When CISOs look out over the vast landscape of private applications, data, and systems they must safeguard, they see a terrain littered with unmanaged devices.
Why do so many devices fly under the radar of IT security these days? In 2019, just before the world turned upside down from the pandemic, a Forrester survey found that 69 percent of respondents claimed half or more of the devices on their networks were either unmanaged or IoT devices outside their visibility. In the same study, 26 percent indicated they had three times as many unmanaged devices as managed devices on their networks.
But as Covid-19 sent workers home in wide swaths, the number of devices exploded — and organizations like NYC Cyber Command found themselves facing a sevenfold increase in devices they must manage and a corresponding expansion of their attack surface. Remote users may be connecting to applications through an undeclared personal device. Or potentially, they do not want or have the ability to deploy a VPN agent or any kind of client to those devices.
The pandemic, though, isn’t the only culprit behind the proliferation of unmanaged devices — as mergers and acquisitions tick up, so do the number of unmanaged assets, amplifying the security challenges. IT teams not only have to deploy agents, they also need to keep those agents up to date. And obviously, if they don’t do that, those agents could be rife with technical vulnerabilities that can incur risk. Another issue centers on the increased number of organizations using third parties to do work for them. And again, those third-party contractor partners are not going to be using managed devices configured by another organization. But in order to do business with that organization, the third-party contractors need access to a certain subset of applications.
The upshot? Organizations are lacking information on the devices being used, but still need to provide access to the applications and data needed by workers in order to perform their jobs, often without the benefit of security services tied to those users’ devices.
While overwhelmed security teams struggle to gain visibility into and control over the devices in their environments, bad actors have seized a golden opportunity. Left unchecked, unmanaged devices pose great — and preventable — danger to corporate networks. Risks include:
- Increased likelihood of data leaks
- Networks open to unauthorized access
- Difficulty in regular patching, which might even be impossible
But even as danger looms, many organizations aren’t acting quickly enough — or at all.
Data from ZK Research shows that nearly half of IT teams are simply guessing as to what devices are on their networks, or they have tried to “MacGyver” existing solutions to gain visibility into them. What is clear is that those approaches don’t work. Simply extending the capabilities of VPNs, once a stalwart way to protect access from managed or unmanaged devices, just doesn’t cut it. At the onset of the pandemic, for instance, VPNs were overwhelmed, unable to accommodate the increase in traffic imposed by an exploding remote workforce. They turned off users, who happily worked around the protections provided by VPNs.
Additionally, VPNs just don’t provide sufficient security — they work off of the principle that once a user/device is in, it’s in and trusted, which is far from a safe and managed environment. In that scenario, organizations don’t know if malware has already compromised a device. So threat actors could then exploit a connection type that has been granted access. As soon as a user logs in, potential attacks have the full keys to the kingdom and can run roughshod throughout whatever applications or networks the VPN has granted access to.
Part of the answer to providing secure access to unmanaged devices lies with Zero Trust Network Access (ZTNA), a key component of the Secure Access Service Edge (SASE) framework, which is critical to modern work.
ZTNA can be used to redefine remote work, assuming that all users and devices are suspect (until authenticated), then authorizing connection only to the applications those users need. Coupled with isolation technology, users can be separated from private applications — ensuring that connections are authenticated with embedded security controls. Threat actors are then unable to get to user devices and their applications, while security teams can gain granular control over access — they can limit users’ activities within apps as well, allowing users to read only but not upload or download data. For simplicity, users can be provided with a central URL that provides access only to applications they need to do their jobs. This strategy makes the user experience easier and dramatically lowers the attack surface.
When it comes to securing unmanaged devices, keep the following principle in mind:
Getting there requires a plan.
Whether security teams are trying to wrangle unmanaged devices spawned by the pandemic — perhaps a child’s laptop used by a contractor or a smartphone used by an executive to access corporate private applications and data — or they are trying to manage devices used by employees acquired through M&A or devices that popped up as a result of partnerships, these teams can’t afford to manage “blind.” Taking the following steps can help manage the unmanaged.
- Create a strategy that reflects what work looks like going forward.
Organizations talk about a hybrid work strategy. Define what that means and how to get there.
- Set security policy.
Put down parameters around protecting users while providing access to applications they may need to do their jobs. Include guidance on how policy will be maintained. Ensure that a ZTNA solution has tightly integrated security controls that are on at all times while users are accessing applications.
- Understand what’s out there.
It’s important to assess the devices and assets — or likely assets — in an environment. Each organization can have a wide range of private applications they need to provide access to, so it’s critical to have a full inventory of them in order to provide ZTNA access to all of them. If there has been a recent merger or acquisition, try to understand what applications and data came along with the deal. Most organizations have a roadmap for acquisitions — how they fit into a company’s overall strategy. But other considerations also go into M&A that often go overlooked — like how to integrate the IT systems and all the included devices.
- Seek a solution that doesn’t require jumping through hoops.
Look for something that doesn’t call for making certificate changes or alterations to DNS records.
With an eye on the future, security leaders can easily provide secure access to unmanaged devices in a way that accommodates both IT teams and users. The only unknown, then, becomes how quickly they want to get there.
Learn about new insights aimed at establishing secure network connectivity to employees, no matter where they’re connecting from or what they’re connecting from. Download this SDxCentral Industry Guide on ZTNA.