The breaking news of the Stagefright vulnerability that could allow hackers to silently and completely take over any of the 950,000 Android devices on the market has got to give us, as enterprise IT and security professionals, pause to ask again how much we can trust even our own company’s employees.
PC Magazine made the dire statement that “if your phone doesn't have access to the most recent updates, you'll be left vulnerable for who knows how long. There's nothing you can do.” While the majority of carriers and manufacturers are being diligent at pushing out updates for the vulnerabilities, we are still dependent - to an unsettling degree - on them to get these updates into the hands of our users before damage can be done.
We have tools, through firewall, Wi-Fi, and EMM policies, to cut off specific devices' access to our networks and applications, but such blunt responses work only as temporary measures. As Bruce Schneier points out, most Android phones won’t be patched anytime soon, so the idea that we can pause access and then resume our trust of these devices is clearly flawed. More broadly, we must ask ourselves whether there is ever a time when we have sufficient criteria to determine if a user’s device can be trusted, or whether we must adopt a new posture of zero-trust.
If indeed we must now treat all devices and all users - including our own employees - as untrusted, it’s hard to imagine that traditional models of access like VPNs, which allow users to punch through our network perimeters into the trusted zone, are not now doomed. It also calls into question newer security models like Google's own BeyondCorp, or the CSA's software defined perimeter (SDP), which look to extend the network perimeter to surround supposedly trusted users and their devices.
With a zero-trust approach to user devices, all users are essentially strangers on the Internet. Clearly giving internal network access to that class of user is a huge security risk and so it makes no sense to extend the network perimeter around any user through VPN, SDP, or even Wi-Fi.
Practically, however, employee, customer, and other third-party access to applications and data is an essential component of the modern enterprise. Rather than bringing users inside the network to access these applications and data, we can think of a new model, a new solution that selectively brings them out to meet users on the Internet. This idea of creating more separation between users and internal applications and data, and delivering access to applications across this “airgap” between the Internet and a company’s internal infrastructure, is a fundamentally new approach to secure access that addresses the necessity of zero-trust.
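The per-request model described above, as an added example that is not part of the original article: a small Python policy check that decides each application request on verified identity and device posture, and gives no weight to the network the request arrives from. The class and function names, the minimum patch-level date, the application ACL and the sample devices are all constructed for illustration; the patch-level field is meant to be filled from an EMM or attestation source such as Android's reported security patch level, which is an assumption about the deployment rather than something the article specifies.

```python
"""Per-request access decisions at the application edge.

Added example, not the article's own code. Every name, threshold and
sample device below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    platform: str                   # "android", "ios", ...
    patch_level: Optional[date]     # OS security patch level reported by the EMM, if known
    attested: bool                  # True only if the posture came from a source we verified


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: DevicePosture
    application: str
    network: str                    # "internet" or "corp-wifi"; deliberately not a trust input


# Constructed policy data: the minimum patch level is an assumed threshold for the demo.
MIN_PATCH_LEVEL = {"android": date(2015, 10, 1)}
APP_ACL = {
    "expense-portal": {"alice", "bob"},
    "hr-records": {"alice"},
}


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default. The decision is recomputed on every request, so trust is
    never cached: a device denied today for a stale patch level is allowed the
    moment its reported posture meets policy, with no manual re-enable step."""
    dev = req.device
    if not dev.attested:
        return False, "device posture is self-reported, not attested"
    minimum = MIN_PATCH_LEVEL.get(dev.platform)
    if minimum is not None:
        if dev.patch_level is None:
            return False, "patch level unknown for a platform with a minimum"
        if dev.patch_level < minimum:
            return False, f"patch level {dev.patch_level} older than required {minimum}"
    allowed_users = APP_ACL.get(req.application)
    if allowed_users is None:
        return False, f"unknown application {req.application!r}"
    if req.user not in allowed_users:
        return False, f"user {req.user!r} not authorised for {req.application!r}"
    # Note that req.network was never consulted: corporate Wi-Fi earns no extra trust.
    return True, "identity and device posture satisfy policy for this request"


# Constructed sample devices: the same handset before and after it receives an update,
# plus a device whose posture nobody verified.
UNPATCHED = DevicePosture("android-001", "android", date(2015, 8, 1), attested=True)
PATCHED = DevicePosture("android-001", "android", date(2015, 11, 1), attested=True)
SELF_REPORTED = DevicePosture("android-002", "android", date(2016, 1, 1), attested=False)

SAMPLE_REQUESTS = [
    AccessRequest("alice", UNPATCHED, "expense-portal", "corp-wifi"),
    AccessRequest("alice", PATCHED, "expense-portal", "internet"),
    AccessRequest("bob", PATCHED, "hr-records", "internet"),
    AccessRequest("carol", SELF_REPORTED, "expense-portal", "internet"),
]


def decide_all(requests=SAMPLE_REQUESTS):
    """Evaluate each request and return the list of (allowed, reason) results."""
    return [evaluate(r) for r in requests]


if __name__ == "__main__":
    for req, (allowed, reason) in zip(SAMPLE_REQUESTS, decide_all()):
        verdict = "ALLOW" if allowed else "DENY "
        print(f"{verdict} {req.user:<6} {req.application:<15} via {req.network:<9} : {reason}")
```

Run it as a script to see the four decisions. The first request is the instructive one: the device is on corporate Wi-Fi, yet it is denied because its attested patch level is older than policy allows; the second request, from the same device over the open Internet after the update landed, is allowed without anyone having to flip a firewall or EMM rule back on.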