Establishing trust with Zero Trust
Note: This is part two of a five-part series on the origins and tenets of Zero Trust.
Let’s look at 'bring your own device' (BYOD) as an example of a Zero Trust success story. The use of non-corporate devices to access email and other resources was resisted for many years. An employee’s personal device was rogue IT: it couldn’t be monitored, protected, or managed by traditional perimeter security. As a result, it could not be used in the corporate setting. Mobile employees had to rely on network devices and VPN connections if they needed access from a remote location. This did not prevent the use of personal devices in corporate networks, because many employees found ways to get around these limitations by copying data to their laptops, emailing files to themselves, or using apps like Dropbox to store data outside the network.
IT teams developed secure BYOD environments with a new approach. Mobile device management (MDM) solutions enforced security policies on personal devices and allowed IT teams to remotely revoke access and remove data from a device as needed. The growing use of web access and software-as-a-service (SaaS) applications allowed authorized users to access applications directly with no need to connect to the network. Mobile devices were getting smarter, and many mobile employees found that tablets and smartphones were suitable replacements for laptops. The formal acceptance of personal devices in the workplace was growing. Security vendors were creating mobile apps to make VPN deployment easier, and companies like Microsoft and Salesforce were making public-facing web applications more secure.
Benefits of BYOD
Business managers also found benefits in BYOD. Employees preferred using their own devices, and they were often more productive when using a device that they owned. In many cases, employees refreshed their own devices more frequently than the company did, which put better technology into the hands of the workforce. Companies were also noticing a bottom-line impact. One study from the early years of BYOD found that companies with as few as 500 employees could save $1.5 million per year in IT costs by embracing the use of personal devices.
The benefits of BYOD were made possible by moving away from these assumptions:
- Accessing resources from the office is more secure than remote access
- An authenticated VPN connection is always secure
- Employee-owned devices are not as secure as corporate devices
How BYOD can help explain Zero Trust
BYOD is not strictly a Zero Trust story. It’s also a story of smartphones, app stores, Wi-Fi, SaaS, and many other technologies. But using BYOD as an example makes the Zero Trust paradigm shift easier for a non-technical stakeholder to understand. Not all companies allow BYOD, but most people understand what it is. This is especially true since the pandemic lockdowns forced millions of office employees to work from home. A large portion of the workforce used their own devices as they waited for the company to ship corporate assets.
In our next post in the series, we’ll review the core principles of Zero Trust. You can read all posts in the series here.