Many organizations and government agencies are looking to build out a Zero Trust architecture. If you’ve attended any cybersecurity conferences lately, it’s highly likely that you’ve seen the words “Zero Trust” plastered across the expo floor and afterward, were inundated with follow-on marketing campaigns promoting the same. Zero Trust has reached buzzword status in the security industry, and rightfully so as threats continue to become more and more sophisticated. But, unfortunately, many vendors that claim to provide Zero Trust solutions fall short of addressing all critical components. It’s most noticeable in the mobility space where almost every vendor protects right up until a device is rooted or jailbroken – then you are on your own. You can’t be “Zero Trust” if your security platform has that big of a caveat.
The advancement of threats to mobile devices has far outpaced the abilities of traditional MDM/UEM solutions while Mobile Threat Defense solutions are only as good as the most recent threat they have detected. The primary purpose of a Zero Trust framework is to protect against all threats—known and unknown—and against those that will come tomorrow, or next month or next year. And, with employees empowered to conduct work from wherever they are, via fully remote or hybrid work policies through the use of powerful mobile devices, enterprise data is flowing more freely out of the secure perimeter of corporate or government networks and devices. As enterprise mobility increases, so does the need for more robust mobile security practices. This is where Zero Trust architecture is a necessity.
Why Zero Trust?
Cybercriminals are crafty. They research their targets and conduct reconnaissance. They craft advanced, socially engineered campaigns that will fool the most security-conscious individuals. Sometimes they even fool security technologies! These bad actors know who you are communicating with on a regular basis, what you are communicating about, and the type of language both parties use. They can disguise themselves as legitimate applications and trusted personas. Not to mention, many of today’s mobile threats are hidden “Zero Day” attacks, meaning the user has no idea they have been hacked in the first place.
To that end, the federal government has already taken steps in the right direction. All federal agencies are being called on to modernize their cybersecurity approaches to implement Zero Trust via an executive order from the White House. CISA has also released guidance on Applying Zero Trust Principles to Enterprise Mobility. It’s only a matter of time until we see this reverberate across all private and public sector organizations. With these considerations in mind, let’s examine how many Zero Trust architectures are built and how they can be adjusted to adequately address enterprise mobility.
How to successfully implement Zero Trust
Don’t be fooled by the bright, flashy advertisements. Many vendors in the mobility space now advertise their technology as a “Zero Trust” solution, but what you don’t see is the teeny, tiny asterisk that follows: doesn’t apply to rooted or jailbroken devices. This is problematic for several reasons. For starters, most of the new and modern types of attacks, such as Predator, Pegasus and others, do just that: root and/or jailbreak the device without the user ever knowing it happened. Once that is done, the malware gets access to the crypto keys on the device, and it then has access to anything it’s looking for. And, as we mentioned earlier, more and more data is being accessed, stored, and transmitted on mobile devices at a consistently growing rate. There is no way we can avoid that. If you tried, you’d be severely limiting your employees’ productivity and ability to get the job done. Additionally, Zero Trust is not about securing devices; it’s about securing data. The idea behind Zero Trust is safeguarding data wherever it lives and travels to, whether on a corporate-owned device, a Bring Your Own Device (BYOD) device, a laptop, or a mobile device. Zero Trust principles are centered solely around the data.
Now that we’ve got that squared away, how can you ensure your Zero Trust strategy encompasses all aspects of enterprise mobility, most importantly when devices are manipulated to the point where the native OS or device security provisions are rendered useless? Non-persistent jailbreak attacks such as Predator and Pegasus, along with man-in-the-middle attacks, SSL stripping and other types of attacks, are too advanced for MDM-based solutions to handle. After all, MDM was built as a management tool, not for security. The best approach is to treat mobile devices as a corporate endpoint. Isolate and encrypt data being stored and accessed on mobile devices. A containerization approach works best here, as it acts like a secure vault that stores corporate applications and data, with the most advanced of the containerization solutions also protecting against rooted and jailbroken devices. Most importantly, ensure your mobile security solution does not rely on the device “key store” and takes additional measures to protect its crypto keys. Additionally, make sure you are also leveraging all critical components of mobile security, including mobile threat defense and mobile device management, to protect the user and device as well. These methodologies are not à la carte options; they are critical for secure enterprise mobility and Zero Trust. On their own, they are incomplete and vulnerable to numerous types of advanced threats. When used together, however, “Zero Trust” is truly attainable.
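The paragraph above argues that a Zero Trust access decision for a mobile endpoint has to combine signals from the secure container, mobile threat defense and MDM, and must not stop working once a device is rooted or jailbroken. The following policy evaluator is an added illustration of that decision logic; it is not code from the article or from any vendor product. The posture field names, the five-minute freshness window and the "low"/"high" sensitivity tiers are assumptions made for the example, and the posture reports at the bottom are constructed sample input.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


# Hypothetical posture report. The field names are assumptions for this
# example, not the API of a real MDM, MTD or container product.
@dataclass
class DevicePosture:
    device_id: str
    rooted_or_jailbroken: Optional[bool]  # None = no root/jailbreak verdict available
    mdm_enrolled: bool                    # device managed by MDM/UEM
    mtd_clean: Optional[bool]             # None = threat-defense agent not reporting
    container_intact: bool                # secure container passed its own integrity check
    posture_age_s: int                    # seconds since this evidence was produced


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # grant only after additional authentication
    DENY = "deny"


MAX_POSTURE_AGE_S = 300  # assumed freshness window for posture evidence


def evaluate(posture: DevicePosture, sensitivity: str) -> Tuple[Decision, List[str]]:
    """Decide one data-access request from a mobile endpoint.

    Evaluated per request, never cached: a device that was clean an hour ago
    is not assumed to be clean now. Missing evidence is treated as untrusted,
    because the absence of a "device is clean" signal is not a clean signal.
    """
    caveats: List[str] = []

    # Hard denials first. MDM enrollment does not rescue a rooted device:
    # the container's data must stay sealed regardless of management state.
    if posture.posture_age_s > MAX_POSTURE_AGE_S:
        return Decision.DENY, ["posture evidence is stale"]
    if posture.rooted_or_jailbroken is None:
        return Decision.DENY, ["no root/jailbreak verdict available"]
    if posture.rooted_or_jailbroken:
        return Decision.DENY, ["device is rooted or jailbroken"]
    if not posture.container_intact:
        return Decision.DENY, ["secure container failed integrity check"]
    if posture.mtd_clean is False:
        return Decision.DENY, ["mobile threat defense reports an active threat"]

    # Soft signals: missing coverage lowers confidence without denying outright.
    if posture.mtd_clean is None:
        caveats.append("mobile threat defense not reporting")
    if not posture.mdm_enrolled:
        caveats.append("device not MDM-enrolled")

    if caveats and sensitivity == "high":
        return Decision.STEP_UP, caveats
    return Decision.ALLOW, caveats or ["all posture checks passed"]


# Constructed sample posture reports (not real devices).
SAMPLE_POSTURES = {
    "clean": DevicePosture("dev-1", False, True, True, True, 30),
    "rooted_but_enrolled": DevicePosture("dev-2", True, True, True, True, 30),
    "no_verdict": DevicePosture("dev-3", None, True, True, True, 30),
    "byod_no_mtd": DevicePosture("dev-4", False, False, None, True, 30),
    "stale": DevicePosture("dev-5", False, True, True, True, 3600),
}


def decide(name: str, sensitivity: str) -> Decision:
    """Convenience wrapper returning only the decision for a named sample."""
    return evaluate(SAMPLE_POSTURES[name], sensitivity)[0]


if __name__ == "__main__":
    for name, posture in SAMPLE_POSTURES.items():
        for tier in ("low", "high"):
            decision, reasons = evaluate(posture, tier)
            print(f"{name:20s} {tier:4s} -> {decision.value:8s} {'; '.join(reasons)}")
```

The ordering matters: root/jailbreak status, container integrity and an active MTD verdict are evaluated before enrollment, so a managed device that has been compromised is denied rather than waved through on the strength of its MDM record. The `byod_no_mtd` sample shows the other side of the same principle: missing coverage is not fatal for low-sensitivity data but forces step-up authentication for high-sensitivity data.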
Building out a Zero Trust strategy takes some due diligence and research. Determine where your organization’s data lives and how your employees are accessing it. Leverage the appropriate technologies necessary to secure the data within these ecosystems and devices. Don’t cut corners and hope for the best; it often won’t work in your favor. And remember, enterprise mobility is only going to increase from here, and you have more data residing on employees’ devices than you may realize.