Why You Shouldn’t Put Your Faith In ‘Trusted’ Devices

2530 0

In recent years, the mobile workforce has grown rapidly. Many forward-thinking companies have recognized the benefits of remote work and have adapted accordingly. However, allowing anywhere, anytime access to corporate data creates new risks that are difficult to address with most security solutions. Before the mobile workforce explosion, businesses used a “trusted” device model to secure remote access to corporate information. Unfortunately, with the plethora of personal devices used by the workforce today, this legacy approach is no longer reliable or secure.

Trusted Devices 101

Endpoints are considered “trusted” if they meet certain security requirements or if the enterprise can control them in some way. Typically, they have an installed software agent that directs traffic to the corporate network so that basic security checks can be completed. Once checks like passcode verifications and operating system (OS) updates are complete, trusted devices will receive unrestricted network access so that users can access all of the data that they need to complete their work. This is usually done through a VPN tunnel to the corporate network. However, these virtual private networks also grant unfettered access to services that remote workers may not be utilizing; for example, Active Directory. This only serves to increase the risk of data exposure.

Security Starts with the OS

In most organizations, Apple’s iOS has emerged as the standard for trusted devices. According to the second edition of the Mobile Security and Risk Review, Apple products account for over 80% of mobile devices trusted in enterprises worldwide. Apple’s native approach to hardware, software, and services has created a distinct security advantage over less centralized platforms. IT managers typically turn to Apple in their efforts to secure corporate data while enabling employee mobility. A recent Jamf study found that 90% of IT professionals say that it is easier to secure Apple devices than it is to secure mobile devices running other operating systems.

False Sense of Security

In general, mobile platforms are more secure than legacy desktop platforms, like Windows, because they are closed ecosystems. However, all of them, including iOS, are still susceptible to data loss, theft, and cyberattacks. Despite this, trusted devices are granted too much access to valuable enterprise data. Even government agencies and some of the world’s largest financial services institutions use the trusted device security model and grant remote workers excessive data access. Instead of focusing solely on device security, organizations should be more concerned about data sharing, stolen credentials, and achieving visibility over cloud data. While firms should deploy solutions that secure data wherever it goes, many merely adopt device-centric tools.

MDM Isn’t the Answer

Most organizations have turned to mobile device management (MDM) and mobile application management (MAM) to address common security issues. Through the installation of agents, these solutions can exert control over devices. From a single platform, IT departments can enforce password protection, wipe data remotely, and restrict unsecure network transmissions. However, setup and maintenance of this type of software can create significant logistical issues. IT teams have to manage the installation of software across thousands of devices and ensure that they are all updated regularly.

In bring your own device (BYOD) environments, seeking to deploy these solutions on employees’ personal phones and laptops is typically viewed as a draconian invasion of privacy. Through software installations, MDM solutions force all device activity through the corporate network. This allows IT to monitor corporate data on employees’ devices, but also grants visibility into personal information related to banking, social networking, and more.

While MDM and MAM harm the speed and functionality of devices and applications, employees are primarily concerned about their private data being viewed by their employers. A recent Bitglass study found that only 44 percent of employees would accept MDM or MAM on their personal phone. Employees tend to reject these solutions and work around IT, putting corporate data at risk.

Focus on the Data

Rather than monitor all activity on all devices, companies should only track corporate data. Likewise, instead of trying to control all devices touching data, organizations should simply limit access from risky endpoints and unauthorized users. In other words, companies should consider agentless mobile security solutions. These tools require no installations, meaning that they respect employee privacy while monitoring only corporate data.

This new approach to mobile security emphasizes the idea that it is no longer the device that needs to be protected. While most organizations have a false sense that trusted devices are safe, no endpoint is completely secure from data leakage. Rather than adhering to outdated paradigms and labeling devices as trusted in the name of security, enterprises should simply look to protect their data.

About Rich Campagna
Rich joined Bitglass as VP Products, and then became SVP Products and Marketing, before becoming CEO in June 2017. Prior to joining Bitglass, Rich was senior director of product management at F5 Networks, responsible for access security. Rich gained valuable experience in product management and sales engineering at Juniper Networks and at Sprint before working at F5. Rich received an M.B.A. from the UCLA Anderson School of Management and a B.S. in electrical engineering from Pennsylvania State University.

In this article