5 Principles to Achieve Zero Trust for the Workforce - Gain Visibility Into Devices (Part 2)
Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Last week we explored how to establish user trust. Today we explore the second principle in this five-part blog series — how to gain visibility into devices.
Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first through multi-factor authentication. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network. As we learned in the last post, the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device across the network.
The first principle of zero trust is to establish user trust, which identifies the user is who they say they are. The second principle of zero trust is to gain visibility into all of the devices and endpoints that have access to your environment.
The History of Endpoint Security
The first ideations of “malicious software” dates back to early computing in 1949 with John Von Neumann’s research “Theory of Self-Reproducing Automats” – long before mass computer adoption was a thing. In 1983, Fred Clone, a leader of antivirus software, introduced the term “computer virus” (a parasitic application that seized control of computer operations) in his student research paper "Computer Viruses – Theory and Experiments" while studying engineering at the University of Southern California.
Computer viruses initially spread through removable media until the 1990’s when macro viruses infected Microsoft software. By the 2000’s computer viruses were transmitted over the internet and through email — and expanded into worms (Melissa and I Love You) and trojan horses that rapidly proliferated to corporations and institutions throughout the world.
Email has always been an easy target to permeate malicious code by hiding it in memory or files within the endpoints. The first mass attempt at endpoint security was in the antivirus era, along with the VPN, and a moat of protection called the firewall perimeter. But not for long.
Antivirus security companies faced a backlash in the mid-aughts when their signature-based technology failed to keep up with progressive malware due to a lack of timely critical updates. In 2014, Symantec’s Brian Dye declared antivirus software was dead in an interview with The Wall Street Journal while introducing new approaches to preventing the spread of malware that included new tools to protect against phishing, spam attacks, and malicious websites.
Statistics released in “2018 State of Endpoint Security Risk” by the Poeman Institute state:
74% of compromised organizations report the attack was a new or unknown zero-day attack
64% say their organizations were compromised in 2018 with one or more endpoint attack(s) that successfully compromised data assets or IT infrastructure
Antivirus missed an average 57% of the attacks
Organizations report the average time to patch is 102 days.
Only 46% organizations that do adopt features and functionality to detect and block early signs of an attack use all the features and full functionality because of long deploy times
The Zero-Trust Era: A Multi-Layered Approach to Endpoint Security
As endpoints continued to grow with the rise of mobile devices and the remote workforce, the perimeter was no longer contained to the internal firewall. More computing shifted to the cloud. By 2009, zero-day hacks had infiltrated the most secure brands, institutions and government departments. Infiltration of systems through stolen or compromised credentials through email phishing was easy and rampant — and still is today. Gaining visibility into all devices and endpoints connecting to the corporate environment is a critical component to adopting a zero-trust.
THE NEW PERIMETER
The new perimeter is more of a micro-perimeter.
STEP 2 - GAIN DEVICE INSIGHT TO SECURE THE WORKFORCE
Cisco defines the journey to zero trust as three key areas: the workforce, the workload and the workplace. Gartner and Forrester Research are leading the industry in education of the importance of taking a zero-trust stance to security through microsegmenation, which starts by securing the workforce and having insight into devices.
"Okay, if we were to try and fix this from the start, where would we start? We'd obviously start around taking care of the largest swath and compromise areas, which would probably start with users. Followed closely by devices. Because if we can take care of those two pieces, we can actually gain some ground and work our way going forward.”
— Dr. Chase Cunningham Principal Forrester Analyst, 2019 RSA Conference
How can I see the endpoints connecting to my environment?
Do you have visibility across every type of end user device – mobile, desktop and laptop?
Can you easily get an overview of your users, endpoints and authentication activity?
Is there one tool that centralizes authentication and endpoint data across different device platforms?
According to Duo’s “2018 Trusted Access Report” more and more environments have no clear insight into the devices connecting to their environment. Thanks to the demand and savings incentives around personal devices (BYOD), many companies have a large number of shadow devices connected to their systems that they are not aware of. Or alternatively, they have to rely on multiple vendors to get information about those devices. But there is a zero-trust solution that solves all of these issues and shines light on all endpoints.
Companies want to gain visibility into personal and corporate-owned devices, including mobile devices. Because BYOD devices may not meet security requirements or may be running older software versions prone to vulnerabilities, which are easy targets. Being able to see and flag devices without outdated software is critical.
Avoid surprises with easy peasy device visibility
Today threats come from anywhere and everywhere; attackers use ever-more sophisticated technologies such as hiding in encrypted traffic to evade detection. Visibility into devices can stop them in their tracks, aids in detection and response, and raises awareness of risk exposure. Getting a clear view of devices can reduce the threat of compromised credentials and devices caused by phishing, malware and other vectors – and helps to meet data regulatory compliance requirements for access security.
Gaining device visibility is easy to access, simple to use and effective for users and admins, whether you are small company or a global corporation, with Duo's multi-factor authentication.
ENDPOINT VISIBILITY BASED ON ZERO TRUST
So long, farewell mobile device management (MDM). Duo gives you data on who’s accessing what company applications, where and under what conditions– without requiring any agents on your users’ devices.
Get Remote Access Without VPN
Now you can support BYOD and mobile without being tethered to the VPN. Identify both corporate IT-managed and personally-owned devices with Duo’s Trusted Endpoints. Use existing device management infrastructure to establish and enforce device trust with Duo’s integrations with Active Directory, AirWatch, Google, Jamf, Landesk, MobileIron and Sophos without the need to deploy and manage a complex PKI certificate infrastructure.
See Every Device on Every Platform
Duo’s Unified Endpoint Visibility gives you actionable data on operating system, platform, browser and plugin versions, including passcode, screen lock, full disk encryption and rooted/jailbroken status. Easily search, filter and export a list of devices by OS, browser and plugin - refine searches to find out who’s susceptible to the latest iOS or Android vulnerability.
One View to Rule Them All on a Centralized Dashboard
See risks, and flag them. Duo’s detailed reports give admins data on user behavior and risky devices, as well as user, admin and telephony data – all easily integratable with existing security information and event management (SIEM) systems.
“With Duo’s platform, we were able to instantly get visibility into all devices accessing our network and quickly deploy access policies to shore in these devices. Duo helped us increase our security and was easy to deploy - period.”
—Chad Spiers, Director of Information Security, Sentara Healthcare
Have Peace of Mind – Get Transparent Device Insight
Using Duo’s Unified Endpoint Visibility with multi-factor authentication you will:
See all end user devices, including BYOD and shadow devices
See who is using these devices
See if the devices are managed or unmanaged
See the security posture of the devices
See what apps the devices are accessing
Meet government compliance regulations for NIST and DHS
Duo’s Approach to Zero-Trust Security Is Different in Four Ways:
Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
Integrates With All Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far fewer resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.
Last week we covered the first principle to implementing a zero-trust framework; how to establish user trust. Gaining device visibility is the second principle to adopting zero-trust. In next week’s blog we will review the third principle to achieving zero trust: how to establish device trust.
Zero Trust Evaluation Guide: Securing the Modern Workforce
We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.Download Guide