Written by Chris Scheels on May 07, 2020
SDP and Risky Devices: Dynamic Controls for Secure Access
We recently explored the challenges enterprises face in determining the threat risky users pose, and what to do with that information if Identity Management (IM) solutions are siloed from your security tools.
User accounts are only half the battle when it comes to identifying and managing identity risk as both users and devices can pose a threat to your organization. You may have legitimate users on risky devices or have a bad actor gaining access to a user’s device. Due to COVID-19 and expanded telework, the battle lines have shifted rapidly to remote users relying more heavily on BYOD smartphones, laptops, and other potentially risky or compromised personal and even corporate-issued devices to access the network.
Risky Devices and...an identity-centric approach
It is safe to say that when the economy re-opens, the impact of the coronavirus pandemic will leave a lasting imprint on remote workforce structures, which means that organizations will have to remain nimble in adapting their cybersecurity posture to a fluid attack surface. This new normal requires an identity-centric approach to secure access, for which devices play a critical role.
Enterprises struggling to make access and entitlement decisions by querying the acronym salad of Identity Management (IM) tools (UEBA, IGA, PAM, IAM) and endpoint tools (EDR, NAC, CMDB, ATP) lack the connective tissue to bring it together under a single view of identity risk. Identity = user + device; a user can’t access network resources and data without a device. Enterprises must not only trust the person making the access request, but also their device.
AppGate SDP, the industry’s most comprehensive Software-Defined Perimeter solution, is 100% identity-centric and enforces the principles of Zero Trust. It seamlessly integrates with your existing IM and endpoint tools and ties users and devices together through several unique capabilities:
AppGate SDP enables off-the-shelf device posture checking
For devices without enterprise endpoint protection, a deep posture check is critical to limiting risky devices. Built into the AppGate SDP architecture is the ability to conduct a posture check on a device before allowing access, by setting up a set of conditional rules that apply entitlements based on device data.
For example, until you can deploy enterprise device protection for a worker at home using a BYOD laptop with a disabled firewall or an unsupported version of Windows, you can set up a condition that limits access to network databases and other privileged resources.
AppGate SDP doesn’t replace endpoint detection tools, it enhances them
Endpoint protection tools hold value when it comes to monitoring for, detecting and blocking malicious attacks. By leveraging the data from these tools via APIs, you’re able to enhance the secure access capabilities of AppGate SDP. Organizations reduce risk by dynamically detecting whether a device is risky before it connects to the network and can inflict more damage.
Conversely, but equally important, is if a device becomes risky after the initial access request. AppGate SDP monitors the ongoing device risk in near real-time and removes entitlements if device risk goes up after the initial access is granted. If you are using one or more endpoint detection tools, continue to do so—AppGate SDP doesn’t replace them, it augments their capabilities to enhance secure access and ultimately security posture.
AppGate SDP Reduces lateral movement
In today’s increasingly distributed and remote work environment, cyber threats are just as likely to come from inside an organization as they are from the outside. The open ports of VPNs introduce a broad attack surface into flat networks. Once an attacker is in, they could start wreaking havoc laterally across the enterprise. With AppGate SDP micro-segmentation capabilities, the identity (user + device) can be matched with their entitlements so that access is granted only to permitted resources. Everything else is invisible.
Let’s dig into what this reduced lateral movement looks like in action: Imagine you have 1,000 apps/workloads/other resources on a subnet. A VPN might allow access that exposes all of them to attack. With AppGate SDP micro-segmentation, you might grant entitlements to 100 of these resources so a user can only access what they need to (regardless of being onsite or remote)—reducing the attack surface 90% right off the bat. Now let’s take it a step further and say that out of those 100 granted entitlements, half of them are critical, privileged, or sensitive. The enterprise can create policies that continue to remove those entitlements capable of causing the most damage as device risk goes up (i.e. – a remote worker using a BYOD laptop), and if necessary take away all access.
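The posture rules described above (firewall state, supported OS version), the ongoing re-evaluation of device risk, and the 1,000 / 100 / 50 example can be expressed as a small policy evaluator. This is an added illustration in Python, not AppGate SDP’s own policy language or API; the resource catalogue, the supported-Windows set and the 0–100 endpoint risk score are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed catalogue matching the post's numbers: 1,000 resources on a subnet,
# the user is entitled to 100 of them, and half of those are sensitive.
ALL_RESOURCES = [f"res-{i:04d}" for i in range(1000)]
ENTITLED = ALL_RESOURCES[:100]
SENSITIVE = frozenset(ENTITLED[:50])

# Assumption: which Windows releases the organisation treats as supported.
SUPPORTED_WINDOWS = {"10", "11"}


@dataclass
class DevicePosture:
    """Posture facts a client would report; edr_risk is a hypothetical 0-100
    score pulled from an endpoint tool's API (constructed scale, not a product's)."""
    firewall_enabled: bool
    os_name: str
    os_version: str
    edr_risk: int = 0


def device_risk(p: DevicePosture) -> str:
    """Collapse posture facts into the risk tier the policy acts on."""
    if p.edr_risk >= 80:
        return "critical"
    unsupported_os = p.os_name == "Windows" and p.os_version not in SUPPORTED_WINDOWS
    if not p.firewall_enabled or unsupported_os or p.edr_risk >= 40:
        return "elevated"
    return "low"


def granted_entitlements(p: DevicePosture) -> List[str]:
    """Low risk: all entitlements. Elevated: drop sensitive ones. Critical: none."""
    tier = device_risk(p)
    if tier == "critical":
        return []
    if tier == "elevated":
        return [r for r in ENTITLED if r not in SENSITIVE]
    return list(ENTITLED)


def reevaluate(previous: List[str], new_posture: DevicePosture) -> List[str]:
    """Run on every posture update; returns entitlements to revoke from the live session."""
    still_allowed = set(granted_entitlements(new_posture))
    return [r for r in previous if r not in still_allowed]


def hidden_fraction(granted: List[str]) -> float:
    """Share of the subnet's resources that stay invisible to this identity."""
    return 1 - len(granted) / len(ALL_RESOURCES)
```

A healthy device sees 100 of 1,000 resources (90% of the subnet hidden); disabling the firewall mid-session revokes the 50 sensitive entitlements, and a critical endpoint score revokes all 100.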
AppGate SDP Eliminates ‘hammer and nail’ approach
Traditional, siloed endpoint protection solutions risk impacting workforce productivity by forcing admins to take risky devices offline while conducting further investigation. During this time, “risky” devices may be fully disabled and the user unable to do any meaningful work, which is particularly damaging if the investigation turns out to produce a false positive.
Organizations can better protect network security while maintaining productivity through an alternative to the “hammer and nail” approach: surgical remediation of the specific risky-device issue. This gives the organization more control, based on its own risk tolerance. If a device is deemed risky, its entitlements can be adjusted dynamically to reduce exposure of critical resources. The user can still operate during the investigation, with limited access, while risk is reduced as defined by the organization.
“The enemy of my enemy is my friend”
The cybersecurity tools you deploy across the enterprise should be the enemy of your enemy (adversaries), but too often these siloed tools spend as much time working against each other as they do against external and internal threats. AppGate SDP is the glue that binds these tools together to better fight your common enemy. The ability of AppGate SDP to push and pull third-party data via APIs with your other security tools can provide more rapid, automated, and accurate entitlement decisions, in turn improving your security posture while enabling business continuity.