Jamf Blog
September 29, 2020 by Jonathan Locast

Achieving zero-trust while crafting a great end-user experience on the Mac with Jamf, Okta and Venafi

Zero Trust, at its core, is not a new concept. Summarized in another way: "Never trust, always verify."

Speakers: Kelsey Nelson, Senior Product Marketing Manager, Okta; Paul Cleary, Ecosystem Architect, Venafi; Kaylee Carlson, Senior Product Marketing Manager, Jamf

Over the last seven years, organizations have become more modern – even more so during this recent pandemic. Organizations have been forced to reconsider their practices, policies and infrastructure, and security is one aspect that is topping the list. Workers were already increasingly mobile, but now working from home is a reality for many, if not most. In fact, in a 2019 study from TalentMS, only 66% of all employers allowed remote workers, while 16% of employees were remote full-time. The percentage of team members now working from a distance full time has skyrocketed, and is projected to continue its growth on the back of modernized improvements to working environments and practices.

Alongside the workforce, technology is advancing by the day to help companies succeed. But this presents new challenges for IT teams and organizations around the world. They boil down to providing the same, or better, working experience that employees want or expect, without the team being centrally located in an office or working within the normal 9-to-5 constraints, while still protecting customer and company data.

The ‘old way’ of security

When it comes to security, many organizations' models followed what is known as the “castle-and-moat” model. This refers to a trusted internal network, the “castle”, protected by a perimeter, the “moat”. Anything outside that perimeter is considered untrusted; anything inside is implicitly trusted.

While this was effective for a long time, attacks continue to become more sophisticated and intricate, and people inside the perimeter who are considered “trusted” can simply slip up and create a vulnerability within the system. With the “castle-and-moat” model, a single such breach renders the entire defense useless, giving an attacker unwarranted access to everything within the castle walls. It is this weakness and its potential consequences that have led security leaders to seek a better method: enter Zero Trust.

What is Zero Trust?

“Never trust, always verify.” It may sound like a harsh way to go through life, but when it comes to the security of data, it is truly leading the way. Essentially, it means you can no longer consider anyone or anything “trusted” until they have gone through the process of verifying themselves, hence the name zero trust.

Zero trust is not a new process; it has been around for quite some time, modified over the years. At its core, zero trust comes with three guiding principles:

  1. All resources must be accessed in a secure way, from a secure machine, regardless of location
  2. Access control is on a “need to know” basis
  3. Organizations must inspect and log all traffic to verify that users are doing the right things

While all three principles are important to achieving zero trust, number 2 is truly the core concept. What is a “need to know” basis? That is where your back-end security comes into play. Through a person's cloud identity, you can answer specific “questions” about each request (device type, managed or unmanaged device, secure or unsecured network, and so on), and the answers determine which authentication policy applies. Having this in place ensures that a person accesses resources in a secure way (principle 1) while confining their access to exactly the resources they “need”, thus maintaining security over the rest of the system.

The third principle comes into play in two ways. First, by inspecting the logs you can verify that users are in fact accessing and using resources in the intended fashion, which is obviously a critical facet of security. Second, true zero trust security, and security in general, is an ever-improving, changing thing. Inspecting the logs and monitoring activity and usage lets you modify your “questions”, alter who has access, and fine-tune your ecosystem.
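To make principles 1 to 3 concrete, here is an added example (not code from Jamf, Okta or Venafi) of a toy access decision engine. It answers the “questions” above from an identity context, gates access on group entitlement rather than network location, raises the authentication level as risk signals accumulate, denies outright when risk is too high, logs every decision, and reviews that log for users who are repeatedly denied for lack of entitlement. The entitlement table, risk weights and threshold are constructed assumptions for illustration.

```python
"""Added example: a toy zero-trust access decision engine.

Not code from Jamf, Okta or Venafi. Every request is evaluated against the
identity context of the user and device; being on a particular network never
grants access by itself. Each decision is appended to a log for later review.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample entitlements: which groups "need to know" each resource.
RESOURCE_GROUPS: Dict[str, Set[str]] = {
    "hr-payroll": {"hr"},
    "source-code": {"engineering"},
    "wiki": {"hr", "engineering", "sales"},
}
# Assumption: these resources always require MFA, whatever the other signals.
SENSITIVE: Set[str] = {"hr-payroll", "source-code"}
DENY_RISK = 3  # assumed threshold: refuse rather than step up at or above this score


@dataclass
class Context:
    """The 'questions' asked about a request, answered from the identity provider."""
    user: str
    groups: Set[str]
    managed_device: bool
    network: str        # "corp", "home" or "public"
    country: str
    usual_country: str


@dataclass
class Decision:
    allow: bool
    auth_level: str     # "deny", "password" or "password+mfa"
    reason: str


def risk_score(ctx: Context) -> int:
    """Sum of risk signals. The corp network is one signal, not a trust anchor."""
    score = 0
    if not ctx.managed_device:
        score += 2
    if ctx.network == "public":
        score += 1
    if ctx.country != ctx.usual_country:
        score += 2
    return score


def evaluate(ctx: Context, resource: str) -> Decision:
    entitled = RESOURCE_GROUPS.get(resource)
    if entitled is None:
        return Decision(False, "deny", "unknown resource")
    # Principle 2: need to know. Group membership gates access, not location.
    if not ctx.groups & entitled:
        return Decision(False, "deny", "user not entitled to resource")
    # Principle 1: a secure machine. Unmanaged devices never reach sensitive data.
    if resource in SENSITIVE and not ctx.managed_device:
        return Decision(False, "deny", "unmanaged device")
    score = risk_score(ctx)
    if score >= DENY_RISK:
        return Decision(False, "deny", f"risk score {score} too high")
    if score > 0 or resource in SENSITIVE:
        return Decision(True, "password+mfa", f"step-up, risk score {score}")
    return Decision(True, "password", "low risk")


AUDIT_LOG: List[dict] = []


def request(ctx: Context, resource: str) -> Decision:
    """Evaluate and record every access attempt (principle 3: log all traffic)."""
    d = evaluate(ctx, resource)
    AUDIT_LOG.append({"user": ctx.user, "resource": resource, "allow": d.allow,
                      "auth": d.auth_level, "reason": d.reason})
    return d


def review_log(log: List[dict], min_denials: int = 2) -> Dict[str, List[str]]:
    """Flag users repeatedly denied for lack of entitlement: either someone probing
    for access, or a sign the entitlement table needs fine-tuning."""
    denials: Dict[str, List[str]] = {}
    for entry in log:
        if not entry["allow"] and entry["reason"] == "user not entitled to resource":
            denials.setdefault(entry["user"], []).append(entry["resource"])
    return {u: r for u, r in denials.items() if len(r) >= min_denials}


if __name__ == "__main__":
    # Constructed sample requests: a managed HR user in the office and an
    # unmanaged sales user on public Wi-Fi in an unusual country.
    alice = Context("alice", {"hr"}, True, "corp", "US", "US")
    bob = Context("bob", {"sales"}, False, "public", "DE", "US")
    for ctx, res in [(alice, "hr-payroll"), (alice, "wiki"),
                     (bob, "hr-payroll"), (bob, "source-code"), (bob, "wiki")]:
        print(ctx.user, res, request(ctx, res))
    print("review:", review_log(AUDIT_LOG))
```

Note that Bob is refused the wiki, which his group is entitled to, because the combination of unmanaged device, public network and unusual country crosses the deny threshold; the same user on a managed device at home would simply be stepped up to MFA. The review step is where the “questions” get tuned: two entitlement denials for Bob are either a policy gap or something worth investigating.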

By using this method, you have shifted the focus of your security away from something large and all-encompassing and confined it to the individual user. This solves the problem of the insecure “castle”, but doesn't it pass the burden onto the user? Demanding that they sign in to multiple platforms, maintain many usernames and passwords, and use disparate apps seems like security passing the buck, putting the onus on users while sullying their work experience. It's a common objection. But thanks to advances in security technology, it is not as large a hurdle as some believe.

Delivering Improved Security with Identity

The key to removing that burden and unlocking zero trust's potential is identity-driven security. This allows you to:

  • Unify identity across apps and devices with SSO
  • Secure the login process by enforcing risk-based authentication
  • Provision and deprovision on a need-to-know basis
  • Enable visibility and analytics

It's through these four aspects, especially the first two, that users are unburdened from multiple usernames and passwords, enhancing and streamlining the user experience.

User identity combined with SSO lets that experience flow across every device and platform a user needs.

Contextual access takes into account the application, user group, network, device and location. It lets us identify whether this is a normal request for this user, and it can be fine-tuned over time as your security becomes more comprehensive.

Automated provisioning and deprovisioning covers the moment someone comes on board and the moment they leave, ensuring that the process is automated and your security remains in place.

This takes the many different technologies that make up zero trust and distills them to a single goal: making sure the right people have the right access to the right resources, and that security can fine-tune it along the way.

This is not a light switch. It doesn't happen overnight; it is fulfilled through a process.

Extending Trust Beyond the User

Does this device have a valid machine identity? It's an important question when extending your trust beyond the user. Identity, as discussed above, is critical, but you also need to take the device into account: the machine.

Companies are only just starting to consider the machine aspect, which has left a real security gap, because attackers also go after machines. It's not just about the person when it comes to running a tight ship. In true zero trust, just like a person's identity, your machines also need to be at the center of your plan when considering the full scope of “identity”.

Thankfully, Venafi's Trust Protection Platform turns management of TLS certificates and machine identities into a streamlined, simple process through its new integration with Jamf Pro. With this integration, a multitude of certificates, from any number of certificate authorities, can be automatically issued or revoked for thousands of devices. Configuration profiles and flexible scoping allow stored certificate configurations to be applied to specific groups of alike devices. At the same time, Venafi's platform allows custom policies to be managed as well, enabling flexibility for unique certificate use cases. This allows corporate-owned and BYOD devices alike to share the same secure baseline level of trust before they are granted access to critical Wi-Fi, VPN or other organizational resources. The Venafi integration brings high-speed, high-scale identity security to your machines and devices, completing the full circle of your Zero Trust efforts.

In a mobile world, what was once achieved by the “corporate network” now has to be capable of being constantly on the move. For some, on-premises Microsoft Active Directory is all they have known. Active Directory (AD) offers identity and authentication and protects against those outside the directory, but it is restrictive and no longer adequate: users have to be joined to the domain and inside the walls of an office, which no longer works because today's users and devices interact largely outside of those walls.

Removing the false sense of security behind a firewall or corporate perimeter allows IT and security teams to evaluate the security of their access controls, devices and resources more frequently. Knocking down trust based solely on being on a corporate network, and adapting to modern technologies, creates a stronger shield around users and devices while also enhancing workforce productivity. Examining the risk of each access attempt, device and data set gives the confidence to empower remote employees with the tools they need to be productive: frictionless, secure access in a streamlined, intuitive fashion. Just how Apple intended.
