Mobile App Security in a Zero Trust Environment
Posted by Brian Reed
The traditional layered security model of defending the perimeter no longer protects the enterprise. Thanks to work from home, mobile employees, mobile in-store experiences and more, the perimeter as we know it has effectively dissolved. Even with trusted vendors and a secure network, the SolarWinds incident highlighted supply chain risk.
Zero Trust first emerged as a network security strategy, but today leading-edge organizations apply it to mobile apps and devices. In fact, Microsoft identifies six core components that must be addressed in a Zero Trust approach:
- Identities: Verify identity and implement strong authentication.
- Data: Use intelligence to classify and label data.
- Devices: Gain visibility into devices accessing the network.
- Infrastructure: Use telemetry to detect attacks and block risky behavior.
- Applications: Discover shadow IT and ensure appropriate in-app permissions.
- Network: Encrypt all internal communications, limit access and use real-time threat detection.
Zero Trust principles include verify explicitly, use least privileged access and assume breach.
In 2018, the National Institute of Standards and Technology published the NIST 800-207 guidance for Zero Trust Architecture. It defines Zero Trust as “protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”
On Feb 21, 2021, the National Security Agency urged all commercial enterprises and federal agencies to shift expeditiously to a Zero Trust model.
“Adopting the Zero Trust mindset and leveraging Zero Trust principles will enable systems administrators to control how users, processes, and devices engage with data. These principles can prevent the abuse of compromised user credentials, remote exploitation, or insider threats, and even mitigate effects of supply chain malicious activity.
NSA strongly recommends that a Zero Trust security model be considered for all critical networks within National Security Systems, the Department of Defense’s critical networks, and Defense Industrial Base critical networks and systems. NSA notes that Zero Trust principles should be implemented in most aspects of a network and its operations ecosystems to become fully effective.”
We find many Zero Trust organizations worry about devices like smartphones, tablets and laptops but ignore the mobile applications on those devices that can put the enterprise at risk. While there are cases of mobile malware, vulnerabilities and sensitive data leakage typically put organizations, employees and customers at far greater risk.
Mobile App Risks Are Multiplying
Consider these security weaknesses stemming from popular mobile apps that employees may have on their devices:
- Mobile vulnerabilities like the native Apple Email app bug that enabled attackers to access and manipulate emails and the device itself
- Mobile organization apps like the Slack bug that leaked passwords
- Mobile file sharing apps like SHAREit that leak data and remain unpatched
- Mobile call recording apps like Call Recorder that used unencrypted network communication
- Thousands of commercial mobile apps with SDKs that enable foreign actors to harvest sensitive data
- Mobile apps from manufacturers like Samsung that leak data
- Mobile transit apps used to profile and track employees and the military.
Best Practices for Mobile AppSec
To help organizations better track and respond to mobile app breaches and risks, NowSecure maintains a public breach tracker and offers the following five best practices for mobile app security in a Zero Trust model:
- Manage asset inventory. You can’t manage what you don’t know about, so leverage mobile device management (MDM)/Enterprise Mobility Management (EMM) tools and watch network/firewall traffic to inventory the mobile apps used on devices on your network.
- Vet all mobile apps before they get on the network. Use NowSecure Platform data for an initial review of mobile app security, privacy and compliance risks for apps from the public Apple App Store™ and Google Play™, as well as for assessing custom apps built internally or via service providers/partners. Integrate NowSecure into your MDM/EMM for automated operation, including blacklist/whitelist enforcement.
- Continuously monitor mobile app portfolio risk. Commercial mobile apps can be updated daily and add new features that introduce vulnerabilities. Deploy NowSecure Platform to continuously monitor all mobile apps on your devices and network for alerts to changes and take action when new risks are introduced. With NowSecure integrated into your MDM/EMM, you can automatically get device/user/app blocking when new risks are detected.
- Establish appropriate mobile app security policies. Require multi-factor authentication and advanced identity management, and apply per-app VPN, geofencing and other controls where necessary, using MDM/EMM for policy enforcement.
- Restrict access to only corporate devices on your network in high-risk scenarios. For these environments, forbid Bring-Your-Own-Device (BYOD) or Bring-Your-Own-Application (BYOA) policies. Use fully managed controls and only allow pre-vetted mobile apps on corporate devices configured for Zero Trust scenarios.
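As an added illustration of the vetting, continuous-monitoring and blocking steps above (example code, not part of the original post or of NowSecure Platform): a policy check run over two constructed inventory snapshots, alerting on new apps and on findings introduced by an update. Bundle ids, finding tags and the allow/deny lists are assumed values.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AppReport:
    """One app as reported by an MDM/EMM inventory plus an app-security scan (constructed format)."""
    bundle_id: str
    version: str
    findings: frozenset[str]   # finding tags such as "cleartext-network"


# Policy knobs (hypothetical values): explicit deny list wins, then blocking findings, then allow list.
DENY_LIST = {"com.example.sharefiles"}       # known-unpatched app forbidden on corporate devices
ALLOW_LIST = {"com.example.corpmail"}        # pre-vetted corporate app
BLOCKING_FINDINGS = {"cleartext-network", "credential-leak", "sdk-data-harvesting"}


def vet(report: AppReport) -> tuple[str, set[str]]:
    """Return a verdict ("block", "review" or "allow") and the reasons behind it."""
    if report.bundle_id in DENY_LIST:
        return "block", {"deny-listed"}
    blocking = report.findings & BLOCKING_FINDINGS
    if blocking:
        return "block", set(blocking)
    if report.bundle_id in ALLOW_LIST or not report.findings:
        return "allow", set()
    return "review", set(report.findings)   # lower-severity findings need a human decision


def monitor(previous: dict[str, AppReport], current: dict[str, AppReport]) -> list[dict]:
    """Diff two inventory snapshots; alert on new apps and on findings an update introduced."""
    alerts = []
    for bundle_id, report in current.items():
        old = previous.get(bundle_id)
        new_findings = report.findings - (old.findings if old else frozenset())
        if old is None or new_findings:
            verdict, reasons = vet(report)
            alerts.append({"app": bundle_id, "version": report.version,
                           "event": "new-app" if old is None else "new-findings",
                           "verdict": verdict, "reasons": sorted(reasons)})
    return alerts


# Constructed snapshots: yesterday's inventory, and today's after one app updated and one appeared.
YESTERDAY = {
    "com.example.corpmail": AppReport("com.example.corpmail", "4.1", frozenset()),
    "com.example.recorder": AppReport("com.example.recorder", "2.0", frozenset({"excessive-permissions"})),
}
TODAY = {
    "com.example.corpmail": AppReport("com.example.corpmail", "4.2", frozenset()),
    "com.example.recorder": AppReport("com.example.recorder", "2.1",
                                      frozenset({"excessive-permissions", "cleartext-network"})),
    "com.example.sharefiles": AppReport("com.example.sharefiles", "1.0", frozenset()),
}

if __name__ == "__main__":
    for alert in monitor(YESTERDAY, TODAY):
        print(alert)
```

The corporate mail app's version bump produces no alert because it introduced no new findings; the recorder update and the newly installed file-sharing app both come back as "block" and would be handed to the MDM/EMM integration.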
Expect Zero Trust to become a core strategy in most enterprise risk management frameworks over the next few years. In the meantime, organizations shouldn’t overlook the already present dangers in their mobile app portfolios. They can protect themselves efficiently and cost effectively by applying the five key best practices outlined above, including deploying NowSecure Platform for mobile app vetting. For valuable advice about launching or improving a mobile app security program, download the Mobile App Security Program Management Handbook.