Augusto Morales is a Technology Lead (Threat Solutions) at Check Point Software Technologies. He is based in Dallas, Texas, and has been working in cyber security since 2006. He got his PhD/Msc in Telematics System Engineering from the Technical University of Madrid, Spain and he is also Senior Member of the IEEE. Author of more than 15 research papers focused on mobile services. He holds professional certifications such as CISSP, CCSP and others.

In our increasingly interconnected digital domain, the convergence of Zero Trust Network Architecture (ZTNA), mobile devices and identity management has emerged as a critical focal point within cyber security. At-a-glance, these three elements may seem unrelated, but the rising prevalence of mobile devices as key tools for user and system authentication, often through multi-factor authentication, has blurred the lines between them.

In this interview with expert Augusto Morales, we delve into the security challenges and opportunities arising from this convergence. Don’t miss this!

1. How does the convergence of ZTNA, mobile devices and identity management impact the overall security posture of an organization?

At first glance, these three components—ZTNA, mobile devices, and identity management—seem to belong to different areas of cyber security. However, due to the increasing use of mobile devices as conduits to identify users and systems through methods like MFA, the lack of visibility between the interactions increases the attack surface for organizations.

For example, in a hypothetical scenario, a mobile device gets compromised because of a malicious application or an event, like smishing. Device compromise poses a risk to users’ identities. The core concept of ZTNA proposes that organizations should actively monitor deviations from baseline policies during sessions. In other words, if a mobile threat detection system exists, it should enforce controls to prevent these attacks. The current challenge has to do with the exploitation of Multi-Factor Authentication (MFA) mechanisms by malicious actors.

Another common example is seen among organizations that, in providing MFA, allow users to accept a push notification to confirm their identities. Cyber criminals take advantage of this by sending numerous MFA requests, a practice known as MFA bombing, to end-users until users accept and unintentionally authenticate the criminals.

MFA bombing, a.k.a. MFA fatigue, also presents other challenges. Some concepts within ZTNA address the situation, such as by inspecting behavioral and environmental attributes like geo-location. However, problems can arise when the human element is involved, and implementing ZTNA is not always possible due to privacy, technical, and regulatory constraints, such as BYOD, the impossibility of applying TLS inspection, and GDPR.

The paragraphs above describe examples of convergence and the challenges involved in achieving ZTNA. There are also initiatives aimed at reducing the cyber attack surface in these convergences. As a result, this topic will become something that organizations should address at the architectural level.

2. What are the implications of Bring Your Own Device (BYOD) policies in the context of ZTNA and identities for governments?

The popularity of BYOD is increasing; however, there is a limited ability to implement security controls and achieve ZTNA with a tolerance and risk level that’s acceptable for most companies. This challenge spans private and public organizations, as well as governments.

For instance, governments are accelerating the use of digital identities, particularly in the European Union. The basic idea is to use our mobile phones to prove who we are instead of relying on physical cards. This means that cyber criminals might start targeting mobile devices more often, as they are now crucial for verifying identities in government and private activities.

Imagine if cyber criminals were to steal a digital driver's license; they could use it to impersonate individuals and carry out malicious actions, like taking out legitimate loans or even boarding planes.

Hackers could also steal identities to mislead authorities during cyber crime investigations. The same applies to data tampering. This situation could pose a very risky scenario for users, resembling what has been seen in financial institutions, where despite 40 years of research, industry consortiums, and billions of dollars invested, cloned cards, ATM hijackings, and recent abuses of AI to harvest financial data still persist.

The problem is that BYOD implementations haven't received as much attention as they should have in terms of access control. Protecting private phones is complicated because organizations need to find a balance between keeping user information private and ensuring the protection of company data and identities. The entire industry is still figuring out whether it should prioritize security over convenience.

Based on our experience in many customer engagements, we have noticed difficulties in implementing cyber security concepts in the mobile world. For example, security controls like encrypted data-in-motion inspection pose problems, as certificate pinning is now widely implemented in applications. Therefore, it is imperative to understand how the mobile ecosystem works and how to implement reference architectures and guidelines provided by NIST.

Another related challenge is associated with the world of mobile software. It is essential to understand how and when to apply ZTNA principles to mobile software and its execution in non-trusted environments, such as the mobile OS itself or the network.

3. In the context of identity management, what are the best practices for ensuring strong authentication and authorization controls for mobile users accessing corporate resources under a zero trust model?

The recommendations that we consistently convey to our customers are closely tied to their business use cases and how to provide both protection and convenience. It is also crucial to assess the maturity, comprehension, and applicability of ZTNA and, lastly, the applicable mobile strategy (e.g., BYOD, CYOD, and COPE). Nevertheless, we can outline some generic best practices below:

A) Implement MFA company-wide for users and systems. This applies to all forms of Private Access, VPN, or SaaS applications.

