, required third-party software such as VPN and SASE agents, installed certificates, and more.
Moreover, authentication and authorization are not a one-time check but should be performed continuously. This is necessary because sessions can last anywhere from minutes to days, so the security posture and device identity can change within a single session. Only by continuously re-evaluating each device against the security policy, and revoking or stepping down access when a device falls out of compliance, can enterprises ensure ongoing compliance.
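As an added example (not code from this page or its vendor), the following Python snippet contrasts the “front door” model described above with continuous re-authorization. A posture snapshot carries the parameters the text lists (endpoint protection, disk encryption, critical vulnerabilities, the VPN/SASE agent, browser extensions, and a device certificate thumbprint bound to the user), a policy function turns it into a list of violations, and two session types show what happens when endpoint protection is disabled mid-session. The device registry, the extension denylist, the field names and the sample snapshots are all constructed for illustration, and the five-minute freshness window is an assumed policy value.

```python
from dataclasses import dataclass, replace

# Constructed sample data (hypothetical): device certificates enrolled per user,
# and a denylist of browser extension ids. A real deployment would source these
# from its PKI/MDM inventory and its extension policy.
DEVICE_REGISTRY = {"alice": {"sha256:A1B2"}}
BLOCKED_EXTENSIONS = {"free-vpn-proxy"}


@dataclass(frozen=True)
class DevicePosture:
    """One posture snapshot, as a posture agent would report it (field set is illustrative)."""
    user_id: str
    cert_thumbprint: str        # device identity from the client certificate
    edr_running: bool           # endpoint protection present and active
    disk_encrypted: bool        # operating system security control
    critical_cves: int          # unpatched critical vulnerabilities reported by the scanner
    vpn_agent_present: bool     # required third-party agent (VPN / SASE)
    browser_extensions: tuple   # installed browser extension ids
    collected_at: float         # epoch seconds when the snapshot was taken


def evaluate_posture(p: DevicePosture) -> list:
    """Compare one snapshot against policy; returns the list of violations (empty = compliant)."""
    violations = []
    if p.cert_thumbprint not in DEVICE_REGISTRY.get(p.user_id, set()):
        violations.append("device not enrolled for user")   # new, unpaired device
    if not p.edr_running:
        violations.append("endpoint protection not running")
    if not p.disk_encrypted:
        violations.append("disk not encrypted")
    if p.critical_cves > 0:
        violations.append("unpatched critical vulnerabilities: %d" % p.critical_cves)
    if not p.vpn_agent_present:
        violations.append("required VPN/SASE agent missing")
    for ext in p.browser_extensions:
        if ext in BLOCKED_EXTENSIONS:
            violations.append("blocked browser extension: " + ext)
    return violations


class FrontDoorSession:
    """Status quo: posture is checked once at login and then trusted for the session lifetime."""
    def __init__(self, login_posture: DevicePosture):
        self.granted = not evaluate_posture(login_posture)

    def authorize(self, _current_posture: DevicePosture, now: float) -> bool:
        return self.granted  # never looks at the current posture again


class ContinuousSession:
    """Zero Trust: every request is re-authorized against the latest snapshot. A changed
    device identity or a policy violation revokes the session; a stale snapshot is denied
    until fresh telemetry arrives, without revoking the session."""
    def __init__(self, login_posture: DevicePosture, max_age_s: float = 300.0):
        self.user_id = login_posture.user_id
        self.device = login_posture.cert_thumbprint
        self.max_age_s = max_age_s  # assumed policy: posture older than 5 min is unknown
        self.revoked = bool(evaluate_posture(login_posture))

    def authorize(self, posture: DevicePosture, now: float) -> bool:
        if self.revoked:
            return False
        if posture.user_id != self.user_id or posture.cert_thumbprint != self.device:
            self.revoked = True          # device identity changed mid-session
            return False
        if now - posture.collected_at > self.max_age_s:
            return False                 # stale telemetry: deny this request only
        if evaluate_posture(posture):
            self.revoked = True          # fell out of compliance: revoke
            return False
        return True


def demo() -> tuple:
    """Endpoint protection is killed two minutes into the session.
    Returns ([front-door decisions], [continuous decisions]) for minute 1 and minute 2."""
    good = DevicePosture("alice", "sha256:A1B2", True, True, 0, True, ("ublock",), 1000.0)
    front_door = FrontDoorSession(good)
    continuous = ContinuousSession(good)
    minute_one = replace(good, collected_at=1060.0)                      # unchanged
    minute_two = replace(good, edr_running=False, collected_at=1120.0)   # EDR disabled
    return (
        [front_door.authorize(minute_one, 1061.0), front_door.authorize(minute_two, 1121.0)],
        [continuous.authorize(minute_one, 1061.0), continuous.authorize(minute_two, 1121.0)],
    )


if __name__ == "__main__":
    print(demo())
```

The front-door session keeps returning True after the EDR agent is gone, while the continuous session denies the request and revokes the session. The stale-snapshot branch is deliberately a deny without a revoke: a posture agent that stops reporting is an unknown, not proof of compromise, so the user gets access back as soon as fresh telemetry shows compliance.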
While these new policies might seem daunting, the reality is that Zero Trust principles and controls can be applied to devices without disrupting user access or business continuity. For more on how to do so, get in touch with us today and request a demo.