The Device as a Service model (DaaS) for consuming end user devices, including their supply, support and life-cycle management has gained popularity over recent years, delivering on the promise of allowing organisations to focus their precious IT resource on core business activities, writes Dr Bernard Parsons, CEO Becrypt Ltd.
DaaS uptake has increased in many sectors in parallel with organisations increasing their general use of cloud-based services. As even the most traditionally ‘security-conscious’ organisations increase their cloud workloads, DaaS can become increasingly relevant and attractive to all.
But for some of the more security-focused organisations, incorporating the Device as a Service model within their risk management processes can be a challenge. Effectively outsourcing the management of end user devices does not of course outsource any regulatory obligations or liabilities an organisation has, whether relating to the privacy of data, or the availability and integrity of essential systems.
Today’s maturity of cloud platform security does at least mean that correctly configured and maintained cloud platforms can not only simplify compliance activities but, more importantly, support informed risk management processes.
The security budgets and expertise of the cloud platform providers significantly exceed those of most organisations, and consequently authorities such as the National Cyber Security Centre (NCSC) now advocate adopting cloud where possible for deploying secure and resilient systems, and provide extensive guidance on doing so.
But just as cloud platforms need to be securely configured, monitored and maintained, so do the endpoints that access cloud services, and while DaaS may make endpoint management transparent, any deficiencies on the part of the DaaS provider may result not only in costly disruption to dependent services, but in potential regulatory failings. Fortunately, the endpoint security market is also maturing, making it easier for those that wish to do so to configure end user devices in a way that simplifies both compliance and risk management. Recent years have seen a gradual shift from a ‘detect’ mentality towards ‘prevent’ as the basis for robust endpoint security. It is well accepted that traditional anti-virus has long since had its day, and adding the latest Machine Learning to struggling layers of anomaly detection has done little to shift the advantage away from the determined attacker, although good security monitoring must always be part of the cyber defence toolkit.
Endpoint platforms are increasingly providing greater ability to robustly prevent system compromise, making it easier for DaaS suppliers to provide appropriate assurances of ongoing endpoint device health and controls. Such approaches are nothing new. Any confidence we have in the state of an iPhone, for example, results from the hardware-backed security architecture that Apple has implemented, rather than from third-party client software. Microsoft has extended the health measurements of its platforms to prevent undetected compromise of system components, though it has not yet extended this through the full software stack.
However, a recent NCSC-funded project referred to as CloudClient demonstrated how robust health measurements could be applied to all software running on an endpoint device, with the corresponding health measurements used to control access to online services.
Technology developed for CloudClient is now deployed across multiple UK Government departments, and the project’s findings are reflected in the public NCSC guidance on Zero Trust Networks, an approach NCSC recommends when deploying new IT architectures, particularly where significant use of cloud technology is planned. While significant hype surrounds the term ‘Zero Trust’, the core principle of combining user and device identity with validated health measurements to define the policy that controls access to services can provide a strong foundation for effective risk management. Major platform providers are rapidly evolving the mechanisms for deploying such policies, with Microsoft Conditional Access Control for Office 365 and Azure resources being a popular example.
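To make the Zero Trust principle above concrete, the following is an added illustration (not CloudClient's or any vendor's code) of a policy check that combines user identity, device identity and per-component health measurements into one access decision. The manifest, enrolment lists and freshness window are constructed values for the example; the decision fails closed, recording every reason so the denial can be audited.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed known-good manifest: SHA-256 of each software component an
# enrolled device is expected to be running (placeholder digests).
KNOWN_GOOD = {
    "bootloader": hashlib.sha256(b"bootloader-v3").hexdigest(),
    "kernel":     hashlib.sha256(b"kernel-5.x").hexdigest(),
    "agent":      hashlib.sha256(b"health-agent-1.2").hexdigest(),
}
ENROLLED_DEVICES = {"dev-001", "dev-002"}   # device identities (constructed)
ALLOWED_USERS = {"alice", "bob"}             # user identities (constructed)
MAX_REPORT_AGE_S = 300                        # assumed freshness window

@dataclass
class HealthReport:
    device_id: str
    user_id: str
    measurements: dict   # component -> hex digest measured on the device
    age_seconds: int     # time elapsed since the report was produced

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)

def evaluate_access(report: HealthReport) -> Decision:
    """Grant access only when user, device and every required health
    measurement check out; otherwise deny and list each failing control."""
    reasons = []
    if report.user_id not in ALLOWED_USERS:
        reasons.append("user not authorised")
    if report.device_id not in ENROLLED_DEVICES:
        reasons.append("device not enrolled")
    if report.age_seconds > MAX_REPORT_AGE_S:
        reasons.append("health report stale")
    # Every component in the manifest must be present and match exactly;
    # an absent measurement is a failure, never treated as "unknown but ok".
    for component, expected in KNOWN_GOOD.items():
        measured = report.measurements.get(component)
        if measured is None:
            reasons.append(f"{component}: no measurement")
        elif not hmac.compare_digest(measured, expected):
            reasons.append(f"{component}: measurement mismatch")
    return Decision(allowed=not reasons, reasons=reasons)
```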
With permanently over-stretched IT and security resources, the prospect of consuming a secure DaaS offering will remain an attractive strategy for shifting internal resource to core business services. As both cloud and endpoint security continue to mature, it will become easier to find DaaS suppliers using published architectures and controls that demonstrably minimise the risk of cyber incidents occurring, and provide the mechanisms to effectively support regulatory compliance.