Why securing end-user devices is a key part of the Zero Trust journey

Author: Jason Fairburn, Co-founder and COO, Devicie

Since the world changed at the end of 2019, one topic dominating the cybersecurity conversation is Zero Trust – possibly because it is being pitched as the holy grail to prevent unauthorised access. Microsoft recently found 96 per cent of security decision-makers say Zero Trust is critical to their organisation’s success. Their primary motivations? To improve their overall security posture and the end-user experience, while staying true to the ‘never trust, always verify’ essence of Zero Trust. 

Zero what? 

While some of the conversations around Zero Trust are helpful, there is also a lot of noise, and competing claims can blur its meaning. Zero Trust is not a new concept – practitioners have been talking about and facilitating de-perimeterisation for decades. It just happens to be the current market terminology for it. 

In my opinion, the mixed messaging is sometimes the result of vendors cherry-picking the elements of Zero Trust that happen to match their own capabilities. Then there’s the changing threat landscape. Early Zero Trust thinking still assumed a defined corporate network and relied on segmentation within it to keep attackers away from sensitive systems. Then along came the cloud and the Internet of Things, quickly making that traditional network perimeter redundant. This in turn has led to the rise of identity-based access, which is now a core component of Zero Trust. 

“No access unless explicitly allowed” 

For the sake of simplicity, I’ll define Zero Trust in five words: “No access unless explicitly allowed”. Alongside this definition, it’s important to highlight that we are talking about a philosophy covering people, technology and process, not a product you can buy off the shelf. 

It’s worth noting my use of inclusive language. The reason is that the success of Zero Trust rides on the ability of people to do their work productively. In other words, security controls only hold if the end-user experience is a positive one. A poor user experience will only see people trying to circumvent the very controls Zero Trust seeks to enforce. 

One element that often gets overlooked is leaving room for the business goals that good security enables. Of course, it is critical that people whose identity and device have been verified can reach the resources they need, and that nobody else can. But in a hybrid working world it is now more important than ever to reconsider how both security and business requirements can be met. 

According to Gartner, 82% of organisations intend to permit remote working some of the time – even after employees start returning to the workplace.  

Future State is what’s missing from the Zero Trust conversation (and it shouldn’t be) 

A successful approach to Zero Trust requires many elements that have been widely written about and accepted. Rather than reinventing the wheel, I want to highlight something that isn’t talked about enough: how moving to the future state for device security and management can lift organisations a long way towards Zero Trust, while at the same time supporting business productivity and a positive end-user experience. 

A critical component of any organisation’s Zero Trust journey is the ability to manage its endpoint fleet effectively. A compromised device, in effect, compromises the whole model: every access decision made about a user is only as trustworthy as the device presenting the credentials. User identity is most exposed at the endpoint, where the possibility of credential theft is ever-increasing. 

How Devicie helps facilitate Zero Trust for organisations 

Devicie has many automated capabilities that help organisations close the gap on Zero Trust by meaningfully uplifting the security of their end-user fleet. Some of these include: 

  • Encryption – Devicie ensures local disk encryption is enabled on every device and audited from the first login 
  • Access controls and privilege management – Devicie ensures managed devices do not carry unnecessary privilege, limiting lateral authentication and movement; this also prevents the widespread access that results from poor practices such as standing local administrator rights 
  • Application management – Devicie provides a workflow to authorise applications and makes them available from a centralised location, using certificate chaining so that unapproved packages are neither deployed nor executed 
  • Patching in a timely manner – This covers both operating systems and the application layer, so that a device’s patch state can feed access rules for internal resources and support the other Zero Trust controls in your organisation 
  • Remove VPN requirements for management – The Devicie platform manages devices natively over the Internet, with no additional software or overhead 
  • Enforce processes for endpoint management – Devicie enforces an approval process and workflow for the management and upkeep of all areas of the endpoint, including policies, procedures, deployments and even pilots of new applications 
  • Device hardening – Devicie ensures unnecessary services and functions of the operating system are not left available for exploitation by malicious actors 
  • Consistent deployment – Devicie extends the user’s identity to operating system sign-in, so the agents required for authenticating to the organisation’s apps are deployed transparently and configured as part of the standard operating environment (SOE). 
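To make the encryption, privilege, patching, hardening and application-control points above concrete, here is an added example of the kind of posture check a practitioner would run against a Windows endpoint. It is not Devicie code and is not part of the original article; it uses only built-in Windows PowerShell cmdlets. The allowed-administrator list, the list of services treated as unwanted, and the 14-day patch window are assumptions to be replaced with your own baseline.

```powershell
# Added example: endpoint posture audit for the controls listed above.
# Not Devicie code. Run in an elevated PowerShell session on Windows 10/11 Pro/Enterprise.
function Test-EndpointPosture {
    param(
        [string[]]$AllowedAdmins    = @('Administrator'),                        # assumption: your break-glass account(s)
        [string[]]$UnwantedServices = @('RemoteRegistry', 'SSDPSRV', 'upnphost'), # assumption: pick per your hardening baseline
        [int]$MaxPatchAgeDays       = 14                                          # assumption: your patch SLA
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Encryption: the OS volume and every fixed data volume must have BitLocker protection on.
    try {
        foreach ($v in (Get-BitLockerVolume -ErrorAction Stop)) {
            if (($v.VolumeType -in @('OperatingSystem', 'Data')) -and ($v.ProtectionStatus -ne 'On')) {
                $findings.Add("Encryption: BitLocker protection is $($v.ProtectionStatus) on $($v.MountPoint)")
            }
        }
    } catch {
        $findings.Add("Encryption: could not query BitLocker ($($_.Exception.Message))")
    }

    # 2. Privilege: local Administrators should contain only the expected accounts.
    #    Any domain or cloud group that is nested here is flagged too; that is deliberate.
    try {
        foreach ($m in (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)) {
            $account = ($m.Name -split '\\')[-1]
            if ($AllowedAdmins -notcontains $account) {
                $findings.Add("Privilege: unexpected local Administrators member $($m.Name) [$($m.ObjectClass)]")
            }
        }
    } catch {
        $findings.Add("Privilege: could not enumerate local Administrators ($($_.Exception.Message))")
    }

    # 3. OS patching: at least one update must have been installed inside the SLA window.
    #    Get-HotFix only sees OS updates; application patching needs a separate check.
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
              Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest -or ((Get-Date) - $latest.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
        $findings.Add("Patching: no OS update installed in the last $MaxPatchAgeDays days")
    }

    # 4. Hardening: services outside the baseline must be both stopped and disabled.
    foreach ($s in (Get-Service -Name $UnwantedServices -ErrorAction SilentlyContinue)) {
        if ($s.Status -eq 'Running' -or $s.StartType -ne 'Disabled') {
            $findings.Add("Hardening: service $($s.Name) is $($s.Status), start type $($s.StartType)")
        }
    }

    # 5. Application control: an effective AppLocker policy with at least one rule collection must exist.
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        if (-not $policy -or @($policy.RuleCollections).Count -eq 0) {
            $findings.Add("Application control: no effective AppLocker rule collections")
        }
    } catch {
        $findings.Add("Application control: could not read AppLocker policy ($($_.Exception.Message))")
    }

    return $findings
}

# Exit 0 when compliant, 1 otherwise, so the script can be used as a detection check.
$result = @(Test-EndpointPosture)
if ($result.Count -eq 0) {
    Write-Output "PASS: endpoint meets the baseline"
    exit 0
}
$result | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

The script reports every gap rather than stopping at the first one, so a single run gives the full list of deviations for a device. The exit-code convention (0 compliant, non-zero otherwise) is the shape management platforms generally expect from a detection script, which is what lets the same check drive an access rule of the kind described in the patching point above.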

As a cloud-native platform, Devicie gets organisations to that future state quickly. The platform onboards employees remotely over the internet and ensures their devices are up to date and configured for their mode of working, even before they first log in. Patches for applications and operating systems (across Android, macOS, iOS and Windows) are applied automatically to each end-user device whenever an update is made available. Meanwhile, employees can access and install any approved line-of-business application they need via a company portal, removing the need to grant them admin privileges. Not only does this provide the much-needed balance of security and productivity, it also gives organisations a straightforward way of meeting the endpoint controls of the Essential Eight, CIS, NIST and other frameworks. 

In conclusion, as with any security control or approach, every organisation working towards Zero Trust needs to consider all the prerequisites and prioritise them against the level of risk it is willing to accept. Devicie is certainly not claiming to be the holy grail, but it is a tool that can close significant gaps on your Zero Trust journey. 

If you are interested in talking to us about your end-user device security or you would like a demo of the Devicie platform, please get in touch – we’d love to help. 

Related resources

Devicie Essential Eight: Capabilities statement
This document outlines how Devicie helps organisations to quickly implement key ASD Essential Eight controls on end-user devices.

How Devicie automates Essential Eight controls on end-user devices
Devicie automates Essential Eight controls on end-user devices, so organisations can ensure security and productivity.

A new approach to UEM for a post-COVID workplace
By adopting SOE as a service, organisations can maximise the ROI from their existing UEM investments.