Let It Be: Finding a Collaborative Security Model
Many organizational trust permissions and access assumptions have been built on the tradition of enterprises buying, issuing, and managing the devices that access their applications. The bring your own device (BYOD) trend blew the assumption that an MDM would be able to manage outside devices and enable trust. Due to third-party partnerships with outside vendors and contractors, BYOD has not worked well for years. Your vendor consultant isn’t going to let you manage her laptop, nor is your external auditor. Even in the case where you have a direct hire, that person may be working for multiple organizations, and if each of them wants to use a device management agent, the ensuing endpoint battle won’t be pretty.
Believe it or not, the “zero trust” model can help you get along better with your users, customers, and partners.
Here are some examples of how the collaborative model works:
- Rather than managing the endpoint directly, you read the security state. A read-only health check is often more palatable to users than a management agent on a personal device.
- Instead of making configuration changes, you can specify what configuration policies the device needs to meet in order to be granted access and let the user choose whether to make those changes. (Can we all at least agree that the device shouldn’t be jailbroken or rooted? It’s a bare minimum to start with.)
- You can specify a grace period in which the user must bring the device into alignment with those policies, and the user can determine when to make the changes. For example, you might give a user a week to update to the latest software version before access is denied. This allows the user to do the updates at the least disruptive point in the workflow.
If you operate from a position of “zero trust” and make no trust assumptions, you can pull back your policy enforcement to your own infrastructure resources (networks, systems, and applications). At that point, if someone and something wants access, you can check the security state of the endpoint being used and either allow access or request remediation first.
You can state the equivalent of, “Look, do what you want on your own time. But if you want access to our ERP system, you have to use a corporate-issued endpoint. And it has to be up to date on its software, use a lockscreen, and it can’t be jailbroken."
The users can remediate any security issues on their own schedule, not have a Patch Tuesday imposed on them when it interrupts their workflow.
This collaborative model is already in place in environments such as higher education. Schools can’t control what endpoints the students bring onto campus, or even what devices departments purchase with their grant money. The culture of academic freedom also plays a big role, so anything that hinders access, sharing,and exploration creates conflict.
In healthcare, security teams have to negotiate with doctors who bring in their own personal devices and insist on frictionless access, patient safety (compliance) and access to resources at all times. Security in healthcare can get tossed by the wayside any time it creates a barrier to entry.
Changing Times for the Security Model
The traditional security model — where enterprises issue every device and manage its security — is coming to an end. It never worked with third-parties and customers anyway (you can’t dictate what they use); and it is increasingly difficult to use with employees who are used to their own personal consumerized IT experience.
The flexibility of “zero trust” is that it checks endpoint security at the appropriate time, and never assumes it’s already there. Not only can you enforce your own security policies, but you’ll benefit from any other similar enforcement in a given user’s ecosystem, since they’ll have to comply with the most stringent policies for any resource they access.
As the saying goes — "a rising tide lifts all boats." Ironically enough, by verifying before trusting, you can improve security and build a better collaborative and trusting relationship with your users at the same time.