In my most recent blog post we started down the path of Zero Trust and how to enable it in your organization. It was a bit exhausting but thankfully those of us in the United States could use the Thanksgiving holiday break to rest and recover. But now we are back at it with the next step in our Zero Trust journey: it’s time to secure your devices. This is especially important in these pandemic times, as I will explain shortly.
You Would Be Wise to Verify Your Devices. And Apps.
Back in the castle-and-moat days of yore, IT Managers could implicitly trust the devices attached to the network. Why?
- The IT Manager supplied the device. So, it was configured and protected just the way the IT Manager wanted.
- The IT Manager supplied all the apps running on the device. The apps were thoroughly vetted before being deployed.
- The devices all lived within the network. Before “portable” computers became a thing, you would have needed a hand truck to take your computer home. (Ask the man who hauled an IBM PS/2 home a couple of times.)
As behemoth computers gave way to laptops, devices might leave the network. But they could not access the network without an installed VPN (Virtual Private Network).
Today’s Device Environment? It’s Complicated.
It’s easier to understand the need to secure your devices when you review the state of device deployment today.
- Organizations have a mix of devices accessing resources. IT supplied some of these devices. Users brought their own devices to work. Users have often installed applications on their computers, tablets or smartphones without the knowledge or approval of IT.
- Everybody is working from home. For organizations that have relied on domain joining to manage devices, their management conduit has been severed. The devices are no longer domain joined. So, things like Group Policy Objects cannot be used to manage device settings and security. We have worked with several customers in this situation who needed to set up alternative ways to secure their devices.
In this kind of device environment, you cannot implicitly trust the devices attaching to your resources. You must verify that they are who they say they are. You must confirm that they are properly patched and aren’t running unsafe applications.
Set These Objectives to Secure Your Devices
How do we bring some order to this chaos? One step at a time. Here’s some detail if you would like to follow along. The source material is from Microsoft, but the principles apply regardless of what technologies you use.
First, secure your devices by making sure that they are registered with a cloud identity provider. This identity provider could be Azure Active Directory. Or Okta. Or another provider. You want to know who is connecting to your network. This includes users (duh) but extends to contractors and BYOD (Bring Your Own Device) devices. I would add that it includes IoT (internet of things) devices (hello, Alexa) but I have previously advised that IoT devices be confined to a guest network.
Next, control what these devices can do once on your network. Services like Microsoft’s Conditional Access enable you to examine the security of the device, its location, and the like, and make choices about which assets that device can access. You can also set remediation actions that devices can take to address non-compliance issues.
Finally, set Information Protection and Data Loss Prevention policies for the data that devices can access. This will not only secure your devices but move you beyond them, to securing the data itself. For instance, you can specify whether devices accessing data from previously unused locations can download data to a hard disk. Or you can restrict who can print data that they have accessed.
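The three objectives above fit together as one access decision, so here is an added example of a small Conditional-Access-style evaluator that puts them in code. It is constructed for this post and is not Microsoft's Conditional Access engine or any vendor's code; every class, field, threshold and location list below is an assumption chosen to illustrate registration with an identity provider, compliance checks with remediation, and data-protection rules on download and print.

```python
"""Added example: a minimal Conditional-Access-style policy evaluator.

Constructed for this post; not Microsoft's or any vendor's code. Every
class, field and threshold is an assumption used to illustrate the three
objectives: identity-provider registration, controlling what a device may
do, and data-protection rules on what it may download or print.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    BLOCK = "block"              # deny outright
    REMEDIATE = "remediate"      # deny until the device fixes itself
    REQUIRE_MFA = "require_mfa"  # allow only after a second factor
    ALLOW = "allow"


@dataclass(frozen=True)
class Device:
    device_id: str
    registered: bool           # enrolled with the cloud identity provider
    patch_age_days: int        # days since the OS was last patched
    apps: frozenset            # installed application names
    location: str              # country of the current sign-in
    seen_locations: frozenset  # countries this device signed in from before


@dataclass(frozen=True)
class Policy:
    # Assumed thresholds and lists; a real tenant would tune these.
    max_patch_age_days: int = 30
    trusted_locations: frozenset = frozenset({"US"})
    blocked_apps: frozenset = frozenset({"unapproved-remote-control"})
    print_roles: frozenset = frozenset({"finance", "legal"})


@dataclass
class Grant:
    decision: Decision
    reasons: list = field(default_factory=list)
    remediation: list = field(default_factory=list)
    can_download: bool = False
    can_print: bool = False


def evaluate(device: Device, user_role: str, policy: Policy = Policy()) -> Grant:
    """Decide what this device may do, checking the strongest denial first."""
    # Objective 1: only devices known to the identity provider get anywhere.
    if not device.registered:
        return Grant(Decision.BLOCK,
                     ["device is not registered with the identity provider"])

    # Objective 2: compliance checks, with remediation the device can perform.
    unsafe = device.apps & policy.blocked_apps
    if unsafe:
        return Grant(Decision.BLOCK,
                     [f"unsafe application installed: {sorted(unsafe)}"])
    if device.patch_age_days > policy.max_patch_age_days:
        return Grant(Decision.REMEDIATE,
                     [f"OS patches are {device.patch_age_days} days old"],
                     remediation=["install pending OS updates",
                                  "re-run the compliance check"])

    grant = Grant(Decision.ALLOW)
    if device.location not in policy.trusted_locations:
        grant.decision = Decision.REQUIRE_MFA
        grant.reasons.append(f"sign-in from untrusted location {device.location}")

    # Objective 3: data-protection rules ride along with the access decision.
    # A previously unused location may read but not download to local disk.
    grant.can_download = device.location in device.seen_locations
    if not grant.can_download:
        grant.reasons.append("first sign-in from this location: download disabled")
    # Printing is tied to the user's role, not to the device.
    grant.can_print = user_role in policy.print_roles
    return grant


if __name__ == "__main__":
    laptop = Device("laptop-2", True, 5, frozenset({"office"}), "DE", frozenset({"US"}))
    print(evaluate(laptop, "sales"))
```

The order of the checks is the point: registration and unsafe applications are hard stops, an out-of-date device is sent to remediation rather than simply refused, and only once the device passes does the evaluator layer on the location-based MFA requirement and the download and print restrictions the post describes.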
Master Class: Proactively Manage Device Risk
Congratulations on getting this far as you secure your devices! You could stop here and give yourself a well-deserved pat on the back. If you are an overachieving type, you might want to set two other goals.
First, you can proactively secure your devices by connecting device management audit logs to a log analyzer. For instance, you could pipe your logs to Power BI or a SIEM (Security Information and Event Management system). From there, you can set some filters to elevate the alerts that are likely to be troublesome above all the other alert data. Now you will have a real-time view of where havoc is threatening your network.
Second, you can manage device risk in real time. If you see data coming in from a threat intelligence service, you can temporarily limit or suspend device access. For instance, if you see a malware outbreak happening in a geography your users are in, you can limit access for those users while you investigate and decide if you have a problem.
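Both of these goals, filtering device audit logs so the troublesome alerts rise to the top and limiting access when a threat feed flags a geography, can be shown in a few dozen lines. The following is an added example constructed for this post; it is not Power BI, any SIEM, or any vendor's code. The log line format, event names, threat feed shape and thresholds are assumptions, and the log lines and feed entries are constructed samples.

```python
"""Added example: triaging device-management audit logs and applying
temporary, threat-intel-driven access limits.

Constructed for this post, not any vendor's product. The key=value log
format, event names, threat feed shape and thresholds are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

BLOCKED_APPS = {"unapproved-remote-control"}  # assumed deny-list
FAILED_SIGNIN_THRESHOLD = 3                   # assumed alert threshold
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample of device-management audit log lines, in time order.
SAMPLE_LOG = """\
2020-12-01T08:02:11Z device=laptop-7 user=ana@example.com event=ComplianceChanged state=NonCompliant reason=PatchOverdue country=US
2020-12-01T08:05:40Z device=laptop-2 user=bo@example.com event=SignIn result=Success country=US
2020-12-01T08:06:02Z device=laptop-9 user=cy@example.com event=SignIn result=Failure country=BR
2020-12-01T08:06:05Z device=laptop-9 user=cy@example.com event=SignIn result=Failure country=BR
2020-12-01T08:06:09Z device=laptop-9 user=cy@example.com event=SignIn result=Failure country=BR
2020-12-01T08:10:00Z device=laptop-4 user=dee@example.com event=DeviceEnrolled country=US
2020-12-01T08:12:30Z device=laptop-3 user=eli@example.com event=AppInstalled app=unapproved-remote-control country=US
2020-12-01T08:15:12Z device=laptop-5 user=fay@example.com event=SignIn result=Success country=BR
"""

# Constructed threat feed entry: the feed shape is an assumption.
SAMPLE_INTEL = [{"country": "BR", "type": "malware-outbreak"}]


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict; timestamp becomes 'ts'."""
    ts, *pairs = line.split()
    record = {"ts": datetime.strptime(ts, TS_FORMAT)}
    record.update(pair.split("=", 1) for pair in pairs)
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Elevate the events worth a human's attention out of the raw stream.

    Returns (severity, device, message) tuples in the order they fire.
    """
    alerts = []
    failures = Counter()  # failed sign-ins per device
    for r in records:
        ev = r.get("event")
        if ev == "ComplianceChanged" and r.get("state") == "NonCompliant":
            alerts.append(("medium", r["device"], f"non-compliant: {r.get('reason')}"))
        elif ev == "AppInstalled" and r.get("app") in BLOCKED_APPS:
            alerts.append(("high", r["device"], f"blocked app installed: {r['app']}"))
        elif ev == "SignIn" and r.get("result") == "Failure":
            failures[r["device"]] += 1
            # Fire once, when the threshold is reached, not on every failure.
            if failures[r["device"]] == FAILED_SIGNIN_THRESHOLD:
                alerts.append(("high", r["device"],
                               f"{FAILED_SIGNIN_THRESHOLD} failed sign-ins"))
    return alerts


def apply_threat_intel(records, intel, now, hold_minutes=60):
    """Temporarily limit users whose latest sign-in came from a geography the
    feed flags. Returns {user: (restriction, expires_at)}; `now` is a
    timestamp string in TS_FORMAT so the hold is deterministic."""
    flagged = {item["country"]: item["type"] for item in intel}
    latest = {}
    for r in records:
        if r.get("event") == "SignIn":
            latest[r["user"]] = r  # records are in time order, so last wins
    expires = datetime.strptime(now, TS_FORMAT) + timedelta(minutes=hold_minutes)
    limits = {}
    for user, r in latest.items():
        if r.get("country") in flagged:
            limits[user] = (f"limited: {flagged[r['country']]} in {r['country']}", expires)
    return limits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in triage(recs):
        print(alert)
    print(apply_threat_intel(recs, SAMPLE_INTEL, "2020-12-01T08:20:00Z"))
```

Two design choices matter here. The failed-sign-in rule fires once, at the threshold, rather than on every failure, so the elevated view is not flooded by the very noise you were trying to filter out. And the threat-intel limit carries an expiry, which is what makes it a temporary hold while you investigate rather than a permanent lockout that someone has to remember to lift.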
You’ve Worked to Secure Your Devices. Next, Secure Your Applications.
I mentioned earlier that you must secure your applications along with your devices. We will save that for another post. Meanwhile, start taking stock of the devices accessing your network. Do you have a list? Are they all secure? What are your staff using to work while they remain homebound? You may find that you have some work to do to secure your devices. Take these actions to get a good start. And let me know if we can help.