August 28, 2021
Zero Trust Requires Continuous Data and Endpoint Telemetry
Every once in a while, an industry term will get overused by marketing to the point of becoming a cliche. I think “Zero Trust” may have reached this threshold.
In some ways, I understand why this is happening. Security perimeters have become obsolete as people use mobile devices and cloud applications to work from anywhere. Zero Trust — the idea that no entity should be given access until its trust level is verified — has been rapidly introduced as a result of the pandemic.
The issue is that most attempts at achieving Zero Trust access today are a patchwork of disparate products from different vendors connected to virtual private networks (VPN), with rudimentary on-off access controls based on limited visibility. I believe a modern approach to Zero Trust needs to take into account the fact that data has moved to the cloud and users are working from anywhere, on any device and connecting over their own network.
This is why I’m super excited by our latest milestone — we’ve expanded Lookout Continuous Conditional Access (CCA) by integrating our security and access platforms. This enables organizations to make detailed and ongoing risk assessments of endpoints and users and apply that information to very granular access controls that ensure business continues securely.
Pandemic response and the current state of the art
I know most of us are tired of talking about the impact of the pandemic, but it was a watershed event in remote working. Most organizations I speak to had to rapidly extend their existing enterprise apps to all their employees, remotely. And since many have already embraced the cloud and had a remote access strategy in place, typically a VPN, they simply extended what they had to all users.
CEOs and COOs wanted this to happen quickly and securely, and Zero Trust was the buzzword that most understood as the right way to make this happen. So vendors all started to explain how their widget enabled Zero Trust, or at least a part of it.
But remember, the idea of Zero Trust was conceived way back in 2014. A lot has changed over the last seven years. Apps and data that have moved to the cloud do not adhere to corporate domain-oriented or file-based access controls. Data is structured differently or unstructured. Communication and collaboration tools have evolved. And the endpoints people use are no longer limited to corporate-issued and managed, domain-joined Windows laptops. Equally, the types of attacks we are trying to stop have evolved. So our concept of Zero Trust has had to evolve as well.
Extending VPNs was the default response to remote work, and many organizations included it as part of their Zero Trust strategy. But bolting two-factor authentication and network access control (NAC) onto a VPN is the opposite of least-privilege access. NAC is a two-decade-old technology that only detects whether an endpoint is managed and has antivirus, and VPNs give anyone who connects unlimited access.
It starts with better telemetry
Many access products on the market today check security postures of users or endpoints at the moment they connect to the infrastructure. But that’s not enough. Just because a user remembers their password, provides a second factor of authentication and uses a managed device with antivirus, doesn’t mean they are trustworthy.
To make smart access decisions that safeguard sensitive data and don't hinder productivity, your cloud security best practices need to include deep visibility into all endpoints, data and apps within your organization.
Device telemetry:
To deploy a modern Zero Trust architecture, you need to track the constant change in risk levels of all user devices, including iOS, Android and Chrome OS devices. These endpoints are the leading targets for advanced persistent threat (APT) reconnaissance and attacks that steal login credentials due to the effectiveness of mobile phishing. Mobile devices are rarely connected to enterprise perimeter security as they are usually on cellular or public or home Wi-Fi. They also frequently have OS and app vulnerabilities that open doors for exploitation and data leakage.
User behavioral analytics:
Users, in many ways, are just as complex and require continuous risk assessments. For example, it’s critical to understand typical user behavior for anomaly-based detection. Since access to all apps and data can occur over our access platform, we have in-depth knowledge of users and their usual activities. We can use this to detect anomalous behavior that may indicate theft of their credentials or an insider threat and control access accordingly.
Data sensitivity:
Continuous assessment of your users and endpoints is essential. But the flip side of that is knowing the sensitivity of the data they access. To ensure your workers have what they need to stay productive while also safeguarding sensitive data, policy enforcement should be able to map risk with data sensitivity.
We integrated them into a single platform
By integrating our security and access platforms we are able to extend Lookout CCA and provide a modern approach to Zero Trust. With insights into endpoints, users, networks, apps and data, we provide unprecedented visibility to organizations, enabling them to effectively detect threats and anomalies, support compliance requirements and ultimately stop breaches.
From an endpoint perspective, CCA enables your policies to take into account all the typical endpoint indicators, such as malicious apps, compromised devices, phishing attacks, and device and app vulnerabilities. Our access platform then adds indicators of anomalous user behavior such as large downloads, unusual access patterns and unusual locations. And our data loss prevention (DLP) capabilities enable us to assign a sensitivity level to what the user is attempting to do.
All of this telemetry can then be used to respond appropriately. We can restrict access to sensitive data, request step-up authentication, or take specific action on the content itself, such as masking or redacting certain keywords, applying encryption or adding a watermark. And if what is occurring is a breach, we can shut down access altogether.
Let me give you an example: an employee who uses their personal smartphone for work may have a consumer app that has servers in a foreign location banned by regulations to hold certain data. Or maybe that user’s phone has an older operating system with known vulnerabilities.
Lookout CCA would be able to detect the app and the servers it connects to. The organization could write a policy that revokes download privileges for any endpoint with that risky app, so regulated data cannot be exfiltrated. Alternatively, the organization could dictate that any regulated data has to be encrypted by enterprise digital rights management (EDRM) so that even if they get downloaded or shared, only authenticated and authorized users can have access. Lookout will also send remediation instructions to the user, telling them that they will regain access once they install the app.
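To make the policy logic in this scenario concrete, here is a small, added example that is not Lookout's code: it combines constructed device telemetry (an app whose servers sit in a regulator-banned region, an outdated OS), user anomaly signals and the data's sensitivity label into one enforcement outcome and a remediation message. The region names, OS version thresholds and outcome names are assumptions.

```python
from dataclasses import dataclass

# Constructed policy inputs (placeholders, not Lookout's real values).
BANNED_REGIONS = {"REGION_BANNED"}          # regulator-prohibited hosting location
MIN_OS_MAJOR = {"android": 12, "ios": 15}   # oldest OS major version treated as patched

@dataclass
class Device:
    platform: str
    os_major: int
    app_regions: dict   # installed app -> region where its servers are hosted

@dataclass
class UserSignals:
    unusual_location: bool = False
    large_download: bool = False

def device_risks(dev):
    """Endpoint indicators derived from (constructed) device telemetry."""
    risks = [f"risky_app:{app}" for app, region in dev.app_regions.items()
             if region in BANNED_REGIONS]
    if dev.os_major < MIN_OS_MAJOR.get(dev.platform, 0):
        risks.append("outdated_os")
    return risks

def decide(dev, user, sensitivity, action):
    """Map endpoint risk + user anomalies + data sensitivity to one outcome."""
    risks = device_risks(dev)
    if user.unusual_location and user.large_download:
        return "block", risks                   # breach-like pattern: shut down access
    if sensitivity == "regulated":
        if action == "download" and any(r.startswith("risky_app:") for r in risks):
            return "deny_download", risks       # keep regulated data off the risky app
        if "outdated_os" in risks:
            return "encrypt_edrm", risks        # allow, but only EDRM-protected copies
        if user.unusual_location:
            return "step_up_auth", risks        # ask for a fresh second factor
    return "allow", risks

def remediation(risks):
    """Instructions sent to the user so they can regain access."""
    steps = []
    for r in risks:
        if r.startswith("risky_app:"):
            steps.append(f"Remove {r.split(':', 1)[1]} to restore download access")
        elif r == "outdated_os":
            steps.append("Update the OS to a supported version")
    return steps
```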
In short, we're in complete control from endpoint to cloud. That’s the benefit of an integrated security and access platform, and that’s the way we believe a modern Zero Trust architecture should be designed.
To learn more about our endpoint-to-cloud solution, check out our platform page.