The traditional layered security model of defending the perimeter no longer protects the enterprise. Thanks to work from home, mobile employees, mobile in-store experiences and more, the perimeter as we know it has effectively dissolved. Even with trusted vendors and a secure network, the SolarWinds incident highlighted supply chain risk.
Zero Trust first emerged as a network security strategy, but today leading-edge organizations apply it to mobile apps and devices. In fact, Microsoft identifies six core components that must be addressed in a Zero Trust approach:
Zero Trust principles include verify explicitly, use least privileged access and assume breach.
In 2018, the National Institute of Standards and Technology published the NIST 800-207 guidance for Zero Trust Architecture. It defines Zero Trust as “protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
On Feb 21, 2021, the National Security Agency urged all commercial enterprises and federal agencies to shift expeditiously to a Zero Trust model.
“Adopting the Zero Trust mindset and leveraging Zero Trust principles will enable systems administrators to control how users, processes, and devices engage with data. These principles can prevent the abuse of compromised user credentials, remote exploitation, or insider threats, and even mitigate effects of supply chain malicious activity.
NSA strongly recommends that a Zero Trust security model be considered for all critical networks within National Security Systems, the Department of Defense’s critical networks, and Defense Industrial Base critical networks and systems. NSA notes that Zero Trust principles should be implemented in most aspects of a network and its operations ecosystems to become fully effective.”
We find many Zero Trust organizations worry about devices like smartphones, tablets and laptops, but ignore the mobile applications on those devices that can put the enterprise at risk. While mobile malware does exist, app vulnerabilities and sensitive data leakage typically put organizations, employees and customers at far greater risk.
Consider these security weaknesses stemming from popular mobile apps that employees may have on their devices:
To help organizations better track and respond to mobile app breaches and risks, NowSecure maintains a public breach tracker and offers the following five best practices for mobile app security in a Zero Trust model:
Expect Zero Trust to become a core strategy in most enterprise risk management frameworks over the next few years. In the meantime, organizations shouldn’t overlook the already present dangers in their mobile app portfolios. They can protect themselves efficiently and cost effectively by applying the five key best practices outlined above, including deploying NowSecure Platform for mobile app vetting. For valuable advice about launching or improving a mobile app security program, download the Mobile App Security Program Management Handbook.