For years companies have been allowing their workers to mix business and pleasure on their mobile devices, a move that’s increased anxiety among cybersecurity professionals. Now a network security outfit says it has a way to secure personal mobile devices that might allow cyber warriors to sleep less fitfully.
Cloudflare on Monday announced its Zero Trust SIM, which is designed to secure every packet of data leaving a mobile device. After it’s installed on a device, the ZT SIM sends network traffic from the device to Cloudflare’s cloud where its Zero Trust security policies can be applied to the data.
According to a company blog written by Cloudflare Director of Product Matt Silverlock and Innovation Head James Allworth, by combining software layer and network layer security through ZT SIM, organizations can benefit by:
- Preventing employees from visiting phishing and malware sites. DNS requests leaving the device can automatically and implicitly use Cloudflare Gateway for DNS filtering.
- Mitigating common SIM attacks. An eSIM-first approach can prevent SIM-swapping or cloning attacks, and by locking SIMs to individual employee devices, bring the same protections to physical SIMs.
- Deploying rapidly. The eSIM can be installed by scanning a QR code with a mobile phone’s camera.
Distrust of Personal Devices
“A lot of organizations don’t trust devices that they’re not managing to access sensitive corporate data for a lot of good reasons,” observed Gartner Senior Director Analyst Charlie Winckless.
“Most of us are a little less careful with our personal devices than we are with our business devices,” he told TechNewsWorld. “There are also fewer controls on a personal device than a business device.”
“Zero Trust SIM is an approach to try to allow some of those personal devices to have controls on the corporate network as they connect up,” he added.
With a distributed workforce, the classic hub and spoke model for security has been rendered obsolete, explained Malik Ahmed Khan, an equity analyst with Morningstar in Chicago.
“So, you have employees accessing company resources with a mobile device sitting across the country in their own house,” he told TechNewsWorld. “How do you secure their access? It’s a big question for firms to answer.”
The answer to that question for many organizations has been installing software agents on their employees’ phones as part of a mobile device management (MDM) system, which can rankle employees.
“Securing anyone’s personal device is just inherently harder because the owner may not want their device to be managed by someone else,” said Roger Grimes, a data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.
Khan maintained that adoption will be a key challenge for Cloudflare. “There are two degrees of convincing that need to happen,” he said. “First, Cloudflare needs to convince firms to take this up and second, firms need to convince their employees to use the eSIM.”
Grimes added that there are other snags confronting organizations dealing with BYOD. “Phone operating systems simply don’t come with the complexity that’s needed to enable and enforce methods that are very commonly enforced on regular computers,” he told TechNewsWorld.
“For example,” he continued, “it’s very difficult to enforce patching so that phones and all their apps are kept up to date. Many times the phone’s OS will only be patched when the phone network provider, such as Verizon or AT&T, decides to push the patches.”
“The user can’t just click on an update feature and get a new patch, unless the phone vendor has approved and decided to allow it to be installed,” he said.
When considering the eSIM solution, it’s important to know what it does and does not do, observed Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“Utilizing Cloudflare’s eSIM connects mobile device’s cellular data connections to Cloudflare’s network, where blocking of malicious domains or sites not approved by the organization’s policies can occur,” he told TechNewsWorld.
“There are also capabilities for logging connections that go over the cellular data network that companies would normally not be able to monitor,” he added.
However, he continued, that there is no end-to-end encryption and the blocking and logging is limited to cellular data connections only. Wi-Fi data connections, for example, are unaffected by the eSIM offering.
“Cloudflare’s eSIM solution may be cheaper and simpler than deploying full mobile device management solutions and whole network VPN’s that cover both Wi-Fi and cellular data connections, but it doesn’t provide the same level of control and security those solutions offer,” he said.
“The ability to mitigate user account hijacking by preventing SIM swapping to intercept multifactor authentication codes is useful but, in reality, it’s no longer a best practice to implement MFA through SMS codes,” he added.
Khan pointed out, though, that agent-based solutions have problems that the Zero Trust SIM offering is meant to address. “The issue with these deployments is that they require the user to take a deep dive into their device’s settings and accept a bunch of certificates and enable permissions for the agent,” he explained.
“While it is much easier to get this done on a company-issued laptop or mobile device — since the agent would be preconfigured — it’s significantly harder to do so on a BYOD, as the employee may not set things up properly, leaving the endpoint still partly exposed,” he said.
“Imagine being an IT security team for a firm with thousands of employees and trying to get every one of them to follow a series of steps on their personal devices,” he continued. “It can be a nightmare, logistically speaking.”
“Also,” he added, “there could be an issue with updating the agent uniformly and constantly asking employees to be on the latest operating system.”
Mobile’s Big Headache
In addition to the ZT SIM introduction, Cloudflare also announced its Zero Trust for Mobile Operators program designed to give mobile carriers the opportunity to offer their subscribers access Cloudflare’s Zero Trust platform.
“When I speak to CISOs I hear, again and again, that effectively securing mobile devices at scale is one of their biggest headaches. It’s the flaw in everyone’s Zero Trust deployment,” Matthew Prince, co-founder and CEO of Cloudflare, said in a statement.
“With Cloudflare Zero Trust SIM,” he added, “we will offer the only complete solution to secure all of a device’s traffic, helping our customers plug this hole in their Zero Trust security posture.”
How the market will react to that solution, however, remains to be seen. “I haven’t heard clients of Gartner asking for this,” Winckless said. “Maybe they’ve seen something that I haven’t. So, we’re going to see if this is an answer to a question no one needs answering or a transformative way of delivering security.”