Device trust is the process of analyzing whether a device should be trusted, and therefore whether it is authorized to do something.
It’s critical that the devices accessing company data are trustworthy, and determining which devices should be trusted is a unique decision made by each organization, depending on their risk tolerance and compliance requirements.
Where There’s a BIG Blind Spot
There’s added complexity due to the fact that more and more sensitive, confidential information and important intellectual property now resides in software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). These services are great because they’re turn-on-and-go, they’re scalable, and they're easily accessible. The bad news is that they’re easily accessible...from any web browser, from any device!
Security teams spend a lot of energy and resources locking down company-issued machines because the workforce has access to important data, and it’s important to stop attackers from getting a foothold, installing malware on the endpoint, and then gaining access to company data.
If SaaS apps can be accessed from any web browser, on any device, what’s stopping employees, contractors, or partners from accessing company data from unmanaged, insecure personal machines, or worse?
We often hear from CISOs that they have proof that their employees are accessing sensitive company data on insecure personal machines and that they’re powerless to stop it. It’s too easy for system admins to access critical infrastructure, or for software engineers to access and commit code to GitHub from a personal machine, undetected and unmonitored. CISOs we’ve spoken to have asked these employees to stop, but they’re unable to check whether employees are complying with this security measure.
Not all devices that the workforce uses are company-issued, and not all devices can be managed. It’s the perfect storm, and unmanaged devices are a huge blind spot.
The accessibility of company data in the cloud that can be moved onto personal machines opens up organizations to a lot of risk. Unmanaged personal machines could already be compromised and become an attack vector to company data and resources. This is a risk that a lot of CISOs have had to live with, but it’s less than ideal.
In fact, most employees (especially temporary workers, third-party contractors, and partners) don’t want their personal devices to be managed at all. Most organizations do not want to purchase and issue phones for employees, as this can become quite expensive. So, instead, employers have to accommodate employees who are using their personal phones. Most employees don’t want their employer to be able to see or accidentally wipe their personal phone; they’re worried about their employer infringing on their privacy.
How to Verify and Trust (Some) Devices
Device trust has fundamentally changed—it’s no longer simply a binary question asking if this device is managed or not. Instead, it requires security teams to establish whether each endpoint is trustworthy enough, right now. Managing the risks of unmanaged devices isn’t new; it’s just becoming more prevalent and important.
In device trust, the first step is to verify the user behind the device, and the second step is to establish if the device is secure before allowing access.
Step 1: Verify the user behind the device
Managed devices are registered with a user. Unmanaged devices are a black box. They’re not registered, and it’s difficult to know whose device it is. With unmanaged devices, it’s a free-for-all.
The only way to validate a user behind an unmanaged device is to attach some type of identification to that device, and to store it in a safe, impermeable way. That way these registered devices that are tied to a known identity can be picked out from the rest of the bunch, separating the dogs from the wolves—the authorized users from the attackers exhibiting suspicious behavior.
Step 2: Find out if the device is secure
In the past, checking the security posture of a device was typically a basic, binary check of whether the device was managed or not. However, just because a device is managed doesn't mean the device is still securely configured or that the security software is running properly on the device as expected. Mistakes happen (oops). Because things can and do change, the security posture of a device is only valid for a given point in time. Security settings can change, software can break or be uninstalled, etc.
Devices need to be checked continuously to confirm they are still secure. Device security checks could include:
- Is the expected security software installed and running on the device (EDR, MDM, etc.)?
- Is the local firewall enabled?
- Is this device protected by a biometric?
- Is this device encrypted?
- Is Gatekeeper enabled?
These are just a few of the questions security teams might want to answer to help them understand if the device is secure. These checks are crucial across all machines accessing company resources, whether the device is managed or unmanaged. The only way to get the whole picture is to conduct these checks automatically, at scale, on every device, continuously over time.
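The following is an added example, not code from the original post: a small policy evaluator that turns the posture questions above into an access decision, treating a posture report as valid only for a short window so that a stale report forces re-collection. It assumes the output formats of the macOS commands named in the comments (`spctl --status`, `fdesetup status`, `socketfilterfw --getglobalstate`) and uses a placeholder EDR process name.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Parsers for the raw output of the macOS commands a posture agent would run.
# Assumed output formats (not taken from the post): "assessments enabled",
# "FileVault is On.", "Firewall is enabled. (State = 1)".
#   gatekeeper      : spctl --status
#   disk_encryption : fdesetup status
#   firewall        : /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
#   edr_running     : ps -axo comm   (EDR_PROCESS is a placeholder name)
EDR_PROCESS = "example-edr-agent"
CHECK_PARSERS = {
    "gatekeeper": lambda out: out.strip() == "assessments enabled",
    "disk_encryption": lambda out: out.strip().startswith("FileVault is On"),
    "firewall": lambda out: "Firewall is enabled" in out,
    "edr_running": lambda out: EDR_PROCESS in out.split(),
}
MAX_AGE = timedelta(minutes=15)  # posture is only valid for a point in time

@dataclass
class PostureReport:
    device_id: str
    bound_user: Optional[str]   # identity registered to the device (step 1)
    collected_at: datetime
    raw: dict                   # check name -> raw command output

def evaluate(report, now, required=tuple(CHECK_PARSERS)):
    """Return (allowed, reasons) for an access decision made at time `now`."""
    reasons = []
    if report.bound_user is None:
        reasons.append("device not bound to a known user")
    if now - report.collected_at > MAX_AGE:
        reasons.append("posture report is stale; re-collect before access")
    for name in required:
        out = report.raw.get(name)
        if out is None:
            reasons.append(f"{name}: not collected")
        elif not CHECK_PARSERS[name](out):
            reasons.append(f"{name}: check failed")
    return (not reasons, reasons)

def run_samples():
    """Evaluate two constructed reports; returns {device_id: (allowed, reasons)}."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    healthy = {"gatekeeper": "assessments enabled\n", "disk_encryption": "FileVault is On.\n",
               "firewall": "Firewall is enabled. (State = 1)\n",
               "edr_running": "launchd\n" + EDR_PROCESS + "\nFinder\n"}
    good = PostureReport("mac-001", "alice", now - timedelta(minutes=5), healthy)
    bad = PostureReport("mac-002", None, now - timedelta(hours=2),
                        {**healthy, "firewall": "Firewall is disabled. (State = 0)\n"})
    return {r.device_id: evaluate(r, now) for r in (good, bad)}
```

The second constructed device fails on three independent grounds (no bound identity, stale report, firewall off), which is the kind of reason list an access log should carry so the denial can be explained and fixed.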
Device Trust Is a Building Block to Strong Access Controls
Device trust has become a crucial component for controlling access to important data and resources, with both security and compliance implications. Device trust enables security teams to be more confident that ALL devices (managed and unmanaged) meet their security requirements before authenticating, and therefore helps protect sensitive company data from risk.