The mobile device PEP talk!
*This post originally appeared on the MobileIron blog prior to the acquisition in December 2020, when MobileIron became part of Ivanti.
Traditional policy enforcement frameworks are inadequate for zero trust environments. This blog describes why that is the case and lays out the increasingly important role of the mobile device as the modern policy enforcement point (PEP).
The traditional PEP was a wireless access point, VPN concentrator, or firewall that controlled access to resources on the corporate network. It collected user attributes like credentials, work role, and location. That information was then forwarded to a policy decision point (PDP), which was usually an authentication and authorization service through an identity and access manager (IAM). In legacy networks, the PDP was a RADIUS or TACACS+ server, with Active Directory providing the authentication user source and corresponding authorization privileges and permissions.
However, modern work happens on mobile devices connected to cloud services, and this network PEP model is inadequate for securing these perimeter-less, zero trust networks. A user’s iPhone can be exposed to malware while surfing the Internet, while other users may have rooted their Android phones without realizing that their devices are now home to malicious exploits. And there may be no firewall at all to act as a gatekeeper. If there are no integrity controls to check the mobile device before it connects to business resources, those threats can steal data and infect other devices. A better way to secure data is to turn each mobile device into a PEP. Here’s how.
Step 1: Protect the device
First, the device itself must be appropriately configured and secured by enrolling it into a unified endpoint management (UEM) solution like MobileIron. This allows the administrator to manage and secure the full lifecycle of Android, iOS, macOS, and Windows 10 devices.
- Protection of data on the device and in transit using strong cryptosystems
- Context-based authentication and authorization methods that can leverage digital certificates
- Device health assessment with sophisticated jailbreak, code obfuscation, and suspicious app and root detection
- Deployment of sanctioned, malware-free apps
- Compliance actions to safeguard the apps and data if a threat is detected
Step 2: Ensure ongoing device integrity
Second, the integrity of the device must be preserved on an ongoing basis by scanning for device, network, and application (DNA) threats. If a threat is detected during the initial device enrollment, automatically halt the provisioning of work apps, configurations, and policies until that threat is remediated. Once the device is operational, continuous scanning ensures that new threats haven’t been introduced into the environment. The integrity scan should incorporate an artificial intelligence engine with machine learning that improves algorithmic outcomes to detect zero-day exploits. This is the role of the MobileIron Threat Defense solution.
Step 3: Define policy enforcement actions
Third, define the automated policy enforcement actions to take on the device when a compromise is detected. Here are two ways of using a mobile device as a PEP when a salesperson connects to an unsecured Wi-Fi network to access company data.
Example 1: MobileIron automatically establishes a VPN connection as an enforcement action to protect data. The user is notified of the threat and asked to connect to a secure network. If the user has not disconnected from the unsecured Wi-Fi after a specified amount of time, the next tier of enforcement actions will be automatically taken, like blocking the device or removing business content on the device. Business data is restored when the threat is remediated. Here is a video of this example:
Example 2: The device loses its network connection because the user fails to enter the proper credentials. Now MobileIron can automatically trigger the local compliance action to forward all network traffic to a VPN sinkhole for iOS devices. Once the threat is remediated, the VPN sinkhole is disabled and Internet connectivity is restored. Here is a video of this example:
Security leaders cannot rely on a traditional network PEP in a zero trust environment. The responsibility for enforcement falls to the mobile device. MobileIron ensures device integrity and triggers automatic policy enforcement actions on the device to protect data from advanced threats. With MobileIron, the mobile device becomes the modern PEP for zero trust networks.