B) Implement number or code matching.

C) Protect the enrollment process and use physical means to verify the legitimacy of the parties involved. For instance, a combination of voice, location, physical presence, and specific out-of-band knowledge can be utilized.

D) When possible, apply Mobile Threat Defense, or include self-protection features in applications that manage or interact with sensitive data at-rest and data in-motion.

E) Review default configurations and adapt them to meet the required identity governance policies. In the case of mobile phones, posture management helps continuously validate changes in software, such as CVEs and unsecured settings.

F) Identify anomalies in authorization and access control, particularly for SaaS applications.

4. How can organization balance user convenience and cyber security when implementing multi-factor authentication (MFA) for mobile users in a Zero Trust environment?

There are technical methods to protect mobile devices as the primary MFA mechanism. In some cases, maintaining this balance can be achieved through a thorough assessment of the attack surface. For instance, many companies use SMS as an MFA mechanism. In such cases, a Mobile Threat Defense solution like Harmony Mobile can inspect SMS messages and proactively identify potential malicious links. In other cases, it can notify cyber security staff if vulnerable applications are installed, enabling proactive conditional access enforcement.

To strike a balance between convenience and security while protecting MFA on mobile phones, we recommend three approaches:

  1. Implement a Mobile Threat Defense (MTD) solution, such as Harmony Mobile. This control helps thwart attacks targeting MFA, even new techniques like “quishing” It monitors the network for potential Man-in-the-Middle attacks and deviations in the quality of the mobile OS that could compromise the integrity of the MFA workflow, such as with rooted or jailbroken phones. Additionally, MTD can identify malicious campaigns targeting high-profile individuals, which is particularly relevant in today's environment where criminals employ AI-driven “vishing” attacks.
  2. Utilize Mobile Application Management (MAM), where applications are managed via Mobile Device Management (MDM), and posture checks are continuously conducted by a Mobile Threat Defense (MTD) solution. In cases of violations, especially in BYOD scenarios, MTD can alert risky states to managed applications. As a result, these apps can cease providing access to MFA mechanisms like push notifications and password-less methods. A common example is the use of Microsoft Authenticator for MFA, known for its convenience. The MTD can block access to the service's IP addresses and domains if continuous validation is necessary and a violation is detected. This aligns with one of the key tenets of ZTNA.
  3. Incorporate a secure engine within the app providing the MFA mechanism. This is especially suitable for BYOD environments. Harmony App Protect is an example of this control. In this mode, the MFA independently monitors the network conditions and the mobile OS. It halts any authentication process in case of violations. This approach offers benefits in terms of privacy and user convenience as it doesn't require additional software. The ZTNA policy decision point (PEP) and policy enforcement points (PEP) run locally on the phone based on pre-established policies to control the MFA workflow. However, a potential drawback of this method is its inflexibility regarding policy changes, such as IoC/IoA updates or containment policies, which may necessitate a new application update. Additionally, it could impact incident management plans and business continuity, requiring user interaction.

5. What are the potential risks and benefits of integrating mobile device biometrics (e.g., fingerprint or facial recognition) as part of the identity verification process within a ZTNA strategy?

The entire mobile ecosystem and society have demonstrated that biometrics are the de facto method for identity verification. When available, biometrics offer distinct advantages over traditional validation methods. However, it's essential to understand that the triad of authentication factors – something you are, something you know, and something you have – should always be combined. Relying solely on biometrics can create a false sense of security. Studies, such as this one and this one, have shown that even real-time attacks on biometrics are possible. Therefore, it is crucial to consistently apply a defense-in-depth approach.

The ZTNA strategy can depend on continuous diagnostics and mitigation, as well as threat intelligence feeds to assess the likelihood of a mobile attack. Both Android and iOS have implemented hardware mechanisms to protect the Secure Enclave and biometric data from tampering and exfiltration. In the case of Android, due to OS fragmentation, addressing vulnerabilities at the hardware level is more challenging, which increases overall risk. There have been instances where vulnerabilities in system-on-chip components were exploited, raising the risk of privilege escalation. Such situations could compromise the identity verification process.

6. Is there anything else that you would like to share with the CyberTalk.org audience?

The industry and security practitioners should collaborate to address the security perception offered by certain actors. There is no single silver bullet provided by a “mobile ZTNA product” that can solve identity management. A ZTNA strategy will always depend on how well mobile data flows are understood and how much visibility is maintained over the entire mobile ecosystem, which gposts in complexity each day. This ecosystem encompasses applications, APIs, backends, mobile OS, and, of course, the human element. It may seem overwhelming, but a good starting point is to apply proven mobile security practices to common use cases.

You may also like