For years companies have been allowing their employees to mix business and pleasure on their mobile devices, a move that has raised concerns among cybersecurity professionals. Now a network security company says it has a way to secure personal mobile devices that could let cyber warriors sleep more comfortably.
Cloudflare on Monday announced its Zero Trust SIM, which is designed to secure every packet of data leaving a mobile device. Once installed on a device, the ZT SIM routes the device’s cellular network traffic to Cloudflare’s cloud, where the organization’s zero trust security policies can be applied to it.
According to a company blog post written by Cloudflare Director of Product Matt Silverlock and Head of Innovation James Allworth, by combining software-layer and network-layer security through the ZT SIM, organizations can benefit from:
- Preventing employees from visiting phishing and malware sites. DNS requests leaving the device can automatically and implicitly use Cloudflare Gateway for DNS filtering.
- Mitigating common SIM attacks. An eSIM-first approach can prevent SIM-swapping or cloning attacks and, by locking SIMs to individual employee devices, bring similar protection to physical SIMs.
- Rapid deployment. An eSIM can be installed by scanning a QR code with the mobile phone’s camera.
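The first bullet describes DNS-layer filtering: every name the phone looks up passes through a resolver that decides, per query, whether to answer or block. The following is an added illustration of that decision logic and is not Cloudflare Gateway code or part of the original article. The denylist, its categories, the sinkhole address and the sample queries are all constructed for the example; a real deployment would draw on maintained threat feeds. It also shows why the check must walk up the label hierarchy, so that a listed domain covers its subdomains, and it logs each verdict, since per-query logging is the other capability discussed later in the article.

```python
"""Illustrative DNS filtering decision for a policy resolver (added example,
not Cloudflare Gateway code). Denylist, categories and queries are constructed."""

from dataclasses import dataclass
from typing import Optional, Tuple, List
import logging

# Constructed denylist: domain -> threat category (hypothetical names).
BLOCKED_DOMAINS = {
    "login-update-paypa1.com": "phishing",
    "cdn.malware-drop.net": "malware",
    "tracker.example-ads.io": "tracking",
}

# Categories the hypothetical organization policy blocks at the DNS layer.
# "tracking" is listed above but deliberately not blocked, to show that a
# categorized name is not the same as a blocked name.
BLOCKED_CATEGORIES = {"phishing", "malware"}

SINKHOLE_IP = "0.0.0.0"  # address returned instead of the real record


@dataclass(frozen=True)
class Verdict:
    qname: str
    action: str               # "block" or "allow"
    category: Optional[str]   # category of the matched entry, if any
    matched: Optional[str]    # denylist entry that matched, if any


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and a trailing dot means the root."""
    return qname.strip().rstrip(".").lower()


def lookup_category(qname: str) -> Tuple[Optional[str], Optional[str]]:
    """Check the full name, then each parent domain, so that a listed
    domain also covers its subdomains (x.y.evil.example -> evil.example).
    The bare TLD is never consulted, so a listing can't match everything."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return BLOCKED_DOMAINS[candidate], candidate
    return None, None


def evaluate(qname: str) -> Verdict:
    """Apply the policy: block only if the matched category is blocked."""
    category, matched = lookup_category(qname)
    action = "block" if category in BLOCKED_CATEGORIES else "allow"
    return Verdict(normalize(qname), action, category, matched)


def answer(qname: str) -> Optional[str]:
    """A record the filtering resolver hands back: the sinkhole address for
    blocked names, None meaning 'resolve normally upstream'."""
    return SINKHOLE_IP if evaluate(qname).action == "block" else None


def filter_queries(qnames: List[str]) -> List[Verdict]:
    """Evaluate a batch of queries and log one line per verdict."""
    verdicts = [evaluate(q) for q in qnames]
    for v in verdicts:
        logging.info("dns %s %s category=%s matched=%s",
                     v.action, v.qname, v.category, v.matched)
    return verdicts


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    # Constructed sample of lookups a phone might emit.
    sample = [
        "www.example.com.",
        "Login-Update-PayPa1.com",
        "a.b.cdn.malware-drop.net",
        "tracker.example-ads.io",
    ]
    for v in filter_queries(sample):
        print(v)
```

Running the block prints one verdict per sample query: the mixed-case phishing domain and the deep subdomain of the malware host are blocked, the tracking domain is categorized but allowed, and the ordinary name passes through untouched.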
Distrust of Personal Devices
“A lot of organizations don’t trust the devices they aren’t managing to access sensitive corporate data because of that,” said analyst Charlie Winckless, a senior director at Gartner.
“Most of us are a little less careful with our personal devices than with our business tools,” he told TechNewsWorld. “There are also fewer controls on a personal device than on a business device.”
“The Zero Trust SIM is a way to try to allow some control over those individual devices as they connect to the corporate network.”
With a distributed workforce, the classic hub-and-spoke model for security has become obsolete, explained Malik Ahmed Khan, an equity analyst at Morningstar in Chicago.
“So, you have employees across the country accessing company resources with a mobile device sitting in their home,” he told TechNewsWorld. “How do you secure their access? That’s a big question for firms to answer.”
The answer to that question for many organizations is installing software agents on their employees’ phones as part of a mobile device management (MDM) system, which can rankle employees.
“It’s inherently difficult to protect anyone’s personal equipment because owners don’t want their equipment to be managed by someone else,” said Roger Grimes, a data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
Khan said adoption will be a significant challenge for Cloudflare. “There are two degrees of convincing that need to happen,” he said. “First, Cloudflare needs to convince firms to adopt it, and second, firms need to convince their employees to use the eSIM.”
Hardware Limitations
Grimes said there are other roadblocks facing organizations dealing with BYOD. “Phone operating systems simply don’t come with the sophistication that is needed to enable and implement the controls that are typically applied to regular computers,” he told TechNewsWorld.
“For example,” he continued, “it is very difficult to implement patching so that phones and all their apps are up to date. Many times a phone’s OS will only be patched if the phone’s network provider, such as Verizon or AT&T, decides to push the patch.
“The user can’t just click on an update feature and get a new patch, unless the phone vendor has approved it and decided to allow it to be installed,” he said.
When considering an eSIM solution, it’s important to know what it does and doesn’t do, observed Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“Cloudflare’s use of eSIM links the mobile device’s cellular data connection to Cloudflare’s network, where malicious domains or sites not approved by the organization’s policies can be blocked,” he told TechNewsWorld.
“There are also capabilities for logging connections going over cellular data networks that companies typically are not able to monitor,” he said.
MDM Complications
He continued, however, that there is no end-to-end encryption and that blocking and logging are limited to cellular data connections only. Wi-Fi data connections, for example, are unaffected by the eSIM offering.
“Cloudflare’s eSIM solution may be cheaper and simpler to deploy than a full mobile device management solution and a full-device VPN that covers both Wi-Fi and cellular data connections, but it does not offer the same level of control and security as those solutions,” he said.
“The ability to mitigate user account hijacking by preventing SIM swapping to intercept multifactor authentication codes is useful, but in reality, implementing MFA via SMS codes is no longer a best practice,” he said.
Khan pointed out, however, that there are problems with the agent-based solutions that Zero Trust SIM has to contend with. “The problem with these deployments is that they require the user to dig deep into their device’s settings and accept a bunch of certificates and permissions for the agent,” he explained.
“While it is very easy to do this on a company-issued laptop or mobile device, since the agent will be pre-configured, it is quite challenging to do on BYOD, as the employee may not set things up properly, leaving the endpoint still partially exposed,” he said.
“Imagine having an IT security team for a firm with thousands of employees and each of them trying to follow a series of steps on their individual devices,” he continued. “It can be a nightmare, logistically speaking.”
“Furthermore,” he said, “there may be a problem with updating agents uniformly and constantly asking employees to stay on the latest operating system.”
Mobile Headache
In addition to the ZT SIM introduction, Cloudflare also announced its Zero Trust program for mobile operators, which is designed to give mobile carriers the opportunity to offer their customers access to Cloudflare’s Zero Trust platform.
“When I talk to CISOs I hear over and over again that effectively securing mobile devices at scale is one of their biggest headaches. It’s the flaw in everyone’s deployment of Zero Trust,” Cloudflare co-founder and CEO Matthew Prince said in a statement.
“With Cloudflare Zero Trust SIM,” he said, “we will offer the one-stop solution to secure all of a device’s traffic, helping our customers plug this hole in their Zero Trust security posture.”
However, how the market will react to this solution remains to be seen. “I haven’t heard Gartner clients asking for this,” Winckless said. “Maybe they’ve seen something I haven’t seen. So, we’re going to see if this is an answer to a question that no one needed answered or a transformative way of providing security.”