Alex - stock.adobe.com
SAN DIEGO -- Remote work is a reality of the modern enterprise landscape. But the backend technologies that support this simple concept aren't always straightforward to implement.
At the Jamf Nation User Conference 2022, an annual event hosted by Apple management software and service provider Jamf, the expert speakers and session leaders underscored the importance of zero trust. The zero-trust security model -- an approach to end-user security that verifies and runs users through an authentication process by default rather than trusting a device, a set of user credentials or any other component -- is especially critical in a remote work environment.
The newest features from Jamf's suite of Apple management software can help organizations adopt zero-trust architecture. But organizations must invest significant resources and time to implement and maintain zero trust.
"Zero trust is the way of the future, but it's not just a switch you can flip," said Chris Cashman, head of IT and security at Allwhere, a zero-touch inventory management service provider. "Zero trust will be difficult to implement until it can be truly seamless. "
Why is zero trust important?
When all users were in the office, there was an inherent authentication factor: the location of a user's login to the network. When remote work became the norm in many organizations, IT teams needed to ensure that all outside users trying to access company data went through the proper channels of authentication. An attack that bypasses such protections can lead to devastating results if zero trust is not in place.
Daniel Williams, head of internal systems at an ISP in Tennessee, once got a support call from a user that was having trouble accessing their files.
"I ran upstairs to the server room and manually pulled every power plug to shut everything down because I realized we were in the middle of an attack," he said.
Daniel WilliamsHead of internal systems at an ISP
The fast response from Williams saved his organization from unknown amounts of trouble. But organizations don't want to rely on such heroics to protect their data.
"Zero trust is what we should have been doing as administrators all along," Williams said. "There should always be siloed access to data and no assumptions that a device or user is secure."
A zero-trust approach to authentication can prevent security breaches from escalating to affect credentials that have access to an organization's entire backend system.
The long road to zero trust
Zero trust adoption is growing in the enterprise. But there are challenges that IT teams face as they try to implement zero trust architecture.
Zero trust adoption will take time
Moving from a VPN security framework to zero trust is like transitioning from an on-premises management platform to a cloud-based one. The post-transition benefits are clear and undeniable, but getting there can take up a lot of an IT department's most valuable resource: time.
Additionally, zero trust isn't something that IT can implement without a consistent, hands-on approach to maintenance. With each new OS and app update for Apple devices, Jamf administrators must ensure they enforce the proper minimum state of each application and OS.
End-user buy-in and awareness
Zero-trust authentication shouldn't hinder productivity. In some cases, it can actually simplify the authentication process while still helping with the security posture.
Consider an example of a user with several MFA login prompts at the beginning of a work session. These could be for the desktop, a VPN, the Microsoft 365 suite and even custom or legacy applications. Excessive prompts to authenticate can lead to alert fatigue, where a user is so used to approving numerous prompts that they stop paying close attention to the validity of each authentication attempt.
The goal should be to educate users on why the alerts happen and how to recognize fraudulent prompts while limiting the number of those prompts. Alerts could come from authentication methods such as SMS messaging, one-time email links and biometric factors -- and those aren't always risk-free.
"There are so many factors that you can authenticate with beyond 2FA via SMS. In fact, these weaker 2FA methods have their own vulnerabilities such as SMS and prompt bombing," said Cashman who worked at Apple before his current position at Allwhere and has experience working with Jamf products.
Not every authentication process needs to even be user-facing; it can happen behind the scenes without any user interaction. IT teams can set up zero trust authentication to recognize factors such as user location and time of login. This can reduce the number of prompts a user receives, which makes for a positive UX. IT can also implement automation that can verify users without them taking a single action.
How Jamf supports zero trust
The building blocks of zero-trust security have been on the market for a long time. But at JNUC 2022, a few innovations and integrations for Jamf customers stood out.
Jamf Pro, for instance, can enforce the Jamf Private Access controls to block compromised users and devices when a compliance issue is present. Apple administrators using Jamf can also prevent devices that don't have data encryption from accessing enterprise applications. Jamf Pro and Jamf Private Access rely on third-party cloud identity management technologies already in an organization because Jamf doesn't offer a full identity platform. Vendors such as Okta, VMware, Google, Microsoft and IBM offer identity management products that provide cloud-based authentication across business resources.
Additionally, Jamf announced new integrations with Google and Microsoft to enable zero trust access and compliance controls. In early 2023, Jamf will support Google's BeyondCorp zero trust framework on iOS devices -- a feature already available for macOS admins.
Verifying the state of an Apple device is central to Jamf administrators' ability to enable zero-trust access. Later in 2022, Jamf will release its Microsoft Device Compliance integration for macOS, which is already available for iOS devices. This will give IT administrators the flexibility to define compliance states within Jamf Smart Groups -- a classification that allows IT to apply deployment and update rules to groups of devices in bulk -- to determine the state a device must be in to access corporate applications and data. This integration will also include a device risk score -- a metric based on several factors that can help assess which devices are the most dangerous.
Zero trust is not for everyone -- yet
The benefits of zero-trust architecture are clear, but it isn't a universal answer for all organizations. Some organizations may not have the IT staff to build and maintain zero-trust architecture. Others may find it clashes with their culture.
"We have a whole company philosophy around trusting our employees," said Phil Staudacher, senior IT engineer at CMR Surgical. "We give them guidance and end-user training to keep our devices secure."
Highly regulated industries may need to adopt the zero-trust approach, but Staudacher doesn't see it as a universal necessity, he said.
"We would much rather observe and detect than come in with a sledgehammer," he said.
Zero trust does create barriers between users and the data they need, but organizations can offset these barriers with less invasive authentication methods wherever possible.
Only six percent of enterprise organizations have fully implemented zero trust, according to a July 2022 Forrester Research study. Despite this, a June 2022 ESG study cited that 90% of surveyed IT security professionals see zero trust as one of their top three priorities from a security perspective.
The path to full zero trust adoption is long and potentially challenging -- not to mention the task of maintaining this architecture over time and as threats evolve. But many organizations are beginning this journey with the guidance of their technology vendors.