By Deepak Mishra
The increased use of cloud applications and the evolving modern work environment have significantly raised the risk of threats to all endpoints. Implicit trust in these endpoints is no longer feasible, as malicious entities can easily exploit it. Consequently, endpoints become prime targets for attackers looking to exploit gaps in protection measures and compromise organizational security. Focusing solely on securing managed devices is insufficient to address threat exposure and implicit trust issues. It is crucial to apply security measures and maintain visibility for unmanaged devices that access corporate resources. Zero trust is a security paradigm that replaces implicit trust with explicit trust by continuously assessing risk and trust levels based on identity and context.
To mitigate increased threat exposure and implicit trust in endpoints within modern work environments, security and risk management leaders should extend zero-trust principles to endpoints accessing corporate resources. They should continuously verify device, user, configuration, and identity permissions to reduce the attack surface and provide secure, limited access to resources on unmanaged devices using technologies such as enterprise browsers, clientless ZTNA, and virtual desktop infrastructure (VDI)/desktop as a service (DaaS).
Security and risk management (SRM) leaders responsible for endpoint security must take into consideration the following steps while implementing zero-trust principles on endpoint devices.
Assess Current Security Systems First
Zero trust is not merely a technology or tool; it is a strategy that transitions from an implicit trust model to an explicit trust model, where each access request is authenticated and validated. Zero trust reduces the attack surface through risk-based adaptive access and continuous verification. Organizations must begin their zero trust journey by aligning their security strategy to zero-trust principles.
To transition to a zero-trust posture, security leaders should assess whether their organization has the necessary infrastructure and tools. Start by continuously assessing existing infrastructure and security tooling through the following steps:
- Inventory all endpoint assets accessing corporate resources, including managed and unmanaged devices.
- Compile a list of approved applications and installed applications on all managed devices.
- Enforce built-in security features like host-based firewalls, authentication, access control, device control, and encryption on managed devices.
- Document and remove persistent admin rights for end users on managed endpoint devices, granting admin rights with limited permissions only when necessary.
- Identify and document the existing endpoint security and management technologies already deployed within the organization, along with their respective capabilities and functionalities.
Evaluate the configuration baselines of security controls for effectiveness against zero trust using industry frameworks such as those published by the Center for Internet Security (CIS). Zero trust is a continuous improvement program; organizations should monitor the effectiveness of current investments and fine-tune processes and controls over time to drive maturity.
Integrate EPP and UEM with Other Security Tools
Integrating endpoint security and management tools is crucial for successfully implementing a zero-trust approach. Combining the endpoint protection platform (EPP) and unified endpoint management (UEM) provides unified endpoint security (UES) and allows organizations to achieve comprehensive visibility and better control over managed endpoints. This visibility encompasses device health, operating system and software configurations, and user and application behavior. With a holistic view of endpoints, organizations can better understand their risk exposure and make informed decisions to mitigate potential threats.
Include Unmanaged Devices in Zero-Trust Strategy
Accessing corporate applications from personal devices is becoming the norm. Users expect a flexible working environment, connecting to SaaS-based applications from anywhere at any time. However, the security tools and controls used on managed devices cannot be implemented on unmanaged devices. Organizations should account for these unmanaged devices in their zero-trust strategy and establish policies for them that are distinct from those applied to corporate-managed devices.
Unmanaged endpoint devices, often personal devices used by employees or third-party contractors, are not directly controlled or secured by the organization. In the case of unmanaged devices, zero trust shifts the focus to identity verification, with secure and strict access control of resources and data, regardless of the device’s ownership or location.
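As an added illustration, not code from the article or from Gartner, the Python sketch below turns the assessment checklist earlier in the article (inventory, approved applications, built-in controls, persistent admin rights) and this section's unmanaged-device policy into a small posture check and per-request access decision. The sample inventory, the approved-application list, the 30-day patch threshold, the "critical" findings and the three access tiers (full, limited, deny) are constructed assumptions for the example; in a real deployment these attributes would come from UEM/EPP telemetry and the identity provider, and the decision would be re-evaluated on every access request rather than cached.

```python
"""Baseline assessment and access-tier decision for managed and unmanaged endpoints.

Illustrative example only: the thresholds, tiers and inventory below are
constructed assumptions, not a vendor's or framework's policy.
"""
from dataclasses import dataclass
from datetime import date

TODAY = date(2024, 6, 1)            # fixed reference date so results are deterministic
MAX_PATCH_AGE_DAYS = 30             # assumed baseline: OS patched within 30 days
APPROVED_APPS = frozenset({"browser", "office", "vpn", "edr"})   # assumed allow-list
CRITICAL = {"disk-unencrypted", "persistent-admin"}              # assumed hard-deny findings


@dataclass(frozen=True)
class Endpoint:
    """One row of the endpoint inventory; posture fields are only trusted for managed devices."""
    device_id: str
    managed: bool
    last_patched: date
    firewall_on: bool
    disk_encrypted: bool
    persistent_admin: bool          # user holds standing local admin rights
    installed_apps: frozenset
    mfa_verified: bool              # identity context from the current access request


# Constructed sample inventory.
INVENTORY = [
    Endpoint("LAP-001", True, date(2024, 5, 20), True, True, False,
             frozenset({"browser", "office", "edr"}), True),
    Endpoint("LAP-002", True, date(2024, 3, 1), False, True, True,
             frozenset({"browser", "office", "edr", "torrent-client"}), True),
    Endpoint("BYOD-007", False, date(2024, 1, 1), True, False, False,
             frozenset(), True),
    Endpoint("LAP-003", True, date(2024, 5, 30), True, True, False,
             frozenset({"browser", "edr"}), False),
]


def assess(ep, today=TODAY):
    """Return baseline findings for one endpoint; an empty list means compliant.

    Unmanaged devices give the organization no reliable posture visibility, so
    they are recorded as a single 'unmanaged' finding and no control checks run.
    """
    if not ep.managed:
        return ["unmanaged"]
    findings = []
    if (today - ep.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("stale-patches")
    if not ep.firewall_on:
        findings.append("firewall-off")
    if not ep.disk_encrypted:
        findings.append("disk-unencrypted")
    if ep.persistent_admin:
        findings.append("persistent-admin")
    for app in sorted(ep.installed_apps - APPROVED_APPS):
        findings.append(f"unapproved-app:{app}")
    return findings


def decide(ep, today=TODAY):
    """Map identity context plus device posture to an access tier.

    'full'    - managed, compliant device with verified identity
    'limited' - access only through an isolated channel (enterprise browser,
                clientless ZTNA or VDI/DaaS); all unmanaged devices land here
    'deny'    - identity not verified, or a critical control is missing
    """
    if not ep.mfa_verified:
        return "deny"                       # identity is verified before any device check
    findings = assess(ep, today)
    if not ep.managed:
        return "limited"                    # identity-centric, restricted access for BYOD
    if any(f in CRITICAL for f in findings):
        return "deny"
    return "limited" if findings else "full"


def report(inventory, today=TODAY):
    """Evaluate every inventory entry: device_id -> (tier, findings)."""
    return {ep.device_id: (decide(ep, today), assess(ep, today)) for ep in inventory}


if __name__ == "__main__":
    for dev, (tier, findings) in report(INVENTORY).items():
        print(f"{dev:9} {tier:8} {', '.join(findings) or 'compliant'}")
```

The ordering in `decide` is deliberate: identity is checked first, unmanaged devices are capped at the limited tier regardless of what they self-report, and only a managed device with a clean baseline reaches full access. Running the block prints one line per device, which doubles as the documented inventory the checklist asks for.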
The Necessity of Integrating Zero-Trust with Other Security Strategies
A zero-trust approach alone cannot provide complete protection and is not a comprehensive security strategy. Therefore, integrating a zero-trust strategy with other security measures can compensate for its limitations. The rapidly evolving cyberthreat landscape necessitates adaptable security measures. By combining various strategies, organizations can swiftly respond to new types of attacks.
Different strategies address different risk areas on endpoints. For example, patch management mitigates the risk of software vulnerabilities, while a zero-trust strategy manages the risk of unauthorized access. Combining these strategies enables more effective overall security risk management.
(The author is Deepak Mishra, Sr Director Analyst at Gartner, and the views expressed in this article are his own)