Unmanaged Devices

Why is it important to extend zero trust to unmanaged devices?

We live in a connected world where enterprises no longer operate in a silo. Running a business today requires close collaboration with external organizations – such as technology partners, suppliers, logistics companies and freelancers among others. Unfortunately, giving these collaborators access to your business systems and data massively extends the threat surface to entities that you have no control over – giving threat actors more avenues for accessing your critical systems.

Extending zero trust to unmanaged devices forces these entities to confirm their identity before and during connecting to your systems – preventing threat actors from gaining access to your network through these security gaps.

What’s a good example of this?

Think of an insurance agency working with a customer to file a claim. In addition to internal users, customers, the claimant, adjusters, auditors and a myriad of other stakeholders have to either provide information or access information in order for that claim to be processed accurately and in a timely manner.

Doing this manually over email, FTP or the phone is labor intensive, introduces the possibility of human errors and, frankly, takes a lot of time. Digital transformation over the past several years has streamlined the process by giving these stakeholders access to internal systems through a web-based portal. But, each of these connections provides an opportunity for an enterprising malicious actor that has already breached a partner’s system to spread throughout the insurance company’s network.

Zero trust ensures that all entities – whether they belong to the insurance agency or not – continuously prove trustworthiness to access any system on the network. Extending zero trust to unmanaged devices enables this new collaborative way of working without adding security risk or IT overhead.

Why can’t existing security solutions protect unmanaged devices?

Traditional security tools were designed for the hub and spoke model where a few entities outside a hardened firewall connected to the network through a central control point. All traffic would flow back to the data center where it could be monitored and policies would be applied. Organizations just had to authenticate the entity at the first touch and then not have to worry about monitoring or securing east-west traffic.

However, as we have already established, we don’t live in that world anymore. Not only are internal users, applications, devices and data spread out, external entities spread around the world need access as well. The inability to continually authenticate and restrict access on a granular level is a major security gap that threat actors are using with a high degree of success.

So, what is the right approach to extending zero trust protection to unmanaged devices?

A clientless approach managed from a central control point allows you to extend zero yrust to unmanaged devices in a non-disruptive way. There’s no need to ask partners to install a software client or give up control over their own device. Yet, you gain complete visibility into who the entity asking for access really is and what they are doing. From there, you can provide granular access based on your existing zero trust policies.

Wait, wouldn’t intercepting traffic like this slow performance?

Yes, but only if you routed traffic through a static control point such as a VPN or on-premises firewall. Zero Trust Network Access (ZTNA) uses the public internet to gain this visibility and control – allowing you to continually monitor identity and behavior in order to assess trustworthiness throughout the entire engagement. And, because the cloud is ubiquitous, you can implement zero trust on a global scale wherever you do business without having to worry about latency or bandwidth constraints.

Can this zero trust approach be used to extend protection to other unmanaged devices–such as employees’ personal devices?

Yes, that is the beauty of a clientless, cloud native approach. You only need one security system to cover any type of device – whether they are corporate devices, your employees’ personal devices or a third-party entity. You don’t need to set up separate systems. A clientless approach through the cloud covers them all and provides a single management plane through which you can create, update and apply granular zero trust policies.

How can Menlo Security extend zero trust to unmanaged devices?

Rather than access the original application, the Menlo Secure Cloud Browser creates a rendered display of the application on the endpoint device directly in the user’s browser. There is no inherent trust of web traffic and interactions. As a result, this shields the application from parameter tampering, web scraping, API abuse, and a host of other problems. Even if the endpoint somehow gets compromised, the threat actor cannot get direct access to HTTP headers, content, and the application. Instead, all malicious activity is executed in the Menlo Secure Cloud Browser instead of the endpoint browser.. In addition, to easily support remote access and/or BYOD users, Menlo Secure Application Access has zero touch and agentless deployment for browser-based applications. This agent-free, easy deployment helps organizations: 

• Quickly provision and deprovision access to different applications. This can be done for users in a very secure manner without changing network topology or firewall rules.
• Provide secure access with lower cost and maintenance because there’s no need for hardware, enabling BYOD. 
• Scale quickly with organizational needs because secure access can be deployed within minutes.
• Reduce IT complexity because there’s no need for DNS record updates, no need to import certificates, and no agent is required.