Zero Trust Applied to the Mobile World


Posted by Gema Howell

Everyone in the cybersecurity community is talking about zero trust, and although it is not a new concept, there is renewed interest in implementing zero-trust principles. This introduces challenges for an organization’s mobile administrators. But what does zero trust really mean for mobile?

In May 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity, requiring the federal government to develop a plan to implement zero trust architecture (ZTA) across agency infrastructure, which includes mobile devices. This new development has spilled over into industry and created a lot of activity around zero trust, but not necessarily with clarity on how to incorporate it into current mobile infrastructure.

Due to the pandemic, many employees have transitioned to remote/telework options to accomplish their daily work activities. The portability of mobile devices makes it easier to respond promptly to emails, attend virtual meetings, and use special work apps from anywhere, even in your own home. They also serve as backup devices when the primary computing devices are not functioning properly at remote sites.

In this new environment, mobile devices are now another endpoint connected to enterprise resources and can put the entire enterprise at risk if compromised or stolen. ZTAs can minimize this impact through cybersecurity practices that grant no implicit trust, monitor continuously, and restrict access to enterprise resources based on the criticality of the resource and on user and device identity and posture.

Here’s how to get started

When considering implementing a ZTA, it helps to first clarify the fundamental tenets. NIST Special Publication 800-207, Zero Trust Architecture, defines the basic zero-trust tenets as the following:

  1. All data sources and computing services are considered resources.
  2. All communication is secured regardless of network location.
  3. Access to individual enterprise resources is granted on a per-session basis.
  4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
  5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
  6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
  7. The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.

The good news

Some of the zero-trust tenets are common cybersecurity practices that are already in place in most organizations. Many organizations may not realize they are already applying several zero-trust principles; those existing controls may just need to be integrated with newer systems that supply the features missing from the current architecture.

The impact on the mobile world

A secure mobile infrastructure consists of many components that align with current cybersecurity practices. Recently, the NIST National Cybersecurity Center of Excellence (NCCoE) published NIST SP 1800-21 Mobile Device Security: Corporate-Owned Personally-Enabled, which describes some of these components, including enterprise mobility management (EMM) / unified endpoint management (UEM) solutions, mobile threat defense (MTD) / endpoint security tools, and mobile application vetting services. The purpose of this special publication is to demonstrate how organizations can equip themselves with the tools they need to address their mobile security concerns.
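The following is an added illustration, not code from the post, from NIST or from any of the publications it cites: a toy policy decision point that applies tenets 3 through 6 to a mobile access request, combining the user's identity signal with UEM compliance, MTD threat and app-vetting posture, and sizing the session to the resource's criticality. All field names, threat-level strings and TTL values are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Criticality(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

@dataclass(frozen=True)
class DevicePosture:
    """Posture signals as a UEM/EMM and an MTD tool would report them (field names are assumptions)."""
    uem_enrolled: bool        # device is managed at all; an unmanaged asset gets no implicit trust
    uem_compliant: bool       # passcode set, OS patched, encryption on, not jailbroken/rooted
    mtd_threat_level: str     # "none", "low" or "high", as reported by the mobile threat defense agent
    app_vetted: bool          # the requesting app passed application vetting

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    mfa_verified: bool        # identity signal from the IdP for this session
    criticality: Criticality  # criticality of the requested resource
    posture: DevicePosture

@dataclass(frozen=True)
class Grant:
    allowed: bool
    reason: str
    ttl_seconds: int          # per-session lifetime; shorter for more critical resources

SESSION_TTL = {Criticality.LOW: 8 * 3600, Criticality.MODERATE: 3600, Criticality.HIGH: 900}

def decide(req: AccessRequest) -> Grant:
    """Tenets 3, 4 and 6: a per-session, strictly enforced decision over identity, asset and app."""
    p = req.posture
    if not req.mfa_verified:
        return Grant(False, "identity: MFA not verified for this session", 0)
    if not p.uem_enrolled:
        return Grant(False, "asset: device is not enrolled in UEM", 0)
    if p.mtd_threat_level == "high":
        return Grant(False, "posture: MTD reports an active threat", 0)
    if not p.uem_compliant and req.criticality >= Criticality.MODERATE:
        return Grant(False, "posture: non-compliant device limited to low-criticality resources", 0)
    if (not p.app_vetted or p.mtd_threat_level != "none") and req.criticality == Criticality.HIGH:
        return Grant(False, "high-criticality resource needs a vetted app and a clean MTD report", 0)
    return Grant(True, "granted", SESSION_TTL[req.criticality])

def still_valid(grant: Grant, elapsed_seconds: int, current: AccessRequest) -> bool:
    """Tenets 5 and 6: monitoring continues after the grant; expiry or a changed posture ends the session."""
    return grant.allowed and elapsed_seconds < grant.ttl_seconds and decide(current).allowed
```

Calling still_valid with the device's latest posture on every request is what turns a one-time login into the continuous, per-session evaluation the tenets describe.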

In addition, the NCCoE is working to provide examples of ZTA, including the management of enterprise mobile devices. This ZTA project will demonstrate how to use several components described in NIST SP 1800-21, along with other components and features, to apply ZTA principles to an organization’s mobile infrastructure. These example solutions will include commercially available products for use by industry and government. With an eye toward the future, the hope is that this example solution will provide a clear roadmap for the cybersecurity community as they develop their own mobile device security strategies that include robust ZTA principles.


Contributors
Gema Howell

Computer Scientist, Applied Cybersecurity Division, National Institute of Standards and Technology (NIST)


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
