Cybersecurity Mythbusters: Is MDM Enough?
Transcription
Patrick
Hello and welcome to "Cybersecurity Mythbusters." I'm Patrick McBride, the CMO at Beyond Identity. And I'm joined by our resident cybersecurity expert and our Beyond Identity CTO, Dr. Jasson Casey.
Jasson
So we're really excited for today's myth. Let's just go do it. We got an email from Jordan and it reads, "Dear 'Cybersecurity Mythbusters', I keep hearing more and more about device trust. My boss keeps saying we need better device trust, but I assure him we're okay with the current device management. We already have device trust, right?"
Patrick
Ooh, I've been really waiting for this one. Device trust and the concepts around it have really been gaining some steam with our prospects and customers, and we're seeing it more and more.
Jasson
I understand the confusion. It's a complex issue. And, of course, because of the popularity of BYOD, or bring your own device, things have only gotten worse.
Patrick
I know. Let me bring some of the big guns in. I know exactly who we can use to discuss it. We got Dr. Chase Cunningham, otherwise known as Dr. Zero Trust. I think he's the perfect person for this one.
Jasson
While we're waiting on him, this issue is a bit nuanced. It's not just about whether a device is managed, because a managed device can be misconfigured. It's not just about MDM. These systems get quite complex. Basic device information such as geolocation, serial numbers, device types, IP information: this is all insufficient, as they only provide little vignettes of what's actually going on.
In addition, these are static points in time. And as a device changes, as its state changes, as a user interacts with that device in various ways, the control surface could change. And you really want to understand that in a continuous way.
Patrick
Well, let's bring in Dr. Zero Trust. Welcome, Chase.
Chase
Hey guys, thank you so much for having me. It's great to be here.
Jasson
Chase, what can you tell us about device trust and the best practices for a modern enterprise?
Chase
Yeah, well, I think device trust, in the context of zero trust, is really critical. I mean, if you look at the DOD's rollout and maturity models and all those other things, it is specifically noted in there, and if you really wrap your head around where business is today, I've gotta be able to take care of the device, as well as the user, and I have to live in a world where it's BYOD and remote and all those other things.
I have to accept that that's how this functions. I mean, I'm at home right now, remoting in, doing things on the browser. I should have some controls applied to me. If you're not doing those things and you're not living in a world where that is the reality of the way you operate, the only one that benefits is the adversary. By ignoring the value proposition and the value that a device has in the context of compromise and hacks and those other things, you're basically turning a blind eye to a very valid avenue that the bad guys are gonna use for exploits. So you need to know these things. This is not meant to be explicitly difficult and the technology and the space has evolved where you can employ controls via policy at scale and not make people miserable with their cybersecurity.
Patrick
So Chase, what steps can an enterprise take?
Chase
Cybersecurity, zero trust requires, it's not a nice-to-have, it requires that you do this stuff continually and you can't do a one-and-done. In other words, you shouldn't have a methodology or practice or policy in place that says, "This came in, I checked it, they're good. And now I'm just gonna let things ride until whenever that system or access goes away." Really, the way that this works best, and I mean, this is why we have visibility and analytics and these things within the framework, because you need to know what's going on all the time and you should at any time be able to interdict and respond to a problem when it shows up.
On top of that, this is how you get good understanding of what normal looks like. And if things change or weird stuff occurs, that's something that you want to be able to respond to. You won't see weird things occurring if you're not continually looking at what's going on with these transactions. So you must, and this is again, not a nice-to-have, to do ZT, you must be able to do this stuff continuously. It's a marathon. This is not a sprint.
Jasson
So Chase, it sounds like Jordan has taken some good first steps. But there's still a few more things for them to do to achieve optimal device trust.
Chase
Yeah, I think that's a fair assessment. I mean, really the goal here is to get towards an optimal state. Even mega, giant government organizations with billions of dollars aligned to this overall strategy, their goal is to get to optimality. Perfection does not exist. Really what you're trying to get to is where you have an optimal experience, you have controls applied where they need to be applied. You're not making people miserable, and you can actually enable the business to operate securely. So I think he's on his way there. As in the Navy, we would say, "He is on the glide slope." But there's always work to be done.
Patrick
Excellent. Hey, thanks, Chase. I knew we could count on you for this one.
Chase
I really appreciate you guys letting me be involved and keep up with what you're doing. Good stuff.
Jasson
Well, there you have it, Jordan. And thank you to everyone for tuning in.
Patrick
If you have any rumors, questions or myths you want us to test, be sure to let us know. We'll see you next...