Missing Link in a ‘Zero Trust’ Security Model—The Device You’re Connecting With!

Like it or not, 2020 was the year that proved that teams could work from literally anywhere.

While terms like “flex work” and “WFH” were thrown around before COVID-19 came around, thanks to the pandemic, remote working has become the de facto way people work nowadays. Today, digital-based work interactions take the place of in-person ones with near-seamless fluidity, and the best part is that going remote helps companies save money in these lean, bootstrapped times.

But while the ability to work from anywhere has truly been essential to keeping businesses and the economy functional, it has opened up new challenges that need to be addressed.

Your Devices Are Your Weakest Link

With nearly two-thirds of employees still working remotely to some degree, the boundaries that once separated work and home have been completely washed away. A major ramification of this shift has been an increase in the volume of corporate and non-corporate devices connecting remotely to sensitive data and applications. And in the mad rush to get employees set up and running, the vast majority of these devices were not outfitted with the same security measures as their office-based counterparts.

The reality is that the device almost always goes overlooked—and in many ways, it has become the weakest and most vulnerable link in IT security. What’s ironic is that most organizations really do want to keep their users and data secure, despite distances.

They make sure that all users are authenticated, their network is encrypted, and the SaaS applications are secured—but what about the device you are connecting from? Your laptop or desktop that is connecting to all your work applications and sensitive data?

To be perfectly accurate, the issue of vulnerable devices has been around a lot longer than the pandemic has; security experts and IT teams have been railing against the usage of unsanctioned, unapproved devices for years. And even when the world fully reopens, the definition of “normal” will have expanded to include IT environments where employees can choose to work from everywhere.

Achieving Zero Trust Access Security

In 2011, Jon Kindervag from Forrester coined the term zero trust. It took a while for the term to gain traction—but fast forward to 2018, and the term was everywhere. By now, it has become a commonly used (if not overused!) term, which refers to taking a departure from outdated, perimeter-based security approaches that assume that everything on the inside of your network is safe. Instead, a zero-trust approach requires every person and every connection to be verified before being granted access.

Today, organizations use lots of methods to try to establish a zero-trust architecture: multi-factor authentication (MFA) to protect and fortify passwords; Single Sign-On (SSO) to streamline and simplify the sign-on process; identity access management (IAM) tools to provision access to the right users, et cetera. These tools are super important to establish a secure baseline and go a long way to establishing a “never trust, always verify” architecture.

Fixing The Weakest Link

But the reality is that as important as these methodologies are, they don’t cover the full potential attack surface—the areas they fail to account for can leave easily accessible paths through which attackers can infiltrate.

While working together at Palo Alto Networks around 2015, after the acquisition of a leading endpoint security company, the team behind Infinipoint—a company that offers a real-time IT security asset management platform—began to see that, as crucial as these tools are to establishing zero trust, they leave out a key element: they neither address the security of the device itself nor establish trust in it.

The team at Infinipoint understood that to achieve a true zero trust architecture, organizations need a solution that addresses the missing link—the devices users connect with—and:

  • Acts as a single enforcement point for every enterprise service;
  • Enables controlled access, based on the user-device-service combination;
  • Applies real-world risk intelligence to enforce static, dynamic, and risk-based policies;
  • Remediates those risks with one click of a button.

We call this solution DIaaS – Device-Identity-as-a-Service, a comprehensive device identity and posture solution, which is part of the Single-Sign-On authentication process. DIaaS is the optimal way to prevent devices from putting your organization at risk. With no apparent impact on the user experience, it improves security and productivity while supporting every identity provider and business service.
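As an added illustration (not Infinipoint’s code or the DIaaS product logic), here is a minimal device-aware access decision in Python that evaluates the user-device-service combination against the three policy kinds named above: a static rule (managed devices only for a given service), a risk-based threshold computed from device posture, and a dynamic step-up rule, returning the remediations a user would need to apply before access is granted. The posture checks, risk weights, thresholds, and sample devices and services are assumed values constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool          # enrolled in corporate device management
    disk_encrypted: bool
    edr_running: bool      # endpoint protection agent active
    days_since_patch: int

@dataclass(frozen=True)
class Service:
    name: str
    sensitivity: str       # "low" or "high"
    require_managed: bool  # static policy: managed devices only
    max_risk: int          # risk-based policy: deny above this score

# Posture checks: (risk weight, remediation shown to the user, failing condition)
CHECKS = (
    (40, "enable full-disk encryption", lambda d: not d.disk_encrypted),
    (30, "start the endpoint protection agent", lambda d: not d.edr_running),
    (20, "install pending OS updates", lambda d: d.days_since_patch > 30),
    (10, "enroll the device in management", lambda d: not d.managed),
)

def score_risk(d: Device) -> tuple:
    """Turn device posture into a risk score plus the fixes that would lower it."""
    hits = [(w, fix) for w, fix, failing in CHECKS if failing(d)]
    return sum(w for w, _ in hits), tuple(fix for _, fix in hits)

def decide(user_role: str, d: Device, s: Service) -> tuple:
    """Single enforcement point: one (action, risk, remediations) per user-device-service triple."""
    risk, fixes = score_risk(d)
    if s.require_managed and not d.managed:   # static policy
        return "deny", risk, fixes
    if risk > s.max_risk:                     # risk-based policy
        return "deny", risk, fixes
    # dynamic policy: high-sensitivity services need step-up auth when the
    # device has any open finding or the user is not a regular employee
    if s.sensitivity == "high" and (fixes or user_role != "employee"):
        return "step_up", risk, fixes
    return "allow", risk, fixes

# Constructed sample inputs (not real devices or services)
LAPTOP_OK = Device("lt-001", True, True, True, 5)
LAPTOP_STALE = Device("lt-002", True, True, True, 45)
BYOD = Device("byod-9", False, False, False, 0)
WIKI = Service("wiki", "low", False, 60)
PAYROLL = Service("payroll", "high", True, 30)
```

The remediation tuple is what a "one click" fix flow would act on: the decision and the list of findings are produced together, so the user sees why access was limited and what restores it.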

DIaaS helps protect devices from being compromised and keeps legitimate business users safe from their own less-than-optimal security practices. With an advanced and dynamic access management solution like DIaaS, organizations can get full visibility and real-time access control across tens of thousands of IT assets, eliminating configuration risks and vulnerabilities within seconds.

This is incredibly important in the distributed workforce environment since it uncovers and proactively fixes security risks in a productive way. Organizations can now discover, manage, and secure IT assets across their enterprise for employees, contractors, and anyone else accessing their data and services.

Conclusion

DIaaS (Device-Identity-as-a-Service) is the key to getting device context awareness on Single Sign-On login, across every service, in today’s fragmented work environment. Our goal is to help organizations take a truly holistic approach to the zero trust security model and lock down one of the most troublesome sources of security insufficiencies. To find out more, get in touch with us today.