Bring Your Own Device (BYOD) and the Internet of Things (IoT) are the offspring of the cloud-first mobile revolution which has transformed both business and society. The ability to work anywhere, and the capability to manage every device conceivable, has fueled innovation on an unprecedented scale. However, with the creation of these groundbreaking technologies, new cybersecurity threats have emerged which take advantage of the fractures they created in traditional security models.
Before the advent of mobile devices and cloud-based services, IT secured the enterprise with a hard perimeter which protected internal resources from external threats. Firewalls formed the delineated boundary between a trusted internal network and the untrusted external environment. The introduction of mobile devices and the creation of IoT solutions fractured this hard perimeter. IT now has to secure devices which reside beyond the firewall as organizations no longer operate in a world where the notions of a trusted and untrusted network exist.
Network Defense Measures
Effective network protection is a mix of policy and technology. Below we break down what this mix looks like and how you can best serve your business interests while mitigating network vulnerabilities and data breaches.
The Zero Trust Approach
In 2009, John Kindervag of Forrester Research produced the Zero Trust framework, which placed this philosophy, that no network is inherently trusted, at its core. Created as unmanaged mobile devices started entering the workplace, Zero Trust stated that all network traffic should be deemed untrusted and established that organizations needed to deploy specific measures to protect themselves. The model introduced three core concepts to achieve this secure state. Firstly, all resources on the network had to be accessed securely regardless of their location. Secondly, organizations should adopt the principle of least privilege and enforce strict access control. Thirdly, all network traffic needed to be inspected and logged.
In 2018, the Zero Trust model, now under the thought leadership of Chase Cunningham at Forrester, was expanded into the Zero Trust Extended Ecosystem (ZTX). ZTX builds on the underlying principles of Zero Trust by adding several untrusted components to the model in addition to the network. People, devices, and workloads are all deemed untrusted by ZTX, which also places data at its core. ZTX recommends that all data be encrypted in transit and at rest, and that only securely authenticated resources be allowed to access it. Furthermore, the model suggests adding automated security solutions to manage the added complexity of modern IT environments.
Implementing a Zero Trust approach requires Next-Generation Access (NGA). The core of NGA is that simplicity in managing modern networking environments is vital, and that command and control over who or what accesses the network, and ultimately the data, is the crucial element that enables this. However, in addition to managing access, organizations that have BYOD policies in place and that operate IoT infrastructure need to deploy a few additional measures to protect their network against possible intrusion.
BYOD and IoT have a common security problem in that new devices connect to the network without any oversight or authorization from IT. Employees connecting their mobile devices to corporate email, and new equipment which has embedded IoT components transmitting information to the vendor, are just two examples. As long as the user has the necessary credentials to access the corporate network, or an organization’s network access policy remains unrestricted, these incidents will continue to occur.
A crucial requirement of managing and securing BYOD and IoT is having visibility of the devices. If we consider the Zero Trust principles, a vital element of the framework is the concept of secure access. ZTX takes this further by stating that every device is untrusted and that appropriate measures are needed to ensure they authenticate securely. Putting technologies in place that force users to enroll devices before they can access any corporate resource can introduce the required visibility. Furthermore, enforcing strict outbound access control will help mitigate the risk of unknown IoT devices dialing home without authorization.
Segmenting a network into logical operational areas with strict access control limits between each scope is a well-established security principle. This standard best practice is now more critical than ever in a Zero Trust architecture. The ability to logically segment different devices into distinct network segments forms the foundation of further security measures organizations need to implement.
By ensuring all BYOD and IoT devices connect to securely controlled network segments, organizations can enforce stricter controls and apply the appropriate management policies. This partitioned approach also offers organizations a logical security buffer. Should an intruder manage to compromise a device, they will only have access to that particular network segment, which quarantines the rest of the organization from further compromise.
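The three controls described above, enrollment before access, strict outbound control for IoT devices, and default-deny access between segments, can be expressed as one policy check run over flow records. This is an added example, not code from the page or from Coranet; the segment ranges, the enrollment inventory, the vendor update host and the flow records are all constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Hypothetical network segments: corporate, BYOD and IoT are kept apart.
SEGMENTS = {"corp": ip_network("10.10.0.0/24"),
            "byod": ip_network("10.20.0.0/24"),
            "iot": ip_network("10.30.0.0/24")}
# Constructed enrollment inventory: an address inside a segment is not proof
# of trust; only devices IT has enrolled are known at all.
ENROLLED = {"10.10.0.5": "corp", "10.20.0.7": "byod", "10.30.0.9": "iot"}
# Explicit cross-segment allow-list (src segment, dst segment, dst port).
# Anything not listed is denied: the Zero Trust default.
ALLOW = {("corp", "iot", 443),       # admins manage IoT devices over HTTPS
         ("byod", "corp", 443),      # BYOD reaches corporate web apps only
         ("byod", "internet", 443), ("corp", "internet", 443)}
# IoT devices may dial out only to their vendor's update host (hypothetical).
IOT_OUTBOUND = {("203.0.113.10", 443)}

def segment_of(ip):
    """Segment name for an address, or 'internet' if it lies in no segment."""
    addr = ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), "internet")

def evaluate(src, dst, dport):
    """Verdict for one flow: 'ALLOW' or 'DENY <reason>'."""
    if src not in ENROLLED:                      # no visibility, no access
        return "DENY unenrolled-device"
    src_seg, dst_seg = ENROLLED[src], segment_of(dst)
    if src_seg == "iot" and dst_seg == "internet":   # dial-home control
        return "ALLOW" if (dst, dport) in IOT_OUTBOUND else "DENY iot-dial-home"
    if src_seg == dst_seg:                       # intra-segment traffic
        return "ALLOW"
    return "ALLOW" if (src_seg, dst_seg, dport) in ALLOW else "DENY cross-segment"

# Constructed flow records, as a firewall or NetFlow collector might export.
SAMPLE_FLOWS = [("10.30.0.9", "203.0.113.10", 443),   # IoT -> vendor update host
                ("10.30.0.9", "198.51.100.8", 443),   # IoT -> unknown host
                ("10.30.0.23", "10.10.0.5", 445),     # device never enrolled
                ("10.20.0.7", "10.10.0.5", 445),      # BYOD -> corp SMB share
                ("10.20.0.7", "10.10.0.5", 443)]      # BYOD -> corp web app

def audit(flows=SAMPLE_FLOWS):
    """Evaluate each flow and return one log line per flow; allowed traffic
    is logged as well, since Zero Trust inspects and logs everything."""
    return [f"{evaluate(s, d, p)} {s}->{d}:{p}" for s, d, p in flows]

if __name__ == "__main__":
    print("\n".join(audit()))
```

Of the five sample flows only the vendor update and the BYOD web-app connection are allowed; the other three are denied for a different reason each, which is what the log should make visible.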
Secure Authentication and Access Control
Network segmentation is only a single measure that controls access. Ensuring a device is not compromised in the first place requires the implementation of secure authentication and access control.
In the case of BYOD, organizations must ensure they enforce some form of device enrollment solution that can authenticate both the user and the device before granting access. Many IoT devices come pre-configured with default usernames and passwords. However, this convenience became the attack vector of the infamous Mirai botnet, which took control of thousands of devices for malevolent purposes. As such, ensuring every IoT device adheres to the secure authentication principles of Zero Trust is essential.
However, authentication is only half of a secure access solution. Once the device authenticates and logs onto the network, strictly enforcing granular access control to every resource is essential. This defense-in-depth approach limits the threat a compromised device poses and, as such, is a crucial element in protecting a network from potential threats.
Continuous Monitoring and Automation
Network, device and service monitoring has long been a part of any productive IT operational environment. Proactively receiving an alert when any IT resource malfunctions is paramount. IT must be able to remediate the condition quickly to ensure system uptime and organizational productivity. With the introduction of BYOD and IoT, this IT process is crucial to ensure the availability of the device and to monitor it for any security alert. BYOD and IoT devices effectively form the perimeter of the organization as they reside beyond the firewall. As such, continuous monitoring of these devices is essential in ensuring any security incident can be mitigated immediately.
In addition to monitoring BYOD and IoT devices, organizations must introduce automation and orchestration to manage the complexity of controlling thousands of devices. For example, due to the scale of some IoT implementations, manually onboarding thousands of IoT devices is not only inefficient but in some cases nearly impossible.
Although we see BYOD and IoT platforms as hardware solutions, the fact is the software that runs on these devices is the component that is actually under attack. Application shielding is a technology that fortifies the actual device endpoint by securing its software from intrusion, tampering and reverse engineering.
App shielding works by modifying an application’s binary code and is typically used by organizations to protect their software assets. However, in a BYOD and IoT scenario, a cloud-based app-shielding solution is the most effective approach. As it operates at the root level, it can alert app owners when an intruder tampers with the operating system, or when a modification occurs that affects the regular flow of software applications.
In Summary: Securing BYOD and IoT Requires In-Depth Defenses
BYOD and IoT solutions are everywhere, and their impact on organizations and security will only continue to expand. As such, organizations that have a BYOD policy or are leveraging an IoT solution must put measures in place to secure their networks. Adopting a Zero Trust approach can help organizations formulate the defensive strategies needed. Furthermore, implementing measures such as visible onboarding, network segmentation, secure authentication, granular access control, continuous monitoring, and app shielding can help organizations protect their networks against intrusions originating from their BYOD or IoT platforms.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, IT Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.
Please contact us at Sales@coranet.com for more information