Initiating your Zero Trust Security Framework

Moving to the Cloud: The SASE Puzzle Part 2

What is a Zero Trust Network?

Zero Trust as a security practice embodies the personality of a personal bodyguard: trust no one. A Zero Trust network requires all users to be authorized and continuously validated on a variety of checkpoint decisions before accessing corporate applications and data. It requires continuous monitoring from organizations so they can validate a user has the right access and privileges. Zero Trust is implemented and supported by the controls available in the SASE architecture but is not the same thing as SASE.  

The graphic below shows a common, high-level Zero Trust execution with example checkpoints; however, it does not represent a complete Zero Trust architecture and is not the full extent of implementation options. 

Zero Trust Security Framework

ZTNA (Zero Trust Network Access) vs. ZTX (Zero Trust Extended)

While the Zero Trust framework has typically been associated with protecting just your network, it is now clear that Zero Trust can be applied to anything. According to NIST SP 800-207, a Zero Trust architecture (ZTA) “uses zero trust principles to plan industrial and enterprise infrastructure and workflows.” Enter Zero Trust Extended (ZTX). A report by Forrester explains that ZTX is the application of the Zero Trust framework to your whole enterprise: ZTX extends the adaptive trust model of no implicit trust, granting access only on a need-to-know, least-privilege basis across the organization.

Forrester identifies key pillars for determining whether a technology or solution qualifies under the ZTX framework:

  1. Network: What does the technology do to enable the principles of network isolation, segmentation, and security? 
  2. Data: What does the technology do that enables data categorization, schemas, isolation, encryption, and control? 
  3. Workforce: How does the solution work to secure the humans that are using the network and business infrastructure, and does the solution reduce the threat that users create? 
  4. Workload: Does the solution or technology secure areas such as cloud networks, apps, and anything else that a business or organization uses to make the business operate technically? 
  5. Automation and Orchestration: How does the technology or solution automate and orchestrate Zero Trust principles and empower the business to have more powerful control of disparate systems? 
  6. Visibility and Analytics: Does the technology or solution provide useful analytics and data points and eliminate dark corners of systems and infrastructure? 


Zero Trust Implementation

Begin with an Assessment – Any new project should always start with examining what tools you already have in place. You may already have some of the tools necessary to respond to Zero Trust policy checkpoints. Zero Trust is not necessarily a set of new technologies; rather, it is a distinct way of looking at security and the amount of trust given to certain people and systems. Look at Zero Trust as a way of requiring additional information from a user before giving them access. Establishing what you truly need tells you which technologies, current or new, will accomplish it in the most efficient way.

An emerging Zero Trust implementation method is multifactor authentication (MFA). MFA requires multiple methods of authentication to verify a user for a login or other transaction. Just like Zero Trust, MFA gathers additional information through an extra verification step. Many organizations are choosing to implement MFA as part of their Zero Trust security plan; methods can include SMS, OTP Token, Mobile OTP, Mobile Push, Smart Card, or FIDO/Web Authentication Device.

If MFA does not sound familiar, 2-factor authentication (2FA) may ring a bell. 2FA is just a subset of MFA. 2FA is exactly as it sounds – two pieces of evidence, or factors, to prove your identity before logging into a system. The goal of both is the same: provide an extra method (or methods) of verification for an identity. MFA uses additional information about the user when deciding whether to require a second factor of another type, such as password and SMS, or SMS and then a third-party token. Traditional 2FA does not consider user access information (new system, previously seen system, new IP address, new country) when determining authentication factors. Overall, MFA is more secure than 2FA since it can leverage multiple identity factors based on additional data points (location, time, IP address, etc.).

Newer to the terminology is AMFA, Adaptive Multi-Factor Authentication. Where MFA is not as aware of what could be considered unusual authentication behavior, AMFA comes into play. AMFA can offer different patterns of MFA based on a variety of information beyond what MFA alone provides. It can also determine when a step-up authentication is required to access information, and not require it when it is not needed. This is an improvement over always-on 2FA, which completes the full challenge every time. Keep in mind that not all vendors support or offer AMFA. If you find a vendor that does support AMFA and you can leverage that vendor in connection with other vendor products, then you extend the value of AMFA across the board.
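To make the contrast between always-on 2FA and adaptive step-up concrete, here is an added illustration (not code from this post or from any vendor) of a risk-based factor decision driven by the signals named above: known versus new device, new IP address, new country, and time of access. The weights, thresholds, factor names, and the sample user history are assumptions constructed for the example.

```python
# Added illustration of adaptive (risk-based) MFA vs. always-on 2FA. Signals are
# the ones the text names; weights, thresholds and factor names are assumptions.
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class UserHistory:
    """Devices, IPs and countries seen on a user's previous successful logins."""
    known_devices: set[str] = field(default_factory=set)
    known_ips: set[str] = field(default_factory=set)
    known_countries: set[str] = field(default_factory=set)

@dataclass
class LoginContext:
    user: str
    device_id: str
    ip: str
    country: str
    when: datetime  # timezone-aware

@dataclass
class Decision:
    action: str          # "allow", "step_up" or "deny"
    factors: list[str]   # factors the user must complete, in order
    score: int
    reasons: list[str]   # why the score is what it is, for audit logging

# Assumed weights for each risk signal.
NEW_DEVICE, NEW_IP, NEW_COUNTRY, OFF_HOURS = 2, 1, 3, 1

def risk_score(history: UserHistory, ctx: LoginContext) -> tuple[int, list[str]]:
    """Score one access attempt from its context; 0 means nothing unusual."""
    score, reasons = 0, []
    if ctx.device_id not in history.known_devices:
        score += NEW_DEVICE
        reasons.append("new device")
    if ctx.ip not in history.known_ips:
        score += NEW_IP
        reasons.append("new IP address")
    if ctx.country not in history.known_countries:
        score += NEW_COUNTRY
        reasons.append("new country")
    hour = ctx.when.astimezone(timezone.utc).hour
    if hour < 6 or hour >= 22:
        score += OFF_HOURS
        reasons.append("off-hours access")
    return score, reasons

def static_2fa(ctx: LoginContext) -> list[str]:
    """Traditional 2FA: the same two factors every time, regardless of context."""
    return ["password", "sms"]

def adaptive_mfa(history: UserHistory, ctx: LoginContext) -> Decision:
    """AMFA: pick the factor pattern from the risk of this attempt. No step-up
    when nothing is unusual, stronger factors as risk grows, and an outright
    deny at the top of the scale so an analyst can review the attempt."""
    score, reasons = risk_score(history, ctx)
    if score == 0:
        return Decision("allow", ["password"], score, reasons)
    if score <= 2:
        return Decision("step_up", ["password", "mobile_push"], score, reasons)
    if score <= 5:
        # Riskier attempts get a phishing-resistant second factor.
        return Decision("step_up", ["password", "fido_webauthn"], score, reasons)
    return Decision("deny", [], score, reasons)

def record_success(history: UserHistory, ctx: LoginContext) -> None:
    """Once every required factor succeeds, remember the context so the same
    device and location are not treated as unknown next time."""
    history.known_devices.add(ctx.device_id)
    history.known_ips.add(ctx.ip)
    history.known_countries.add(ctx.country)

def sample_history() -> UserHistory:
    """Constructed history for user 'alice'."""
    return UserHistory({"laptop-01"}, {"203.0.113.10"}, {"US"})

def make_attempt(device_id: str, ip: str, country: str, hour: int) -> LoginContext:
    """Constructed attempt by 'alice' on a fixed date; only the UTC hour varies."""
    return LoginContext("alice", device_id, ip, country,
                        datetime(2024, 3, 4, hour, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    hist = sample_history()
    for a in (make_attempt("laptop-01", "203.0.113.10", "US", 14),  # all known
              make_attempt("phone-77", "198.51.100.5", "DE", 3)):   # everything new
        d = adaptive_mfa(hist, a)
        print(f"{a.device_id}: 2FA={static_2fa(a)} AMFA={d.action}{d.factors} {d.reasons}")
```

The `reasons` list is what you would write to the audit trail so that step-ups and denials can be reviewed later.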

After Implementation – After implementing Zero Trust, evaluate your environment. Is it executing the way you expected? Is it doing everything the vendors indicated it would? Do you find yourself looking for simpler ways to troubleshoot? There is no such thing as a stagnant implementation; unfortunately, you cannot just install and move on! Your organization is constantly changing and adapting to serve your customers in the best way possible, and your growing employee base and device changes all impact your implemented solutions. Look at your auditing history and behavior analytics in your environment. There may be a new requirement on the horizon that you did not have before, so you need to start scoping out what solution will be a good fit and budget accordingly, knowing the product you need.

Connecting Zero Trust and SASE

SASE (Secure Access Service Edge) restricts access at all edge access points, including mobile, users, locations, and cloud datacenters or resources, which aligns with the ZTNA principles. SASE is a cloud architecture model; however, Zero Trust is emphasized as a piece of the execution because it helps enforce the least-permission model while still providing strong authentication and authorization controls. As a whole, Zero Trust expects the execution of the principle of least privilege (POLP) for network access. ZTNA, or Zero Trust, adds to SASE by leveraging micro-level evaluation of the access attempt (who, what, where, when) along with other variables to provide enriched information that informs policies for permitting or denying access. Zero Trust is a core element of SASE and should be present in a SASE deployment scenario along with a CASB (Cloud Access Security Broker).

In the simplest terms, SASE is the “how” to Zero Trust’s “what.” You can implement Zero Trust without SASE, and vice versa; however, in such a configuration you may miss some of the components necessary to secure all desired points of access. Many use the terms interchangeably, but SASE is delivered as a service, acting as individual checkpoints that are constantly evaluating the risk, timing, user, user location, user device, and authorization. Zero Trust, in turn, is implemented and supported by the controls available in the SASE architecture. Zero Trust may verify everything, but on their own its tools may not provide the level of security offered by SASE. SASE may combine network security functions to cover the digital enterprise’s spread, but without Zero Trust it will miss the additional user/device identity data enrichment during the connection request that expands in-depth permission policies to protect the data and resources accessed.

At Braxton-Grant, we are a multi-vendor integrator with deep experience in Zero Trust implementation that you can leverage. Reach out to us to get started today!

Key Considerations and Lessons Learned for NIST 800-171 Compliance

Key Consideration #1 - Understand NIST 800-171 and where you are as a company.

Before taking on any new project, the first goal should always be to reflect on where you currently are as a company and where you would like to be in the future. If you are looking for a starting point, ask these evaluation questions:

1. What is NIST 800-171?

Understanding the complexities of obtaining NIST 800-171 compliance gives you the knowledge of what needs to be met. Currently, it contains 110 security controls across 14 categories.

Key NIST Concepts

  • Scope – Refers to which systems and networks are included in an assessment (your entire network may or may not be “in scope”).
  • Projects
  • Gap Analysis – A gap assessment helps an organization find gaps in its network and solutions to fill them. Learn more about our Complete Gap Assessment.

2. Are you familiar with what CUI is?

Controlled Unclassified Information is a type of marking used by the federal government to identify information and confidential data that is not classified, yet requires protection from unnecessary disclosure (i.e., financial records, PII, FOUO).

3. Have you defined a timeline?

With the knowledge you have gained about NIST 800-171, plan out a realistic timeline to implement controls and Plans of Action & Milestones (POAMs). Hint – this will take longer than you think! Ensure that ample time is given to accomplish tasks so that time is allocated well and expectations are realistic. Overall, a gap analysis is critical to understanding what needs to be accomplished and potentially how much that will cost.

Next, make sure you have the full support of management. Completing a NIST 800-171 System Security Plan will require contributions from other parties within your organization, including HR, management, and security.

4. Do you have funding?

Working through NIST 800-171 compliance requires a great deal of time and effort. This may require purchasing and implementing new products to meet requirements. Bringing in consultants to assist will also require additional funding, but an expert can really help your organization meet the requirements in a timelier fashion. If management has made a commitment to provide funding where necessary, then it is far more likely to lead to successfully attaining NIST 800-171 compliance.

There are, however, different avenues to receive funding. For our local Maryland organizations, the Maryland Defense Cybersecurity Assistance Program (DCAP) provides funding and assistance for defense contractors to comply with the DFARS and NIST 800-171 standards for cybersecurity. The program provides funding and resources to comply with the cybersecurity standard and is funded by the Department of Defense’s Office of Economic Adjustment (OEA) through the Maryland Department of Commerce.

If you are a Maryland company, funding through this program is limited – learn more about how we can help you get funding or reach out to us today!

5. Do you have technical and management staff to dedicate based on your goal date for completion?

Assigning employees to projects and tasks is critical to tackling NIST 800-171 compliance. This will require help from management regarding projects, tasks, and owners so that progress can be made efficiently.

6. Do you have mature policies and procedures?

NIST/CMMC covers both administrative and technical aspects, which require defined expectations. Do not be fooled into thinking that NIST 800-171 is an IT-only compliance effort. For example, malware protection mechanisms are a technical implementation that will satisfy a control; however, policies and procedures dictate how the organization implements malware protection mechanisms and help prove that this is consistently applied and part of standard operating procedures.

7. Is management ready to conduct a Risk Assessment?

Risk assessments play a significant role not only in satisfying the risk assessment domain controls, but also in implementing security controls where they are needed. Has your organization conducted a risk assessment? Planning to? Does it make sense to bring in a third-party consultant to assist?


Key Consideration #2 - Understand the importance of document hierarchy.

Documentation hierarchy is important to dictate the expectations of management and ensure consistency of employee actions. It states why something needs to be accomplished and to what degree, while providing specific instructions on how to accomplish it. Assessors will be looking to determine that organizations satisfy NIST 800-171 controls and that, regardless of employee rotation or turnover, implementations and actions consistently meet the expectations set forth in policies.

Policies -> Standards -> Procedures -> Guidelines

• Policies – A set of expectations with general management statements. They answer the question, “why do I need to do this?”
• Standard – Provides specific, mandatory controls. Answers the question, “what is required?”
• Procedure – Step-by-step instructions on how something should be accomplished. Answers the question, “how do I do it?”
• Guideline – Supplies additional recommended guidance (recommendations/best practices).

Documentation Hierarchy

What is the difference between policies and procedures?

Policies and procedures make up the backbone of the expectations set forth by management and what should be accomplished at a high level. Policies are a set of rules and expectations for an organization that personnel are expected to follow to achieve a set of goals. Procedures back up these policies by dictating how certain processes should be accomplished.

How do you determine which controls require documentation and which ones require technical controls?

Many requirements will need both a technical solution and documentation, which should include policies and procedures. For most technical solutions, policies/procedures will still be required to prove that the company is satisfying the requirements of NIST 800-171. Evidence is an important aspect of proving compliance, and documentation makes up a large part of showing that your organization has cybersecurity maturity. CMMC (Cybersecurity Maturity Model Certification) Level 3 will require that companies have been satisfying these requirements and that doing so is part of the company culture and standard operations. As you read through and understand the requirements, it is important to decide whether it makes sense for your organization to implement just an administrative control via documentation (i.e., policies and procedures that dictate how certain functions should be compliant) or to implement a technical control through technology.

What is the best way to approach documentation in a way that is right for your organization?

Addressing documentation starts with having realistic expectations about what your organization can accomplish. To do this, evaluate what current policies/procedures you have and where to add additional language to satisfy the controls, or create new documents. Then, you can acknowledge your core requirements and establish how best to write expectations and processes that fit with the company culture and structure. This may require employees taking on new responsibilities and implementing new procedures that have not previously been done.


Key Consideration #3 - Leveraging technology to satisfy controls.

Most of NIST/CMMC can be satisfied by non-technical, administrative means, but that does not mean it is a good approach for your organization; therefore, to implement in the best way possible, understand which controls need technical solutions and which ones need both technical and non-technical implementations.

Which technologies/solutions check off the most controls?

Before looking into new tools, maximize the tools/apps you currently have. Take stock of what tools, systems, and applications are already deployed within the environment that could be configured to satisfy NIST 800-171 controls. If you have already paid for something that just needs to be configured, this will reduce costs and allow for better investment in other needed technologies. Then, after assessing your current environment, purchase new ones where they are needed. It is also cost saving to look for a provider that can maximize your investment by providing tools as part of a package.

Common Technologies:

• SIEM/SOC – The most logical technical solution to satisfy many of the NIST 800-171 controls is to implement a SIEM (Security Information and Event Management) solution. It is easy to assume that this is something that can be done internally by an IT department. However, the depth of skill, cost to implement, and level of resources required to do this successfully are unrealistic for most organizations. SIEM systems are expensive, require countless hours of tuning, and need specially trained analysts who command large salaries. The better option is to offload this to a 3rd-party SOC (Security Operations Center) provider that will be able to provide a valuable service for a fraction of the cost.
• Active Directory – There are numerous controls that can be satisfied just by configuring different policies within Microsoft Active Directory Group Policy. The time and effort to implement these policies goes a long way and requires little up-front cost; but be aware that documentation of policies, procedures, standards, and guidelines will still be necessary to show the maturity of the organization.

Know where your data is, who is handling it, and how it is being processed – understanding the scope of your SSP (System Security Plan).

• Where is your data? SaaS (Software as a Service), IaaS (Infrastructure as a Service), and other cloud infrastructure services give organizations great flexibility in storing data outside the physical office, which presents additional challenges regarding NIST 800-171 compliance and implementing the appropriate controls. Having a solid understanding of where data is stored, transferred, and processed within cloud services is key to ensuring the right systems and services are within the scope of controls.
• Who is handling your data? Which employees, departments, contractors, etc. will have access to sensitive CUI data? Has your organization thoughtfully prepared appropriate access controls for that data?
• How is your data being processed? Where does your data flow? Creating a data flow diagram with the owners of that data can paint a clearer picture of your data’s path through the organization. With a clear picture, it becomes more obvious what may be in scope and where to apply the appropriate controls.
• Understanding the scope of your System Security Plan – Which aspects of your system are in scope and which are not? This determines the extent to which NIST 800-171 controls need to be implemented. Depending on the size of your organization and network, it may be more effective to simply consider the entire LAN (local area network) to be in scope. Additionally, if your organization uses cloud services through which CUI data is transported, stored, or processed, those cloud services are in scope.

Challenges will be presented in the domains of Access Control, Audit and Accountability, System and Communications Protection, and Configuration Management. Understanding these challenges and how to overcome them will be the key to success in ensuring your organization is NIST 800-171 compliant and prepared for CMMC accreditation.

At Braxton-Grant, we are here to identify and resolve hidden gaps in your network. If you are ready to take the next step in becoming NIST 800-171 compliant, reach out to us and let us be your trusted advisor.

Braxton-Grant’s 3-Step Cyber Assessment

Braxton-Grant is a cybersecurity consulting organization with NIST 800-171 Subject Matter Experts and CMMC Registered Practitioners to assist in pre-assessments for organizations with DoD contracts.

We have developed a low-cost solution to help companies get compliant quickly and stay compliant without disrupting your budget.

For more information about how this three-step process would work for your company, please call for a free consultation or contact us to schedule a meeting.

Gap Analysis

Our gap analysis includes NIST 800-171 and CMMC Level 3. We look at your existing information systems and security measures; then, we identify gaps in your CUI and cybersecurity protections that could lead to a data breach in the future or a failure to come into compliance.

Remediation

Our consultant creates and implements a plan that remediates these deficiencies and addresses other security issues in your information systems.

Active Monitoring

We keep a close eye on your systems to detect intrusions as early as possible. If you can stop an attacker before they reach any systems that store CUI, then you can limit the chances that they gain access to sensitive data.

What is Web Isolation?

Moving to the Cloud: The SASE Puzzle Part 1

Web Isolation, also known as browser isolation, refers to a technology that keeps web browsing activity inside an isolated environment to protect against malware. Cloud access and use of the internet are non-negotiable for employees to do their jobs to the best of their ability. There are ever-present threats throughout the internet, and these potential threats can have a great impact on your organization; however, blocking and/or restricting web access may not be the most effective way to protect your environment. While you cannot possibly block or restrict every site, implementing web isolation is a viable solution to prevent threats from the web.

How it Works

Through web isolation, web traffic is executed in an isolated virtual environment, either locally on the workstation itself or on a remote server; that server can be on-premise or in a cloud-based environment. The user’s endpoint then connects to each browser session running within a container. Web isolation can also apply controls such as read-only mode for suspicious sites, which is a way to protect against phishing.

Web Isolation

Web Isolation or Remote Web Isolation?

Remote web isolation is simply web isolation that occurs remotely: it moves browsing activity from the user’s computer to a remote server. This remote server can be hosted in the cloud or located on-premise within an organization’s network.

Why is Web Isolation Important?

This security allows users to browse to any website, even a malicious site, without the risk of being infected. If any malicious objects were executed, they would be executed in the isolated virtual environment and not on the user’s actual workstation, keeping them safe from the attack. A new, clean virtual environment can be created every time the user opens a new session, and then destroyed (along with any malicious objects) once the connection is closed.

Overall, web isolation enables safe access to risky web content while protecting sensitive data. In this way, your organization can have more open internet policies.

Connecting Web Isolation to SASE and Cloud-based Security

As a part of the SASE puzzle, web isolation provides secure end-user web browsing. The goal of SASE is to secure an organization’s environment no matter where its workforce is; therefore, whether your employees are completely on-premise or remote, web isolation has the flexibility to protect internet browsers wherever, whenever.

Additionally, Zero Trust requires all users to be authorized and continuously validated before accessing corporate applications and data, and web isolation is one way to put this into practice. Implementing Zero Trust is all about verifying and re-verifying the end user, which is the core of web isolation.

How can Braxton-Grant help?

At Braxton-Grant, we are experts at evaluating your current environment and looking for solutions to close your security gap. We are here to be a trusted advisor for your cybersecurity needs, and have engineers from the field with years of experience and a toolkit of lessons learned. Having a partner experienced in common challenges goes a long way in terms of solution evaluation and deployment.


If you are looking to implement web isolation for your organization, reach out to Braxton-Grant today to learn how we become an extension of your team, work toward your goals, and be a trusted resource with deep experience that you can leverage.

Ask an Expert: What is SASE?

A Q&A with one of our Cybersecurity Professionals

SASE has been a word tossed around in the cybersecurity world since Gartner coined it in 2019, but what does it actually mean for your organization’s security? Sit down with Aileen, one of our engineers from the field, as she breaks down frequent questions and matter-of-fact solutions.

The Basics – What is SASE?

Q: In your own words, what is SASE?

A: SASE stands for Secure Access Service Edge, but another way I like to think of it is Secured Accessible Service Everywhere. You need to provide business access to your organization (via tools, applications, Cloud apps, etc.), and you need it to be accessible regardless of user location. We all know risking security requirements is not an option. So, I look at SASE as individual checkpoints that are constantly evaluating the risk, timing, user, user location, user device, and authorization while still providing the reliability of applications, protection, and data as a service to users who rely on that information.

Visualize it: See our SASE Graphic

Q: Why is SASE such a big trend right now?

A: SASE has been a coined phrase for a while. There has been a slow migration with the growing adoption of Cloud SaaS apps, such as Office 365 or Google G Suite. This was accelerated, or also complicated, by the global surge to remote work fueled by a variety of influences, beyond simply health concerns. Businesses are now reducing brick and mortar, and employees can be anywhere while still being functionally present. Traditional boundary network devices were not designed to support the combination of remote users, local users, and cloud SaaS requirements on a large scale. This new paradigm of users becoming decentralized while at home causes performance issues when attempting to route all user traffic back through the home office. Covid has demonstrated to businesses that some jobs can be done remotely, which saves costs on office space and on-premise technology. This will not be a process we see reverted. Cloud resources can scale with growing businesses at a cost that is more affordable than if the business themselves had to scale on-premise.

Q: There are numerous solutions embedded in the overall SASE solution – what is the importance of ensuring you have all pieces implemented?

A: You have to remember that SASE is like a guide and many vendors implement it differently. The importance is found within completeness of the selected installed vendor solutions and ensuring it meets the use case requirements that you outlined. Rushing to implement quickly introduces opportunity for risk, as most time-sensitive projects may forgo traditional execution processes. Yet, allowing your business to execute a plan of action (build, design, configuration, and installation) provides the checks and balances necessary to execute the full SASE solution where less will be overlooked.

Q: How has the movement of a remote workforce impacted the need for SASE?

A: A remote workforce originally consisted of employees who had corporate assets and may have used a VPN (Virtual Private Network) to access corporate resources when not in the office. Now, remote workers could be on a variety of devices that may not be corporately managed. If businesses adopt SASE and ZTNA (Zero Trust Network Access), they are likely to permit a larger amount of personal device access by employees, which in turn amplifies the need for effective SASE control and protection. If more employees work remotely, then threat actors will begin to target employees directly since they are more vulnerable at home versus sitting in company headquarters.

Q: How has the movement of IoT (Internet of Things) devices impacted the need for SASE?

A: I heard a valid statement in a recent online seminar I attended: no matter the type of IoT device, it still has a running OS (operating system), even if the OS is not directly exposed to tweak or modify. As often as new devices are created, there are many more that are left behind and their OS is no longer protected by that vendor. Whether or not support is provided, the product functionality remains, as does the risk. These devices provide opportunity for those who wish to take advantage of the weaker security controls inherently available from IoT vendors.

                Getting Started – Implementing SASE

                Q: When an organization comes to you with a need to implement SASE, what is the first step you take?

                A: I look at the first step as threefold: where the customer is today, where they want to be in the future, and what requirements they are identifying that need to be metThese drive a holistic view of assessment to address the full delivery of the solution desired by that customer.

                Q: What is one piece of advice you would give someone before starting the process of adopting SASE?

                A: The key here is having a project sponsor – you may have identified a need for a product to address areas that are not met today, but without key sponsorship from your organization or business, you do not have internal support or budget to execute the vision. 

                Q: What is the most important thing to keep in mind before starting this process? 

                A: Become familiar with what you know about your current environment and be willing to identify what you do not know about your environmentIf there are unknowns, a partner like Braxton-Grant can assist in exploring those unknowns so a successful deployment is not sidelined by the lack of risk avoidance discussions. Talk about the elephant in the room before it derails your project initiatives. 

                Q: What is the advantage of partnering with an engineer (such as yourself) while implementing this solution? 

                A: I believe the benefit of a partner organization like Braxton-Grant rewards customers with a plethora of information gained from years of lessons learned, not only from ourselves but our work with other customers. We help steer customers clear of solutions that may not meet need or point them to vendor products that are a better fit to exceed their original expectations. Reading documentation is not a substitute for real-world implementation scenarios that could occur, but having a partner experienced in those challenges goes a long way towards a smoother execution of deployment.

                On your way? Keep this in mind when looking for key remaining elements… 

                Q: What should you look out for in the process of implementing SASE?

                A: Resist getting sidelined by flashy add-ons; make sure the product you selected meets your requirements and refrain from being in a rush to turn on extra features without understanding the impact. Simple does not always mean less security, but it does mean less chance to activate a setting or feature that may have understated impacts to your business. Additionally, best-of-breed does not always mean simple to install, and not all best-of-breed offerings integrate well with other vendor products. The overlooked items are one of the things I like to consider a specialty area for myself and my fellow engineers. People underestimate multi-vendor complexity and easily miss opportunities for integration or functionality gaps that are not transparently presented. We wholeheartedly continue to train as engineers in multi-vendor products so we can have various methods to solve a unique problem.

                Ok, you have implemented SASE. What comes next? 

                Q: After implementing, what is the next step?

                A: After implementing SASE, evaluate your environment. Is it executing the way you expected? Is it doing everything the vendors indicated it would? Do you find yourself looking for simpler ways to troubleshoot? In a way, calling it buyers’ remorse may be appropriate, but the product you bought, installed, and configured may not be working as it was sold to do, and you still need to find the appropriate product to do the job successfully. On the other hand, you may be pleased with your current deployment and want to get upcoming knowledge on the latest emerging. There may be a new requirement on the horizon that you did not have before, so you need to start scoping out what solution will be a good fit and budget accordingly knowing the product you need.

                Implementing SASE correctly secures your workforce, no matter where they are. Choosing to partner with Braxton-Grant means we can become an extension of your team, work toward your goals, and be a trusted resource with deep experience that you can leverage.  

                Bring-Your-Own-Device (BYOD) Best Practices and Tips


                What is a Bring-Your-Own-Device Policy?

                A Bring-Your-Own-Device (BYOD) policy establishes security rules for employee-owned devices that are used for company tasks. Whether cell phones, personal laptops, or tablets, all these devices interact with your network. BYOD offers many advantages for an organization, such as cost-effectiveness and ease of information access; however, outside devices can also present security threats.

                What are the Data Risks of BYOD?

                Security risks of BYOD can take several forms, such as:

                  1. Lost or stolen devices, or unauthorized access to devices.
                  2. Attacks through malware, phishing, and scams.
                  3. Lack of security compliance for employee devices that are accessing the company’s network.

                Best BYOD Practices

                  1. Have employees report a lost or stolen device immediately. This will allow remote locking and erasing of data that may be compromised.
                  2. Educate, educate, educate! Promote safe device usage through up-to-date employee trainings on subjects such as phishing and mobile device security. If you do not know where to start, take a look at your company as a whole and identify the weakest points in your current system. Are there gaps in security when it comes to password protection of employee-owned devices? Identify these weak points when it comes to BYOD and create training around that.
                  3. Implement a device exit strategy. If you have an employee leaving the company or they are replacing a current device, your organization should have a strategy for devices leaving the organization, so they do not take any confidential information with them.
                  4. Have a written BYOD policy, which includes requirements and security policies regarding personal devices at work. It forces you as an organization to think some policies through before allowing employees to use their own devices. A written policy should reflect your unique organization, but make sure to include:
                      • Acceptable use policies for devices connected to the company network – what should and should not be tolerated when connected to the company network or when using a personal device for work purposes.
                      • Acceptable types of devices and support. This could include cell phones, laptops, tablets, or other devices depending on what is best for your organization.
                      • Security requirements for employee-owned devices. Make sure to include that devices must be password-protected!
                      • Risks, liabilities, and disclaimers for utilizing personal devices for company projects.
                      • A signed agreement from your employee.

                BYOD… One Piece to the SASE Puzzle

                Protecting employee-owned devices is one piece of adopting “Secure Access Service Edge,” otherwise known as SASE.

                SASE is a term coined by Gartner in 2019 and is an emerging security and network framework. In today’s environment, more users, devices, and data (BYOD among them) sit outside the network perimeter than inside it. What is the solution for protecting everything outside that perimeter? Cloud-based security.

                Learn more about SASE and cloud-based security.

                Securing your BYOD Environment

                The way you do business is unique to you, and your security posture should reflect that. No matter where you are in the world or whether you have employees on-premises, hybrid, or remote, we work with a variety of partners so we can apply the best products and solutions for you.

                Reach out to us today to learn how Braxton-Grant can find the best solution for your organization.