The concept of zero trust (ZT) has been circulating for a number of years; however, recent advanced and persistent cyberattacks [1] have brought the need for implementing zero trust architectures (ZTA) to the forefront. The May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity [2] gives Departments and Agencies greater impetus to prepare their ZTA plans.
Under ZT, access to an information resource (data, applications, and services) is allowed for a specified period of time with the least possible privileges. Authorization decisions are made through continuous evaluation of the user privileges and the device health as well as other contextual information. Resources and infrastructure are monitored actively to assess the current state of security for continuous diagnostics and mitigation.
The mobile security ecosystem has evolved rapidly to keep pace with the pervasiveness of mobile devices as an enterprise resource used to conduct official business. The mobile security ecosystem includes a collection of enterprise mobile security tools and technologies to protect devices, data, and mobile applications (apps). Continued security enhancements to mobile operating systems also contribute to mobile device security. Additionally, prominent mobile device manufacturers have integrated tamper-resistant hardware components that provide security-critical capabilities such as cryptographic key management. A few vendors are also preparing to respond to the greater security needs of the Federal community by offering continuous, behavior-based identity and access management to better align with ZT principles.
A mapping between principles from the Cybersecurity and Infrastructure Security Agency (CISA) ZT maturity model and mobile security tools and technologies highlights the following key takeaways:
- The underpinnings of ZT exist in the mobile security ecosystem. Mobile device operating systems generally include built-in security features for sandboxing, segmentation, and secure memory management.
- Mobile devices implement application and data segmentation features that are consistent with key ZT principles.
- Enterprise Mobility Management (EMM) provides tools to configure and enforce device security policy. Combined with mobile threat defense, these tools can provide a good starting point towards an agency’s ZT goals for mobile devices.
- Mobile application development and app security vetting need greater scrutiny to ensure alignment with ZT principles for access to enterprise resources (e.g., to support continuous authentication).
- Tighter integration between EMM and mobile threat defense and enterprise logging, monitoring, diagnostics, and mitigation systems is needed to meet the ZT requirements of the May 2021 Executive Order 14028.