Data Security Compliance in the Age of “Work from Anywhere, on Any Device”
Originally published by Ericom here.
Written by Peter Fell, Ericom.
Customer protection and data security regulations vary significantly across industries and compliance requirements vary with them. Rigorously controlling sensitive data and safeguarding it against misuse, exposure and exfiltration, however, is a baseline requirement for virtually all industries – healthcare, financial services, education, utilities and many more.
Compliance has never been simple, but today it is more complex than ever. The pace at which regulations are issued and updated has accelerated sharply, spurred by well-publicised cyber breaches and data leaks. In the work-from-home era, the growth of outsourcing and remote work, driven by cost savings and simplified staffing, has made compliance more complex still. Numerous breaches have been traced to remote employees and third-party workers, who often access organisational resources and apps from their unmanaged personal devices.
Faced with these risks, IT and security professionals would much prefer to lock everything down: ideally by bringing users back to the office and, failing that, by limiting access to managed devices. The business side of most organisations, however, is adamant about keeping the flexibility and cost savings of remote access, and wants every user to be able to connect from anywhere so that the business can continue without such barriers.
These conflicting positions and trends put compliance professionals in a tough spot. Regulations are being strengthened, business practices are growing more inherently risky, and the fragmentation of the application environment, combined with the shortage of cybersecurity professionals and acceleration of update/patch cycles, makes compliance ever more difficult to achieve and maintain.
The unmanaged device conundrum
As organisations move to cloud operations, the ease with which corporate apps can be used from anywhere, on any device, has grown dramatically, and with it the pressure on compliance teams. Whether the unmanaged endpoints are BYOD devices used by employees or laptops used by third-party or gig workers, without device-based controls it is a significant challenge to enforce essential elements of compliance:
- Providing secure user access to corporate apps
- Controlling and managing endpoint risk posture without installing client software
- Preventing users from downloading sensitive data onto untrusted devices
- Protecting corporate apps from exposure to device-mediated risks
- Preventing threat actors from accessing corporate apps via untrusted devices.
Without controls on the user's device, sensitive data from apps – even those requiring strong authentication – can be downloaded and stored on the device, in clear violation of regulations governing industries such as healthcare and financial services. An unmanaged device may be infected with malware that lets a threat actor exfiltrate data from enterprise or SaaS apps, or malware on the device may be uploaded to an app when the user connects. In one recently disclosed example, an Office 365 flaw could allow a logged-in user's web session to be hijacked, enabling threat actors to change SharePoint settings and encrypt files in a ransomware attack.
In-app controls can address some of these issues, but procedures for promptly updating policies and patching apps are notoriously weak or absent in most organisations. Moreover, the web application firewalls (WAFs) that organisations rely on to keep their apps safe have proven insufficient for the task: studies by organisations such as the Ponemon Institute have found that organisations are frustrated with their WAFs, citing the large numbers of false positives they generate while many actual attacks produce no alert at all.
Compliance for app access from unmanaged devices
To adequately address the operational, financial, security and compliance needs of modern distributed organisations, compliance professionals and the security staff that support them need to:
- Enable users – employees and third parties such as contractors and partners – to access applications from unmanaged or unknown devices in compliance with industry regulations
- Enforce compliance without requiring users or IT staff to install software, agents or plugins on BYOD devices
- Ensure that device posture requirements are met – anti-virus versions, which software is running – or, alternatively, mitigate the risks that arise when those requirements are not met
- Provide a simple, seamless user-application experience, without degradation due to security measures
- Manage and enforce security policies centrally, to ensure that they are applied regardless of who the user is, what device they are on, and from where they connect
- Document compliance with detailed audit trails and reports of attempted breaches, including attempts to download sensitive information that were blocked (who, where, when, etc.)
Because unmanaged devices cannot be trusted, a Zero Trust approach is essential when designing secure access to apps and internal resources. Rather than trying to ascertain whether an unmanaged device is safe enough for its user to be allowed access to sensitive information, the access method should protect the data and apps on the assumption that the device is NOT safe.
Fortunately, Zero Trust solutions that provide secure access for third-party contractors and employees on unmanaged devices are now available. Look for products that let you control access to your applications and restrict users' data-sharing privileges by setting user-level policies on which apps they can connect to and how they may use them. Finally, consider the difficulty of implementing controls on unmanaged devices and favour clientless solutions, so that you do not need to install – and keep updating – software on endpoint devices.