I Am The One Who Knocks — Device Posture and Detecting the Danger In Your Devices

With growing mobile and remote workforces, enterprises must allow many different device types to access their applications in the name of productivity and flexibility. Traditional, perimeter-based security methods are no longer viable due to their complexity, maintenance overhead, and inherently insecure model. Instead, businesses should shift their focus to verifying who and what is accessing a network and eliminating the perimeter.

The classic story of the Trojan horse comes to mind — not everything is as it seems. Little did the city of Troy know that the Greeks, masquerading as loyal soldiers, would bring about the downfall of the city once inside its walls. We use many devices in our modern lives, and all can serve as vehicles to carry unknown dangers right through the front door of our protected enterprise environments. How can we safeguard our enterprise applications given the rise of bring your own device (BYOD) and efforts to provide secure access anytime, anywhere?

In today’s dynamic business environment, it is best practice to utilize zero trust security. It’s imperative that organizations concentrate on verifying not only user identity, but the devices being used for access. The verifications themselves should also be dynamic in nature and require thinking more along the lines of an adaptive security architecture. Verify risk in the beginning, but keep verifying so that we can have an ongoing picture of changing security posture.

Akamai’s Enterprise Application Access can enable enterprises to do just that with its device posture features. These capabilities are designed to give enterprises insights into the devices that are accessing their protected applications and enable more informed decisions about security. Device details are essential data points when evaluating any application access and should be considered part of best practices for completing your enterprise’s view of security.

Generally, user identity is understood, but we often know very little about the device being used by the individual. Enterprise applications may be accessed by various means, such as desktop and laptop computers, as well as mobile devices. These may be corporate devices or BYOD, which changes the device’s risk profile. Devices might be managed or unmanaged depending on the enterprise’s device presence, and each case requires different risk considerations. Even though the user identity has been verified, enterprises may still be vulnerable based on a device’s characteristics. Enterprise Application Access device posture can help reduce that risk by having a presence on the device.

What are some questions administrators should consider asking about the devices they allow to access applications?

  • Is the OS patched against the latest security vulnerabilities?
  • Are automatic updates enabled so the device is always up to date?
  • Is the device running anti-malware to protect against malicious programs?
  • Does the device have a firewall enabled?

With Enterprise Application Access device posture, we can enable your access policies to answer these questions at the point of access. You can allow the devices you consider safe and remove the burden of constant monitoring.


Since all applications are different, you may want distinct levels of security for varying situations. Would you like to treat your sensitive finance applications differently than the company newsletter website? Enterprise Application Access can ensure that only devices with the latest OS updates have access to your sensitive applications. How about confirming that the installed browsers are updated with patches for known exploits? Or, would you like to allow devices to access your help desk even if the devices are not running the latest and greatest updates? Enterprise Application Access device posture empowers administrators with this control, allowing them to make granular decisions about access.

The device posture functionality enables administrators to create device-based access controls for a broad set of devices or for specific applications, depending on the desired level of security. In addition, device posture can provide end users with details that help them to understand the possible security issues that restricted their access. This allows users to self-remediate, helping to reduce the burden on support staff.
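The per-application posture policy described above, as an added illustration that is not Enterprise Application Access’s own code or configuration: the posture signals mirror the four questions from the list, the policy tiers (finance, help desk, newsletter) and the remediation hints are constructed, and a second function re-runs the check on later posture snapshots to show the "keep verifying" idea rather than a one-time gate.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed posture signals, one per question the post asks
# (OS patched, auto-updates on, anti-malware running, firewall on, browser patched),
# plus whether the device is corporate-managed, which changes its risk profile.
@dataclass(frozen=True)
class DevicePosture:
    os_patched: bool
    auto_updates: bool
    anti_malware: bool
    firewall: bool
    browser_patched: bool
    managed: bool

# Hypothetical per-application policy: the checks a device must pass.
# A check not listed is simply not required for that application.
APP_POLICIES = {
    "finance": {"os_patched", "auto_updates", "anti_malware", "firewall", "browser_patched", "managed"},
    "helpdesk": {"anti_malware", "firewall"},  # tolerates an outdated OS, as the post suggests
    "newsletter": set(),                       # low sensitivity: no posture requirement
}

# Constructed remediation hints handed back to the user so they can self-remediate.
REMEDIATION = {
    "os_patched": "Install pending operating system updates.",
    "auto_updates": "Turn on automatic updates.",
    "anti_malware": "Start or install the anti-malware client.",
    "firewall": "Enable the host firewall.",
    "browser_patched": "Update the browser to the latest release.",
    "managed": "This application requires a corporate-managed device.",
}

def evaluate_access(app: str, posture: DevicePosture) -> tuple[bool, list[str]]:
    """Return (allowed, remediation steps) for a device requesting `app`.
    Unknown applications are denied rather than silently allowed (fail closed)."""
    if app not in APP_POLICIES:
        return False, ["Unknown application; access denied by default."]
    failed = sorted(check for check in APP_POLICIES[app] if not getattr(posture, check))
    return (not failed), [REMEDIATION[check] for check in failed]

def session_reevaluate(app: str, snapshots: list[DevicePosture]) -> int | None:
    """Re-run the policy on each posture snapshot taken during a session.
    Returns the index of the first snapshot that fails (when access should be
    revoked), or None if the device stayed compliant throughout."""
    for index, snapshot in enumerate(snapshots):
        allowed, _ = evaluate_access(app, snapshot)
        if not allowed:
            return index
    return None
```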


Often, administrators do not have a clear picture of what devices are accessing corporate applications — let alone the devices’ risk profiles. With the information provided by Enterprise Application Access device posture, administrators can gain a deeper understanding of their users’ devices and device-level details. Armed with this information, administrators can quickly evaluate their device population and make swift decisions about the overall safety of their applications, taking proactive action to help avoid security incidents caused by device-based vulnerabilities.


To fully embrace zero trust, we must consider realigning our view of best practices to include devices — they are a critical part of risk evaluation. By providing enterprises with the device-level insights, Enterprise Application Access can help reduce risk, improve your overall security posture, and reduce the burden on your organization’s support resources.

In future posts we will discuss how EAA Device Posture can also help your organization leverage security signals from advanced threat detection solutions, such as Akamai’s Enterprise Threat Protector and solutions from Carbon Black, to enrich the information available for evaluating device risk.

What if the soldiers of Troy had checked inside the Trojan horse, examining in detail what was about to come through the city’s gates? If they had followed the mantra of “never trust, always verify,” we might be telling a different story.

Visit for more information and to start a free trial.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by James Chan. Read the original post at: