What does zero trust mean for mobile devices in the enterprise?

Mobile threats are on the rise, and traditional defenses aren't enough. Zero trust is one approach that helps keep corporate resources secure as mobile devices interact with them.

Mobile device threats have become one of the fastest-growing issues facing enterprise security teams.

The surge is driven by the usual suspects, including an explosion of BYOD and hybrid work policies. Because of this, traditional perimeter defenses around corporate networks are no longer enough.

IT leaders must confront a vital question: How should organizations ensure that mobile devices continuously prove that they're secure and trustworthy before they can access corporate resources? The answer is to apply zero-trust principles to enterprise mobility.

To protect against modern threats, learn how to map zero-trust principles to mobile devices, networks and apps, as well as what that means for implementation.

What "zero trust" means in practice

In general, zero trust is a relatively simple concept to understand. No device, user or application should be trusted and allowed to communicate with corporate assets by default. Instead, the core assumption of zero trust is that a breach already exists or could happen at any time. This assumption acts as a catalyst to apply the following protections:

  • Every access request must be explicitly verified.
  • Users and devices receive the absolute minimum level of access required.
  • All access is continuously monitored and validated.

If any of those checks fail, access is simply denied or severely limited until the device, user or application can prove it meets the necessary security requirements.

This zero-trust architecture contrasts with traditional security, which inherently trusts anything inside the corporate network and only blocks what is outside the enterprise network boundary. This model no longer works because threats are now just as likely to reside inside the network as they are to come from outside.

Why zero trust is critical for enterprise mobile devices

Mobile devices introduce new risks that traditional security models were never built to handle. For example, a lost or stolen phone can give attackers access to corporate email, files and other apps. Employees also routinely connect to public Wi-Fi, open links in text messages or download risky apps -- even if they've completed security training. With BYOD programs now widespread and difficult to reverse, corporate data routinely resides on personal devices, creating tremendous risk.

Traditional mobile management approaches also fall short in protecting enterprise apps and data. Basic MDM tools and VPNs were designed to control the device or tunnel traffic back to the corporate network. However, these tools assume the device itself is safe once it connects. That assumption breaks down quickly on mobile devices -- especially BYOD endpoints. Because a single compromised device can bypass those controls entirely and directly reach sensitive corporate systems, the attack vector has expanded further.

Zero trust addresses this gap by treating every mobile device as untrusted by default. The model requires the device to continuously prove its identity, its security posture and the legitimacy of each access request before it can obtain any corporate resource.

Mobile devices must now be part of the ongoing identity, access and device-posture control model rather than automatically trusted endpoints.

How zero trust applies to mobile devices, networks and apps

Zero-trust principles become especially powerful when applied directly to mobile devices in enterprise environments. Instead of trusting a mobile device simply because it has an MDM agent or connects through a VPN, zero trust requires ongoing verification of the device, network and apps themselves.

Devices

Every mobile device that requests access to corporate resources must continuously prove its health and security posture. Device security checks verify that the OS is up to date, the device has not been jailbroken or rooted, and no risky apps are running in the background. Device attestation and real-time posture checks replace the old assumption that a managed phone is automatically safe.

Applications

Zero trust also goes beyond device-level controls, applying access controls at the application level. Permissions are granted on a just-in-time basis and can be revoked immediately when they're no longer needed. This limits the potential damage if a malicious app or a compromised legitimate app tries to reach corporate resources. It can no longer infect, steal from or probe other connected apps or data.

Networks

Traditional network-based VPNs grant broad access once a device connects. Zero trust replaces this with zero-trust network access (ZTNA) and microsegmentation. The device only gains access to specific apps and data, not the entire corporate network. Network isolation ensures that even if a device is compromised, it can't move laterally to other systems.

Together, these three interconnecting layers form the foundation of a zero-trust mobile management strategy. Every device is treated as untrusted until it proves otherwise, and every access decision is based on identity, context and current security posture.

Implementation strategies and best practices for IT teams

The good news is that putting zero-trust principles into practice for mobile devices doesn't require a complete rip-and-replace of an organization's existing systems. Most enterprise organizations can build on their current identity, MDM and endpoint tools by using integrable add-ons and making minor policy changes.

One example is how, when combined with strict conditional access policies, identity and access management systems let IT enforce precise rules. For instance, an admin can specify that the system should only allow access if the user has completed multifactor authentication and the device is fully patched and has up-to-date antivirus. Modern MDM, UEM or EMM platforms can serve as the enforcement layer by checking device health and blocking access if anything falls out of compliance.

IT teams should consider the following implementation steps:

  • Begin with a small pilot group rather than trying to roll out everything company-wide.
  • Enable continuous device health checks and attestation so every device must prove that it's secure before it connects.
  • Replace legacy VPN access with ZTNA and microsegmentation so users and devices can only access the specific apps and data they need.
  • Automatically enforce mobile compliance rules, such as blocking access if the OS is out of date or encryption is turned off.

Key questions IT decision-makers should ask before getting started

Before launching a zero-trust initiative for mobile devices, IT leaders should answer a few practical questions:

  • What does the current mobile environment actually look like? To answer this question, be sure to collect information on the current mix of corporate and employee-owned devices, OS types, application ranges, etc.
  • Which identity providers and conditional access tools already exist, and how mature are they?
  • How clear is the organization's visibility into device health and security posture today?
  • What compliance or regulatory requirements might be driving this effort?
  • What is the realistic budget, timeline and level of change management support the organization can expect?

Considering these questions helps align the effort with the organization's current environment and avoid common pitfalls.

Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.

Next Steps

BYOD security risks and how to prevent them

How can an enterprise mobile VPN fit into a mobility plan?

How ZTNA protects against internal network threats

Dig Deeper on Mobile infrastructure