
How Device Trust is Key to Securing Cloud Access

Device trust is the process of analyzing whether a device should be trusted and therefore is authorized to do something. It’s critical that the devices accessing company data are trustworthy. Determining which devices should be trusted is a unique decision made by each organization depending on their risk tolerance and compliance requirements.

  • Published: 29-04-2022

  • Related Category: Cloud Security

  • Type of Content: Articles

  • Owner: Beyond Identity


What is device trust?

Device trust is the process of analyzing whether a device should be trusted and therefore is authorized to do something.

It’s critical that the devices accessing company data are trustworthy. Determining which devices should be trusted is a unique decision made by each organization depending on their risk tolerance and compliance requirements.

Different levels of trust are required for low-risk and high-risk resources. Furthermore, compliance requirements are dependent on industry regulations and types of company and customer data that the organization collects and needs to protect.

For example, healthcare professionals shouldn’t be able to access sensitive patient medical records from unmanaged, personal machines with unencrypted disks, because that violates HIPAA requirements. However, it doesn’t infringe on HIPAA requirements for healthcare professionals to access their HR benefits from their phone. Each organization has unique standards they need to enforce, but it’s difficult to maintain these standards on some devices.

Device trust is also a key building block for a Zero Trust security architecture. With Zero Trust, until an endpoint device has been proven to be trustworthy, it should not be given access to any data or resources. As some have noted, the endpoint has become the “new security perimeter”, making it vitally important to establish device trust. With Zero Trust, don’t trust until you verify. As organizations embark on, or continue, their Zero Trust journey, they must consider how to establish trust in endpoint devices.


Why is device trust important today?

Today, it’s a nightmare to control which devices can access cloud resources like software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). These cloud services are great because they’re turn-on-and-go, scalable, and easily accessible. Yet the bad news is that they’re easily accessible — from any web browser on any device!

Making matters more complicated, COVID-19 sped up the use of cloud services and spawned the move to a permanent hybrid workplace. Now that more and more sensitive, confidential information and important intellectual property resides in cloud services, there’s added complexity. Not to mention the workforce can log in from all types of devices, including personal computers, shared computers, phones, and tablets.

If SaaS apps can be accessed from any web browser on any device, what’s stopping employees, contractors, or partners from accessing company data using unmanaged, insecure personal machines, or worse? Without proper controls, employees can access critical cloud resources from shared machines that are very likely compromised, like a computer in a library or hotel lobby.

It’s the perfect storm and unmanaged devices are a huge blind spot.

Many CISOs know that employees are accessing sensitive company data on insecure personal machines and that they’re powerless to stop it.

Why? It’s easy for system admins to access critical infrastructure or for software engineers to access and commit code to GitHub from a personal machine, undetected and unmonitored. CISOs we’ve spoken to have asked these employees to stop, but they don’t have confidence their employees are complying with this security measure.

Even if companies have taken steps to control which devices can access cloud resources, CISOs are not satisfied, because these security measures can often be bypassed by more technical users (e.g., engineers or attackers). For them, it’s trivial to move a certificate issued by a centralized CA (and stored on the local hard drive) from one device to another device. Then a legitimate user can authenticate from an insecure, personal machine or an attacker can steal the certificate and use it.
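One way to turn the tier-based standards described earlier (different posture for low-risk and high-risk resources, as in the HIPAA example) and the exportable-certificate problem just discussed into an enforceable access check, as an added example that is not part of the original article and not code from any Beyond Identity product: a small policy evaluator in Python. The posture signals (`managed`, `disk_encrypted`, `edr_running`, `credential_device_bound`), the two sensitivity tiers, the `POLICY` table and the sample devices and resources are all constructed assumptions; how an organization actually collects those signals from an endpoint is outside the example.

```python
from dataclasses import dataclass
from enum import Enum


class Sensitivity(Enum):
    """Risk tier of a resource. Each organization defines its own tiers (assumed here)."""
    LOW = "low"    # e.g. an HR benefits portal
    HIGH = "high"  # e.g. patient medical records covered by HIPAA


@dataclass(frozen=True)
class DevicePosture:
    """Posture signals gathered from the endpoint at access time.

    Which signals exist, and how they are collected, is an assumption of this example.
    """
    device_id: str
    managed: bool                  # enrolled in MDM/UEM
    disk_encrypted: bool           # full-disk encryption is on
    edr_running: bool              # endpoint detection and response agent is active
    credential_device_bound: bool  # signing key cannot be exported or copied to another device


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: Sensitivity


@dataclass(frozen=True)
class Decision:
    allowed: bool
    missing: tuple  # names of required posture signals the device lacks (empty when allowed)


# Constructed example policy: a low-risk resource needs no particular posture,
# a high-risk one needs every signal, including a credential that cannot be
# copied off the device (which a file-based certificate from a central CA can be).
POLICY = {
    Sensitivity.LOW: frozenset(),
    Sensitivity.HIGH: frozenset(
        {"managed", "disk_encrypted", "edr_running", "credential_device_bound"}
    ),
}


def evaluate(device: DevicePosture, resource: Resource, policy=POLICY) -> Decision:
    """Deny unless every posture signal required for the resource's tier is true.

    The returned Decision lists which requirements failed so the denial can be
    logged and explained to the user or the security team.
    """
    required = policy[resource.sensitivity]
    missing = tuple(sorted(name for name in required if not getattr(device, name)))
    return Decision(allowed=not missing, missing=missing)


# Constructed sample devices (identifiers are placeholders).
CORPORATE_LAPTOP = DevicePosture(
    "lt-0042", managed=True, disk_encrypted=True, edr_running=True, credential_device_bound=True
)
# A personal laptop that presents a certificate copied from a managed machine:
# the credential is a file that travelled with it, so it is not device-bound.
PERSONAL_LAPTOP = DevicePosture(
    "home-pc", managed=False, disk_encrypted=False, edr_running=False, credential_device_bound=False
)
PERSONAL_PHONE = DevicePosture(
    "phone-1", managed=False, disk_encrypted=True, edr_running=False, credential_device_bound=True
)

# Constructed sample resources.
MEDICAL_RECORDS = Resource("patient-records", Sensitivity.HIGH)
HR_BENEFITS = Resource("hr-benefits", Sensitivity.LOW)


def sample_decisions() -> dict:
    """Evaluate every sample device against every sample resource."""
    devices = (CORPORATE_LAPTOP, PERSONAL_LAPTOP, PERSONAL_PHONE)
    resources = (MEDICAL_RECORDS, HR_BENEFITS)
    return {(d.device_id, r.name): evaluate(d, r) for d in devices for r in resources}


if __name__ == "__main__":
    for (device_id, resource_name), decision in sample_decisions().items():
        verdict = "ALLOW" if decision.allowed else "DENY  missing=" + ",".join(decision.missing)
        print(f"{device_id:8} -> {resource_name:16} {verdict}")
```

Because the policy is a table rather than hard-coded branches, a second organization with a different risk tolerance changes `POLICY` (for instance, adding a third tier or requiring `managed` even for low-risk resources) without touching `evaluate`. The `missing` tuple is what a security team would want in the access log: it shows whether a denial came from an unencrypted disk, a missing agent, or a credential that was never bound to the device in the first place.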


Security teams spend a lot of energy and resources locking down company-issued machines because the workforce has access to important data. They’re concerned by attackers potentially getting a foothold, installing malware on the endpoint, and gaining access to company data.

The accessibility of the cloud means company data can be moved onto personal machines. This opens up organizations to a lot of risk. Unmanaged personal machines could already be compromised and become an attack vector to company data and resources. Though this is a risk that a lot of CISOs have had to live with, it’s very problematic.

Managed devices only tell half the story

Historically, organizations have turned to managing devices to control access to company data. By managing devices, we mean the process of identifying, purchasing, configuring, and rolling out mobile device management (MDM) software.

In some circles, MDM has been re-named unified endpoint management (UEM) to incorporate all types of devices, including computers and tablets. Endpoint detection and response (EDR) solutions are also an important part of endpoint security, as they’re helpful in detecting threats after attackers get access.
