SAN DIEGO — Remote work is a reality of the modern business landscape. But backend technologies that support this simple concept aren’t always easy to implement.
At Jamf Nation User Conference 2022, an annual event hosted by Apple management software and services provider Jamf, expert speakers and session leaders highlighted the importance of zero trust. The Zero-Trust Security Model – an approach to end-user security that verifies and enforces users through a default authentication process rather than trusting a device, set of user credentials user or any other component – is particularly critical in a remote working environment.
The latest features in Jamf’s Apple management software suite can help organizations adopt a zero-trust architecture. But organizations must invest significant resources and time to implement and maintain zero trust.
“Zero trust is the way of the future, but it’s not just a switch you can flip,” said Chris Cashman, IT and security manager at Allwhere, a management services provider. material inventory. “Zero trust will be difficult to implement until it is truly transparent.”
Why is zero trust important?
When all users were in the office, there was an inherent authentication factor: the location of a user’s connection to the network. When remote working became the norm in many organizations, IT teams needed to ensure that all outside users trying to access corporate data went through the proper authentication channels. An attack that bypasses these protections can lead to devastating results if zero trust is not in place.
Daniel Williams, internal systems manager at an ISP in Tennessee, once received a support call from a user who was having trouble accessing his files.
“I ran upstairs to the server room and manually unplugged all the power outlets to turn everything off because I realized we were in the middle of an attack,” he said. -he declares.
Daniel WilliamsResponsible for internal systems at an ISP
Williams’ quick response saved his organization from unknown problems. But organizations don’t want to rely on such heroic acts to protect their data.
“Zero trust is what we should have done as administrators all along,” Williams said. “There should always be siled access to data and no assumption that any device or user is secure.”
A zero-trust authentication approach can prevent security breaches from escalating to affect credentials that have access to an organization’s entire backend system.
The long road to zero trust
The adoption of Zero Trust is growing in the company. But IT teams face challenges when trying to implement a Zero Trust architecture.
Adopting Zero Trust will take time
Moving from a VPN security framework to zero trust is like moving from an on-premises management platform to a cloud-based one. The post-transition benefits are clear and undeniable, but getting there can tie up much of an IT department’s most valuable resource: time.
Additionally, zero trust is not something IT can implement without a consistent and hands-on approach to maintenance. With each new operating system and application update for Apple devices, Jamf administrators should ensure that they enforce the appropriate minimum state of each application and operating system.
Adherence and awareness of end users
Zero-Trust authentication should not hinder productivity. In some cases, this can actually simplify the authentication process while helping with security posture.
For example, consider a user with multiple MFA login prompts at the start of a work session. These can be for desktop, a VPN, Microsoft 365 suite, and even custom or legacy apps. Excessive prompts to authenticate can lead to alert fatigue, where a user becomes so accustomed to approving many prompts that they stop paying close attention to the validity of each authentication attempt.
The goal should be to explain to users why alerts occur and how to recognize fraudulent prompts while limiting the number of such prompts. Alerts can come from authentication methods such as SMS messaging, unique email links and biometric factors – and these are not always without risk.
“There are so many factors you can authenticate with beyond 2FA via SMS, and 2FA enables SMS-based hacking attempts like SMS bombing,” Cashman said.
Not all authentication processes even need to be user-facing; this can happen behind the scenes without any user interaction. IT teams can configure zero-trust authentication to recognize factors such as user location and login time. This can reduce the number of prompts a user receives, resulting in a positive UX. IT can also implement automation that can verify users without them taking any action.
How Jamf Supports Zero Trust
The building blocks of zero-trust security have been around for a long time. But at JNUC 2022, a few innovations and integrations for Jamf customers stood out.
Jamf Pro, for example, can apply Jamf Private Access Controls to block compromised users and devices when a compliance issue is present. Apple administrators using Jamf can also prevent devices that don’t have data encryption from accessing corporate apps. Jamf Pro and Jamf Private Access rely on third-party cloud identity management technologies already present in an organization, as Jamf does not offer a complete identity platform. Vendors such as Okta, VMware, Google, Microsoft, and IBM offer identity management products that provide cloud-based authentication for all enterprise resources.
Additionally, Jamf announced new integrations with Google and Microsoft to enable zero-trust access and compliance controls. In early 2023, Jamf will support Google’s BeyondCorp Zero Trust Framework on iOS devices, a feature already available to macOS administrators.
Checking the status of an Apple device is central to Jamf administrators’ ability to enable non-trust access. Later in 2022, Jamf will release its Microsoft Device Compliance integration for macOS, which is already available for iOS devices. This will give IT admins the flexibility to define compliance states within Jamf Smart Groups – a classification that allows IT to apply deployment and update rules to groups of devices in bulk – to determine the state a device must be in to access corporate apps and data. This integration will also include a Device Risk Score, a metric based on several factors that can help assess which devices are the most dangerous.
Zero trust is not for everyone – yet
The benefits of zero-trust architecture are clear, but it’s not a universal answer for all organizations. Some organizations may not have the IT staff to create and maintain a zero-trust architecture. Others may find it contrary to their culture.
“We have a whole company philosophy around trusting our employees,” said Phil Staudacher, senior IT engineer at CMR Surgical. “We give them advice and end-user training to keep our devices safe.”
Highly regulated industries may need to take the zero-trust approach, but Staudacher doesn’t see it as a universal necessity, he said.
“We would much rather observe and detect than intervene with a hammer,” he said.
Zero trust creates barriers between users and the data they need, but organizations can compensate for these barriers with less invasive authentication methods whenever possible.
According to a July 2022 Forrester Research study, only 6% of companies have fully implemented zero trust. Despite this, a June 2022 ESG study reported that 90% of IT security professionals surveyed rank zero trust as one of their top three priorities from a security perspective.
The road to full adoption of zero trust is long and potentially difficult, not to mention the task of maintaining this architecture over time and as threats evolve. But many organizations start this journey with guidance from their technology vendors.