Access Management Tools Protect Colleges from Unmanaged Devices
Unmanaged devices represent several risks to the institution. Unpatched software, malware and poor security configuration can put both user and university data at risk. Additionally, a compromised personal device may lead to lateral movement, where an attacker leverages a user’s access to install malware or gain further access to the institution’s resources.
There are technology and policy approaches that can help reduce the risk posed by unmanaged devices. Secure service edge is a security architecture that focuses on establishing secure enclaves of resources and includes supporting technologies such as zero-trust network architecture and cloud access security brokers. It may also include network-level controls such as software-defined perimeters, software-defined WAN and Firewall as a Service.
These technologies generally operate on principles that are laid out in the National Institute of Standards and Technology’s Special Publication 800-207, which says that access to enterprise assets is granted on a per-session basis, and that access to resources is determined by dynamic policy, including client identity, application/service and the requesting asset. It may also include other behavioral and environmental attributes.
In practice, this means that access is evaluated every time it’s requested. No assumptions are made about trustworthiness based on a device’s location or ownership.
Security Software and Processes Can Help Manage Risk
Zero-trust network access is a critical technology strategy for managing risk related to unmanaged devices. Breach is assumed in a zero-trust architecture, and access can be evaluated using a combination of user identity, device health, network location and risk tolerance.
Zero trust could be used to deny access to critical resources from unmanaged devices, to impose multifactor authentication if the user is accessing the resource from an unusual device or location, or to require the user’s device to be patched before access is allowed.
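The per-session evaluation described under SP 800-207 above, and the three policy outcomes just listed, as an added example (not code from the article or from any vendor product): a small policy decision function that takes the attributes of one access request and returns deny, step-up MFA, remediation, or allow. The user, device and resource names and the "known device/location" tables are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"                    # refuse outright
    REQUIRE_PATCH = "require_patch"  # device must be patched before retrying
    REQUIRE_MFA = "require_mfa"      # step-up authentication before access
    ALLOW = "allow"


@dataclass(frozen=True)
class AccessRequest:
    """Attributes presented with a single request (no state from earlier sessions)."""
    user: str
    resource: str
    device_id: str
    managed: bool      # enrolled in institutional device management
    patched: bool      # device health attestation: patch level is current
    location: str      # network location label, e.g. "campus" or "public-wifi"


# Constructed policy data for the example (assumed, not from the article).
CRITICAL_RESOURCES = {"student-records", "payroll"}
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-desktop", "bob-tablet"}}
KNOWN_LOCATIONS = {"alice": {"campus"}, "bob": {"campus", "home"}}


def evaluate(req: AccessRequest) -> Decision:
    """Evaluate one request against dynamic policy; called on every access, never cached."""
    # Unknown identity: nothing to base a decision on, so deny.
    if req.user not in KNOWN_DEVICES:
        return Decision.DENY
    # Critical resources are never reachable from an unmanaged device, regardless of other attributes.
    if req.resource in CRITICAL_RESOURCES and not req.managed:
        return Decision.DENY
    # Device health gate: an unpatched device is sent to remediation before anything else.
    if not req.patched:
        return Decision.REQUIRE_PATCH
    # Unusual device or location for this user triggers step-up MFA rather than a hard deny.
    unusual_device = req.device_id not in KNOWN_DEVICES[req.user]
    unusual_location = req.location not in KNOWN_LOCATIONS[req.user]
    if unusual_device or unusual_location:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW
```

Because `evaluate` is stateless, a second request for the same resource from the same device is re-evaluated from scratch, which is the per-session behaviour the text describes.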
Cloud access security brokers operate as a form of application proxy, where access to a cloud resource is brokered through a security layer that can impose the same types of security checks as zero trust, but in the context of a vendor-hosted cloud application. For unmanaged devices, a lightweight client may be required to enforce the institution’s conditional access policies.