Back Again: The Mobile Endpoint Is Now the Policy Enforcement Point in the Everywhere Workplace!
Several years back, before the COVID-19 pandemic hit and the work-from-home shift took hold, we wrote a blog about how a mobile-centric zero trust framework moves away from relying on the traditional perimeter security controls that protected the corporate network and all connected endpoints from cybercriminals. In short, legacy security appliances (network firewalls, some with malware-scanning gateways; intrusion detection and prevention systems (IDS and IPS); and VPN concentrators) were the policy enforcement points (PEPs): the gatekeepers that enforced security controls on network traffic to corporate resources, keeping the cybercriminals outside and letting the good guys inside the virtual castle walls and moat.
With the massive proliferation of the always-connected mobile devices that we use for both work and play at home, at the hotel or airport, or at the local coffee shop, the zero trust security framework keeps evolving to counter the constant barrage of sophisticated mobile threats that try to steal our critical personal and work data: social engineering tactics like phishing, along with malware and ransomware attacks. Zero trust assumes that traditional perimeter security controls like your company’s firewall or your home router will not, on their own, keep a nation-state funded advanced persistent threat (APT) from breaching your defenses.
Ivanti considers the mobile device that you carry with you constantly, and the remote-work laptop or desktop at your home, to be the new policy enforcement points for access to corporate resources in the cloud, in the data center, or on-premises at company headquarters. Before the device connects to those resources, Ivanti’s unified endpoint management (UEM) platform checks device health, such as whether the device is rooted or jailbroken. UEM also checks device posture compliance (hardware, OS version, and security update state) before it provisions work apps and content, email settings, and Wi-Fi and VPN connection profiles onto the device, laptop, or desktop.

Additionally, Ivanti’s Mobile Threat Defense (MTD) detects and automatically remediates security threats at the app, device and network levels, and blocks the more than 5,000 malicious phishing websites that are spun up every day. Because our machine learning (ML) threat detection engine resides on the device and is assisted by our cloud-based engine, UEM and MTD have a much better chance of detecting and mitigating most of today’s security threats, shrinking the attack surface at the earliest stage of an exploit.

All device settings and app policies can be provisioned before the user and device are conditionally granted least-privilege access to the corporate network through our VPN solutions: MobileIron Tunnel, Pulse Connect Secure or Pulse Zero Trust Access. The device is then continuously scanned for security threats and compliance for as long as the user and device are connected to the corporate network. Ivanti Neurons can then discover all network-connected endpoints and enforce automated security patch updates to the OS and installed apps on these managed mobile devices, laptops and desktops.
Without Ivanti Neurons, UEM, MTD, and Zero Sign-On (ZSO) deployed at your company, a mobile device infected with malware or an exploit kit might be allowed to connect through a network-based policy enforcement point such as a firewall, secure web gateway (SWG), cloud access security broker (CASB), or VPN concentrator, even one with an inline malware gateway, before any detection and mitigation takes place. By then, other network-connected endpoints can also be infected, making threat mitigation and remediation difficult and very costly.
The sad reality is that cybercriminals have to be right only once to penetrate your security defenses, while the company’s CISO and security architect have to be right 100% of the time to get a good night’s sleep! Even if a morphing phishing attack circumvents safe-browsing and DNS filters, including MTD’s anti-phishing protections, MTD can still detect host-based artifacts and indicators of compromise (IoC) by continually scanning for malicious apps, exploit kit code, and scripts living on the device, before they escalate into a device-level privilege escalation or lateral movement onto other connected endpoints as the intrusion moves up the cyber kill chain toward an advanced persistent threat, including a ransomware attack.
MobileIron ZSO together with FIDO2 passwordless deployments makes up a strong multi-factor authentication (MFA) policy for access to network and work resources, and also helps fight phishing exploits, including QRLjacking and pharming, as well as man-in-the-middle (MiTM) and push-notification attacks. FIDO2 resists phishing because the authenticator scopes each credential to the relying party’s origin, so a look-alike site cannot obtain an assertion that the real site will accept.
For employee-owned and BYOD deployments, a separate work partition (Android Enterprise work profile or Apple User Enrollment) can be remotely provisioned onto the device. The partition is treated almost as a separate device, keeping personal and work content isolated and preserving user security and privacy. It holds all the necessary work apps and content, including the Wi-Fi and VPN credentials and connection profiles the user needs to securely connect to work resources from home in the Everywhere Workplace we live in today. MTD and ZSO can also be provisioned automatically to further protect the user’s mobile device.
MobileIron Tunnel and Pulse Connect Secure both provide a per-app VPN that supports the Zero Trust Network Access (ZTNA) micro-segmentation requirement. Both solutions allow only the sanctioned app and its content to traverse the encrypted connection over the internet to the MobileIron Sentry and/or Access gateway, or the Pulse Connect Secure intelligent gateway, to reach on-premises, data center or cloud-based work resources. The respective gateway checks with the UEM system and grants conditional access so that only the trusted user, their device, source IP address, and sanctioned app are allowed to access corporate data. These conditional access rules apply not only to traditional client-to-server (north-south) traffic but also to on-premises or data-center (east-west) traffic, with continuous adaptive authentication and authorization controls.
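The posture check that runs before provisioning (rooted or jailbroken state, OS version, security update age, threat-defense agent) and the gateway's conditional-access rule over user, device, source IP address and sanctioned app, as an added illustrative example in Python. This is not Ivanti UEM, MTD or gateway code; the field names, policy thresholds, addresses and app identifiers are constructed assumptions for the example.

```python
# Illustrative posture-based conditional access check. Added example; this is
# not Ivanti UEM/MTD code, and every field name, threshold and identifier below
# is an assumption constructed for the demonstration.
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


def parse_version(text: str) -> tuple:
    """'16.4.1' -> (16, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    platform: str                 # "ios" or "android" in this example
    os_version: str
    rooted_or_jailbroken: bool
    last_security_update: date    # date of the newest installed security patch
    mtd_active: bool              # threat-defense agent installed and reporting


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: DevicePosture
    source_ip: str
    app_id: str                   # app making the request (per-app VPN)
    resource: str                 # corporate resource being accessed


@dataclass(frozen=True)
class Policy:
    min_os_version: dict          # platform -> minimum version string
    max_patch_age_days: int
    sanctioned_apps: dict         # resource -> set of app ids allowed to reach it
    allowed_networks: tuple       # ip_network objects the gateway accepts


def posture_violations(dev: DevicePosture, policy: Policy, today: date) -> list:
    """Device-health and compliance checks run before anything is provisioned."""
    reasons = []
    if dev.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    minimum = policy.min_os_version.get(dev.platform)
    if minimum is None:
        reasons.append(f"platform {dev.platform!r} is not supported by policy")
    elif parse_version(dev.os_version) < parse_version(minimum):
        reasons.append(f"OS {dev.os_version} is below minimum {minimum}")
    age = (today - dev.last_security_update).days
    if age > policy.max_patch_age_days:
        reasons.append(f"security patch is {age} days old (max {policy.max_patch_age_days})")
    if not dev.mtd_active:
        reasons.append("threat-defense agent is not active")
    return reasons


def evaluate_access(req: AccessRequest, policy: Policy, today: date) -> tuple:
    """Gateway decision: (allowed, reasons). Every rule is evaluated so a denial
    lists all failures rather than only the first one, which helps remediation."""
    reasons = posture_violations(req.device, policy, today)
    src = ip_address(req.source_ip)
    if not any(src in net for net in policy.allowed_networks):
        reasons.append(f"source {req.source_ip} is outside the allowed networks")
    if req.app_id not in policy.sanctioned_apps.get(req.resource, set()):
        reasons.append(f"app {req.app_id!r} is not sanctioned for {req.resource!r}")
    return (not reasons, reasons)


# Constructed sample policy and posture records (not real data).
TODAY = date(2024, 6, 1)
POLICY = Policy(
    min_os_version={"ios": "17.4", "android": "14"},
    max_patch_age_days=30,
    sanctioned_apps={"intranet": {"com.example.browser"}, "crm": {"com.example.crm"}},
    allowed_networks=(ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")),
)
COMPLIANT = DevicePosture("dev-001", "ios", "17.5", False, date(2024, 5, 20), True)
JAILBROKEN = DevicePosture("dev-002", "ios", "17.5", True, date(2024, 5, 20), True)
STALE_ANDROID = DevicePosture("dev-003", "android", "13", False, date(2024, 3, 1), False)

ALLOWED_REQUEST = AccessRequest("alice", COMPLIANT, "203.0.113.10", "com.example.browser", "intranet")
JAILBROKEN_REQUEST = AccessRequest("bob", JAILBROKEN, "203.0.113.11", "com.example.browser", "intranet")
UNSANCTIONED_REQUEST = AccessRequest("alice", COMPLIANT, "192.0.2.5", "com.example.game", "crm")
STALE_REQUEST = AccessRequest("carol", STALE_ANDROID, "198.51.100.7", "com.example.crm", "crm")

if __name__ == "__main__":
    for req in (ALLOWED_REQUEST, JAILBROKEN_REQUEST, UNSANCTIONED_REQUEST, STALE_REQUEST):
        allowed, why = evaluate_access(req, POLICY, TODAY)
        print(req.user, req.device.device_id, "ALLOW" if allowed else "DENY", why)
```

The compliant iOS device from an allowed network using a sanctioned app is the only request that passes; the jailbroken device is denied on posture alone, the request from an unlisted network with an unsanctioned app collects two denial reasons, and the stale Android device fails on OS version, patch age and missing threat-defense agent at once. Versions are compared as integer tuples rather than strings so that "17.10" is correctly treated as newer than "17.4".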
For unmanaged devices in contractor and frontline worker deployments, similar app and content configurations, Wi-Fi and VPN connection profiles, and conditional access rules can all be provisioned. Additionally, ZSO with remote browser isolation (RBI) and MTD can be configured and enforced to ensure the user and device comply with company security policies while accessing corporate work resources.
If an employee is terminated, the mobile device, remote laptop or desktop can be remotely retired: work-provisioned configurations and policies are selectively removed for BYOD deployments, or the device is completely wiped (factory reset, removing all configurations and settings) for company-owned devices.
In conclusion, the proliferation of mobile devices and the working from home paradigm shift don’t appear to be slowing down any time soon, and zero trust security will continually evolve as cybercriminals try to remain one step ahead of the good guys. Today, it isn’t “if” your company will experience a data breach, but “when.” What should your CISO and security architect do? Place as many robust impediments in front of these cybercriminals by employing a “good” cyber hygiene strategy and deploying Ivanti Neurons, UEM, MTD, VPN, and ZSO onto your corporate mobile device assets and networks!