The Mobile Device is the Policy Enforcement Point Revisited

A little over two years back, way before the COVID-19 pandemic hit and the work-from-home paradigm shift took hold, we wrote a blog about how the mobile-centric zero trust framework removed the traditional perimeter security controls to protect the corporate enterprise network and connected nodes from cybercriminals. Legacy security appliances — specifically network firewalls with malware scanning gateways, intrusion detection and prevention systems (IDS and IPS), and VPN concentrators — were the policy enforcement points (PEPs) that provided ingress and egress security controls of network traffic in an effort to keep the bad guys outside and let the good guys inside the virtual perimeter walls.

The zero trust security framework states that those traditional controls are no longer effective at keeping cybercriminals, including teenage hackers, out. The roaming mobile device, including the remote laptop or desktop located at your home, is already connected to the insecure internet, where a corporate firewall or even your home router will not keep these sophisticated and determined nation-state funded cybercriminals from breaching your defenses.

MobileIron considers the mobile device, and the remote laptop or desktop at your home, to be the new PEP while already connected to the internet. Before the device connects to corporate resources that are on-premises, at the data center, or in the cloud, a unified endpoint management (UEM) solution checks device health, such as root or jailbreak state. UEM also checks device posture compliance for hardware, OS version, and security update state before provisioning work apps and content, email settings, and WiFi and VPN client profiles onto the device, laptop, or desktop. On top of that, MobileIron Threat Defense (MTD) helps to detect and block the more than 5,000 malicious phishing website links that are spun up and then taken down on a daily basis. Because our machine learning (ML) threat detection engine resides on the device and is further assisted by a cloud-based engine, providing multiple layers of threat detection and remediation, UEM and MTD have a much better chance of mitigating mobile threats at the start of the exploit. All device settings and app policies can be provisioned before the user and device are conditionally granted access to the corporate network. The device is then continuously checked for compliance while the user and device are on the corporate network.

Without MobileIron UEM, MTD, and Zero Sign-On (ZSO), the infected device might otherwise be allowed to connect to the corporate network-based policy enforcement point like a firewall, secure web gateway (SWG), cloud access security broker (CASB), or VPN concentrator with an inline malware gateway, before any detection and mitigation takes place.

The sad reality is that the cybercriminal has to be right only once to penetrate your security defenses, while the company's security architect and CISO have to be right 100% of the time! Even if a successful phishing attack circumvents safe browsing and DNS filters, including MTD's anti-phishing protections, MTD can still detect host-based artifacts by continually scanning for malicious apps, code, and scripts living on the device. This happens before they escalate into a device-level privilege escalation or lateral movement onto other connected nodes as the exploit moves up the cyber kill chain to become an advanced persistent threat, including a ransomware attack.

'The cybercriminal only has to be right one time, while the CISO has to be right 100% of the time!'

MobileIron ZSO along with FIDO2 passwordless deployments make up a strong multi-factor authentication (MFA) policy to access network and work resources, and also help to fight against phishing exploits, including QRLjacking and pharming, along with Man-in-The-Middle (MiTM) and push notification attacks.

For employee-owned and BYOD deployments, a separate work partition using Android Enterprise work profile or Apple User Enrollment modes can be remotely provisioned onto the device. The separate partition is treated almost as a separate device, keeping personal and work content isolated and ensuring user security and privacy. This means all the necessary work apps and content, along with WiFi and VPN credentials and connection profiles, can be provisioned so the user can securely connect to their work resources from home in the Everywhere Enterprise world we live in today. MTD and ZSO can also be automatically provisioned for the user to further protect their mobile devices.

MobileIron Tunnel provides a per-app VPN solution that supports the Zero Trust Network Access (ZTNA) micro-segmentation requirement. Tunnel allows only the app and its content to traverse the encrypted connection over the internet to a MobileIron Sentry intelligent gateway for on-premises or data center work resources, or to the MobileIron Access gateway for cloud-based resources. The respective gateway checks with the UEM system and provides conditional access to ensure that only the trusted user, their device, source IP address, and sanctioned app are allowed to reach corporate data. These conditional access rules apply not only to traditional client-to-server (north-south) network traffic, but also to traffic within the on-premises or data center network (east-west), with continuous adaptive authentication and authorization controls.
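The posture-gated conditional access decision described above (device health and compliance from UEM, active MTD detections, trusted user, sanctioned app, and source IP), as an added illustrative example that is not MobileIron's code; every policy value, app ID, user name and address in it is a constructed assumption, and the second evaluation in `demo()` shows the continuous re-check revoking access once an MTD finding lands mid-session:

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed policy values, assumed for this example; not MobileIron defaults.
MIN_OS_VERSION = {"ios": (15, 0), "android": (11, 0)}
MAX_PATCH_AGE_DAYS = 60
SANCTIONED_APPS = {"com.example.mail", "com.example.crm"}  # hypothetical app IDs
DENIED_SOURCE_NETS = [ip_network("198.51.100.0/24")]       # RFC 5737 doc range

@dataclass
class DevicePosture:
    """Snapshot of what the UEM knows about an enrolled device."""
    device_id: str
    enrolled_user: str
    platform: str
    os_version: tuple
    last_security_patch: date
    rooted_or_jailbroken: bool
    mtd_threats: list = field(default_factory=list)  # active MTD detections

def evaluate_access(posture, user, app_id, source_ip, today):
    """Decide one tunnel request: returns (allowed, list of denial reasons)."""
    reasons = []
    if user != posture.enrolled_user:
        reasons.append("user is not the enrolled owner of this device")
    if posture.rooted_or_jailbroken:
        reasons.append("device is rooted or jailbroken")
    min_os = MIN_OS_VERSION.get(posture.platform)
    if min_os is None or posture.os_version < min_os:
        reasons.append("unsupported platform or OS version below policy minimum")
    if (today - posture.last_security_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append("security update older than %d days" % MAX_PATCH_AGE_DAYS)
    if posture.mtd_threats:
        reasons.append("active MTD threats: " + ", ".join(posture.mtd_threats))
    if app_id not in SANCTIONED_APPS:
        reasons.append("app %s is not sanctioned for the tunnel" % app_id)
    if any(ip_address(source_ip) in net for net in DENIED_SOURCE_NETS):
        reasons.append("source IP %s is in a denied range" % source_ip)
    return (not reasons, reasons)

def demo():
    """Same request evaluated before and after an MTD detection arrives mid-session."""
    posture = DevicePosture("dev-001", "alice", "ios", (16, 2), date(2021, 4, 1), False)
    before = evaluate_access(posture, "alice", "com.example.mail", "192.0.2.10", date(2021, 5, 1))
    posture.mtd_threats.append("malicious app detected")  # continuous check re-runs the policy
    after = evaluate_access(posture, "alice", "com.example.mail", "192.0.2.10", date(2021, 5, 1))
    return before, after
```

Calling `demo()` returns an allow for the clean posture and a deny, with the MTD finding as the reason, for the same user, app and address once the detection is present.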

For unmanaged devices in contractor and frontline worker deployments, similar app and content configurations, WiFi and VPN connection profiles, and conditional access rules can all be provisioned. Additionally, ZSO with remote browser isolation (RBI) and MTD can also be configured and enforced to ensure that user and device compliance adheres to company security policies while they are accessing corporate work resources.

If the employee is terminated, the mobile device, remote laptop or desktop can be remotely retired. Work provisioned configurations and policies are selectively removed for BYOD deployments, or completely wiped — factory resetting the device and removing all configurations and settings — for company-owned devices.

Lastly, MobileIron UEM also integrates with third-party network partners like Pulse Secure, Cisco, Palo Alto Networks, Illumio, Akamai, Zscaler, and McAfee to provide even more identity and conditional access controls, including network access control (NAC), ZTNA consisting of software-defined WAN (SD-WAN) and software-defined perimeter (SDP) infrastructures, and Secure Access Service Edge (SASE) architecture.

To learn more, contact a MobileIron sales representative.

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.