Adaptive Trust - A New Defense for Secure Enterprise Mobility

BYOD, cloud and the Internet of Things are changing enterprise defense plans to guard against points of attack inside the network perimeter. These new ways of connecting to secure resources have changed the way traditional threat radars work, which was to protect against threats from the outside.

By Michael Netterberg, Solution Architect, Networking at Aruba, a Hewlett Packard Enterprise company

An HR director, a salesperson visiting with your engineering team, and a network administrator walk into the office at 9 a.m. Each is carrying a coffee in one hand, a smartphone in their pocket and a laptop over the shoulder. Within minutes of entering the building, they all log in to the Wi-Fi network and blend into the mobile workforce.

These tech-savvy, Wi-Fi-loving users expect to connect and work from anywhere on any device, and they want connectivity without extraneous layers of security that slow them down. It's this workforce and its expectations that are turning security inside out.

What’s happening faster than anyone imagined is the dilution of the fixed perimeter that surrounds the enterprise. Before workforces went mobile, IT invested tons of time and resources into building a crack-free perimeter that prevented outside threats from coming into the enterprise. They locked down the network with gateway firewalls, intrusion prevention systems, anti-spam, URL filtering and other security solutions to close off possible entry points. But in our more mobile-centric world, the biggest threats now come from inside the network.

Infected laptops and smartphones walk right through the front door and connect directly to the network without IT's knowledge. When you count the attacks initiated from those unsecured user devices, the loss of sensitive data on mobile devices and risky end-user behavior, they add up to more than 90 percent of enterprise security breaches.

Lost devices alone pose a serious insider threat. In 2014, thieves stole 2.1 million smartphones in the United States and another 3.1 smartphones were lost. The missing devices are often all someone needs to gain access to a company's valuable data and critical business systems. Remember the mobile workers from earlier? The HR director's laptop could have access to the direct deposit information for the entire company, and the network administrator most likely has the credentials to access 70 percent of the systems in the company.

Stats are only beginning to trickle in that highlight the potential threat of the Internet of Things. Clearly, billions of devices will connect to the Internet in the coming years, but how will they impact the enterprise? According to The Internet of Things 2015 report, the largest adopter of IoT ecosystems will be businesses, not consumers. According to Gartner, businesses are projected to have from 11.2 to 20 billion IoT devices installed by 2020. As smart meters, IV pumps, manufacturing robots, farming equipment, and even conference rooms connect, the network must get smarter and be able to classify and understand the behavior of IoT devices automatically in order to keep the enterprise safe.    

When Context Controls Connectivity

Between the mobile devices already on the network and the IoT devices that are coming, the inside of the network has become a soft underbelly. It demands a different type of security approach: one that starts on the inside, extends beyond the perimeter, and can adapt to the dynamic nature of users and of mobile-oriented threats that can originate from anywhere.

The hallmarks of this security approach are shared contextual information and adaptive controls based on mobility needs. By recognizing that no two users are alike, an adaptive trust approach allows IT to define more personal policies that are mapped to individuals or groups that share similar roles and business objectives.

Going back to our initial trio, the visiting salesperson gets guest access that reaches only the Internet, and only after the sponsor acknowledgement and device compliance requirements are met. While guest access is a familiar scenario, context-based policies get more interesting when applied to the two employees. Enforcement can now be based on user role, device ownership, MDM/EMM status, and even location. The network administrator has full privileges from his laptop while he is in any company-owned building. At home, his privileges drop somewhat and they are different for his laptop and his smartphone.

The HR director has full access to all systems when onsite, and when working from home on her laptop. When traveling she is limited to emails and approvals from her mobile device. For vacation, review, or budget approvals, the HR director also has the necessary multi-factor authentication credentials to move the approval into the workflow cycle. This added layer of security ensures that automated processes are only initiated by approved personnel. If the mobile device is stolen, a thief has no access to the company's systems or private employee data.

User role, device type, ownership, status and location are some of the relevant contextual information that allows IT to create policies that allow or deny access on a case-by-case basis without leaving the enterprise completely exposed to new threats.
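
The decisions described above for the guest, the network administrator and the HR director can be written as a small default-deny policy table. This is an added example, not code from the article or from any vendor product; the `Context` fields, the tier names and the tiers chosen for the administrator at home are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    role: str                    # "guest", "hr_director" or "net_admin"
    device: str                  # "laptop" or "smartphone"
    location: str                # "onsite", "home" or "travel"
    compliant: bool = True       # posture / MDM-EMM check passed
    sponsor_ack: bool = False    # guest's sponsor acknowledged the visit
    reported_lost: bool = False  # device flagged lost or stolen
    mfa: bool = False            # multi-factor authentication completed

# (role, location, device) -> access tier; "*" matches any device.
# Tier names are hypothetical labels for this example.
POLICY = {
    ("net_admin", "onsite", "laptop"): "full",
    ("net_admin", "home", "laptop"): "reduced_admin",
    ("net_admin", "home", "smartphone"): "monitoring_only",
    ("hr_director", "onsite", "*"): "full",
    ("hr_director", "home", "laptop"): "full",
    ("hr_director", "travel", "smartphone"): "email_and_approvals",
}

def decide(ctx: Context) -> str:
    """Return the access tier for one connection attempt."""
    if ctx.reported_lost:
        return "deny"                # a stolen device gets nothing
    if not ctx.compliant:
        return "quarantine"          # user is asked to fix the device
    if ctx.role == "guest":
        return "internet_only" if ctx.sponsor_ack else "deny"
    for device in (ctx.device, "*"):
        tier = POLICY.get((ctx.role, ctx.location, device))
        if tier:
            return tier
    return "deny"                    # no matching rule: default deny

def can_approve(ctx: Context) -> bool:
    """Workflow approvals need the HR role, an approving tier and MFA."""
    allowed = decide(ctx) in ("full", "email_and_approvals")
    return ctx.role == "hr_director" and ctx.mfa and allowed
```

Any combination of role, location and device that the table does not list falls through to `deny`, so new device types or locations get no access until a rule is written for them.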

A Secure Network is a Healthy Network

Enterprises that have moved to an adaptive trust approach are responding confidently to the demands of BYOD, cloud, and IoT. Consulate Health Care is among the security thought leaders that have moved to an adaptive trust approach that protects against insider threats. The health care center had hundreds of company-issued mobile devices and thousands of guest devices that connected to the network daily, but security wasn't airtight.

Consulate wanted to assign policies to the connecting devices based on user role and device that would serve both visitors and employees and protect patient information and other private healthcare data. The new defense approach provides the center with much better security around its intensely dynamic mobile environment.

Prior to establishing a valid connection, corporate-owned and personal devices must meet compliance policies. Devices failing to meet requirements are automatically quarantined and the users are asked to resolve the issues.

Once recognized as compliant, patients, residents and family members can complete the self-enrollment process for Internet access that won't affect the security of the internal network. However, when the center's health care employees connect to the network, they are granted access to internal resources. Based on user role and device ownership, IT can easily define which resources they should have access to, thus reducing the chance of compromising patient information. Consulate is now much more confident that its data and systems are safe from any insider threats.

When enterprises take an adaptive trust approach, IT can make smarter decisions about how users and devices connect and how their access privileges are enforced. This is required for today's mobile workforce, which will continue to push the boundaries of network security for years to come. In this fast-paced, upwardly mobile world, the best defense is being able to adapt.