Feb 01 2023

Best Practices for Deploying Zero Trust In Your Mobile Environment

The Cybersecurity and Infrastructure Security Agency’s advice is worth heeding

Mobile devices are everywhere, and so are the cybercriminals bent on exploiting them. The good news? The mobile security market is rapidly developing technologies and approaches designed to counteract hackers.  

Among these, the zero-trust security framework is gaining popularity because it recognizes that threats can come from both inside and outside the organization. However, zero trust can be difficult to reconcile with evolving mobile security approaches. Fortunately, the Cybersecurity and Infrastructure Security Agency has published a draft of its guidance, "Applying Zero Trust Principles to Enterprise Mobility," which spells out how organizations can map mobile security controls to CISA's Zero Trust Maturity Model.

It’s important for IT professionals, especially those responsible for cybersecurity, to understand why the federal government’s guidance is important in this case, and what specific things they should be doing in response.  




Why Zero Trust Is The Right Approach

First, a few words about zero trust: It's a model that recognizes that a simple, one-time authentication and authorization decision is not sufficient, because changes in user behavior, location, device state and the like can radically change whether access should still be granted. Zero trust enforces least-privilege access to resources and requires continuous security monitoring, risk-based access control, and continuous authentication and authorization based on real-time information, so that access is re-evaluated on each request rather than assumed from an earlier login.

In short, zero trust is designed to protect data in real time as the threat environment evolves, instead of trusting whatever was verified at the start of a session.

For a business, zero trust can help address the growing number of advanced persistent threats that target mobile devices. In fact, 60 percent of respondents to the 2022 Verizon Mobile Security Index consider mobile devices to be their organization's biggest security risk. Zero trust can enhance protections for mobile devices, and the CISA guidance covers both active techniques for the mobile environment and ways to take advantage of the built-in capabilities of mobile operating systems when deploying devices in the enterprise.


Key Security Technologies for Mobile Devices

Here are some of the more common mobile technologies that help the enterprise securely deploy mobile devices:  

  • Enterprise mobility management (EMM) is an umbrella term for technologies that ensure mobile devices have appropriate policies and configurations. EMM generally includes mobile device management for configurations and security settings and remote user access policy implementation. 
  • Policy enforcement technologies detect changes to security baselines that call for limiting access to enterprise resources.  
  • User and device authentication is based on identity and access management, but rarely encompasses continuous access request authentication, which is required by zero trust.  


[Callout statistic: the percentage of organizations that experienced a "major" mobile-related security compromise; the figure itself was not recovered. Source: Verizon, 2022 Mobile Security Index, August 2022]

When it comes to mobile applications, key security controls include the following:  

  • Mobile Application Vetting (MAV) ensures that applications comply with enterprise policies and do not contain known exploitable vulnerabilities.  
  • Mobile Application Management (MAM) ensures compliance in deployed applications. However, neither MAV nor MAM is generally aligned with zero trust to support continuous authentication.  
  • Mobile Threat Defense detects and mitigates threats from suspicious user behavior or network activity as well as from malicious attacks. 
  • Secure Containers provide isolation techniques to prevent organizational and personal data from commingling.  

Mobile operating systems themselves have built-in security features, including these:  

  • Data isolation techniques block unauthorized communications among device and user data stores. 
  • Platform management APIs allow EMMs and other security management tools to control device security settings and functionality. 
  • User and device identification, a key enabler of zero-trust compliance, involves access via multifactor authentication. 


Three Mobile Security Steps to Take Now 

The mobile security technologies outlined above can go a long way toward implementing zero trust in the mobile environment. However, to fully implement mobile zero trust, the business should take three additional steps.  

First, mobile application development and application security vetting need greater scrutiny to ensure alignment with zero trust for accessing enterprise resources. Applications should be carefully evaluated to make sure they support continuous authentication. Applications developed in-house should be reworked to include continuous authentication if it is not currently in place. MAV should check that all applications, both those developed in-house and those acquired via operating system vendor app stores, comply with policy.  

Second, ensure that mobile devices implement application and data segmentation. Although mobile operating systems have built-in security controls for enforcing segmentation and can sandbox apps and data, the business should scrutinize custom-developed enterprise applications for segmentation at the app and data levels. Enforcement of continuous multifactor authentication is also needed to ensure consistency with zero-trust principles.  

Third, take steps to ensure tighter integration between EMM and mobile threat defenses to ensure timely threat mitigation. Many vendors are aligning their systems to the zero-trust approach, including continuous authentication assessment and reporting on device health.  


Improving Your Security With Intelligent Authentication

Some EMM systems include "intelligent" device authentication, combining biometrics with a profile of the individual user's behavior. Using rule sets driven by machine learning, these systems can adapt the strength of authentication to the risk of each user interaction. Businesses can also tighten the integration between EMM and mobile threat defense systems and their existing logging, monitoring, diagnostic and mitigation systems, so that a threat detected on a device is reflected in access decisions and in the security operations center's view at the same time. 

Every enterprise is different, and there is no one-size-fits-all strategy for mobile zero-trust implementation. Each organization should develop its own roadmap and timeline aligned with its goals. Businesses can develop their strategies based on an assessment of the risks they face, with granular policies to mitigate risks.  

Likewise, each organization needs to decide how frequently and under what conditions users and devices are re-authenticated, balancing security against usability. Related changes should be integrated into the existing identity and mobility infrastructure as needed.  

Finally, as with any security approach, technology is only part of the solution. Enterprises must review their mobile use policies and ensure that their processes and human factors are aligned with their zero-trust goals.  
