Implementing zero trust architecture in BYOD environments

“The coronavirus pandemic demonstrated how crucial telework is to maintaining continuity of operations. Through innovative IT tools, employees were able to maintain productivity and meet their mission. With continued telework in our future, our cybersecurity strategies must continue to evolve and it’s crucial to implement modern security that protects against device-based threats and reaches to the cloud.” – Rep. Gerry Connolly (D-Va.)

Telework greatly expanded the government threat landscape, and agencies that do not carefully consider security requirements are placed at enhanced risk. Bring your own device (BYOD) policies and the use of mobile devices for work have become commonplace, making traditional security measures insufficient. Attackers devised new, sophisticated methods during the pandemic that target government workers connecting to agency resources using unmanaged devices. These new security challenges fast-forwarded security strategies like zero trust from a cybersecurity buzzword to an important policy.

Zero trust restricts access to resources using behavioral context, identifying anomalous activity that could be suspicious. It relies on continuous assessment of devices and their authorization. Managing mobile device access and credentials allows security leaders to shore up vulnerabilities that malicious actors could exploit when looking to gain access to sensitive resources.

For zero trust to be effective, there are a number of steps agencies need to consider. To start, they have to evaluate the current state of their organization’s security efforts and move forward accordingly.

Know thyself 

The first step for an organization moving to a zero trust security strategy is to understand the most sensitive, high-consequence systems, services, applications and the data/information within the organization. Once a team has a solid awareness of its sensitive assets, it should isolate them from the rest of the network so that these resources remain protected in the event of unauthorized access.

With the most important data isolated, an agency should implement rigorous role-based identification and access management processes for those mission-critical systems, services, and applications. At the same time, it’s critical to establish a measurable, repeatable risk-management process by segmenting the ecosystem based on the level of risk.

Build a strong team and leverage partnerships

After isolating key assets and establishing a risk-flow process, leaders should ensure they are surrounded with talented individuals and leverage partnerships with robust and well-established security and intel entities. Government is a high-risk environment for security professionals. It can be challenging to enact innovative cybersecurity strategies, and in the event of a breach the security team is often held responsible. With high staff turnover, agencies should leverage networks and trusted partners to assist with various aspects of security for the long term, including often overlooked channels like mobile and other devices that require access to agency resources.

Include all network-connected devices in the zero trust strategy

Federal government mobile phishing encounter rates rose from 17 percent in the final quarter of 2019 to 40 percent in the first quarter of 2020 as a result of increased telework amid the pandemic. Many of the traditional safeguards against phishing attacks on desktop computers are difficult to implement on mobile devices, making mobile an easy target for attackers. Mobile screens are often much smaller than computer screens, making it difficult to clearly see the full URL displayed in a browser. It’s also nearly impossible to hover over a link to see the destination before clicking.

To fully defend agencies from mobile phishing attacks, device vulnerabilities, malware and the advanced mobile threats facing employees, a dedicated mobile security solution is always essential. To combat app-, network- and device-based mobile threats, a comprehensive mobile security solution needs to be part of zero trust efforts, ensuring every endpoint is validated before gaining permission to use a government system.
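
The steps described above (tier assets by risk, grant access by role, and validate every endpoint on each request) can be combined into one deny-by-default access decision. The following is an added example, not part of the original article; the resource names, roles, posture signals and risk thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy data: tiers, resources, roles and thresholds are assumptions.
# tier -> (managed device required, highest device risk score tolerated)
TIERS = {"public": (False, 70), "internal": (False, 30), "mission_critical": (True, 10)}
RESOURCES = {"news-feed": "public", "hr-portal": "internal", "case-db": "mission_critical"}
ROLE_GRANTS = {
    "analyst": {"news-feed", "hr-portal", "case-db"},
    "contractor": {"news-feed", "hr-portal"},
}

@dataclass(frozen=True)
class Device:
    managed: bool         # agency-enrolled, as opposed to unmanaged BYOD
    os_patched: bool
    jailbroken: bool
    phishing_alert: bool  # hypothetical signal from mobile security tooling

def device_risk(d: Device) -> int:
    """Score posture from 0 (clean) to 100 using the signals sent with a request."""
    if d.jailbroken:
        return 100
    score = 0
    if not d.os_patched:
        score += 30
    if d.phishing_alert:
        score += 40
    return score

def decide(role: str, resource: str, device: Device):
    """Return (allowed, reason). Deny by default; re-evaluated on every request."""
    tier = RESOURCES.get(resource)
    if tier is None:
        return False, "unknown resource"
    if resource not in ROLE_GRANTS.get(role, set()):
        return False, "role not authorized"
    need_managed, max_risk = TIERS[tier]
    if need_managed and not device.managed:
        return False, "unmanaged device on isolated tier"
    risk = device_risk(device)
    if risk > max_risk:
        return False, f"device risk {risk} exceeds {max_risk} for {tier}"
    return True, "allowed"

if __name__ == "__main__":
    byod = Device(managed=False, os_patched=True, jailbroken=False, phishing_alert=False)
    print(decide("analyst", "hr-portal", byod))  # clean BYOD phone, internal tier
    print(decide("analyst", "case-db", byod))    # same phone, isolated tier
```

Because the decision is recomputed per request, a phone that was allowed a minute ago is refused as soon as its posture signals change.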

Malicious campaigns are now able to target specific individuals’ mobile devices with the goal of phishing their credentials and/or delivering malware. Many of these malicious applications expose the data within the device or even take control of its camera and microphone. As such, advanced mobile security becomes more critical to keeping government data safe as cybercriminals constantly advance their strategies.

Zero trust is here to stay

The U.S. government rapidly transitioned to telework in 2020, thrusting mobile devices and BYOD policies into the spotlight and impacting the short- and long-term future of cybersecurity. Smartphones and other remote devices play a significant role in easing the transition to continued telework. However, the very same devices that made productivity easier away from the office introduced new cybersecurity risks.

By embracing a zero trust architecture, agencies can have full visibility and control over their resources, ensuring the devices connecting from various physical locations are safe. Over the next year, the future of remote work in government will become increasingly apparent, but zero trust will remain relevant as many agencies continue to assess their cybersecurity needs.

Scott Jack is president emeritus and consultant for Strategic Innovation at the Edge, Inc. and Principal and Owner of BeNimble Consulting, LLC. Jack also served in roles as Deputy Director and CISO for the United States Air Force; Director of the Department of Defense Public Key Infrastructure Program in the Office of the Assistant Secretary of Defense Networks and Information Integration; and Director of Communication and CIO for the USAF Global Strike Command.
