Rethinking the perimeter firewall approach


Regardless of the makeup of your device fleet, traditional techniques are no longer sufficient as attackers find ever more creative ways to breach the defences of an enterprise. The increasing number of security breaches and cyber attacks brings new focus to the meaning of a Zero Trust posture and how it differs from simply flinging up a firewall around an organisation.

Many organisations have followed a model where trusted resources are safely tucked away behind a firewall – and there are a multitude of firewalls to choose from. Your Mac has one built into the operating system. 

However, this ‘perimeter-based’ security approach is no longer sufficient, and the move to remote or hybrid working has meant traditional models are not merely unfit for purpose; they are simply not working any more.

Firewalls. Are. Not. Enough.

There is an old proverb: ‘trust, but verify’. It probably needs a rework in this day and age; perhaps ‘never trust and always verify’ is more appropriate. As its name suggests, Zero Trust means ensuring your users have only the access they need, rather than simply trusting they do. That access must be secured. And – and this is too often skimped – all activity must be logged and verified.

At first, this might seem burdensome to users, and it would be all too tempting to simply spray an organisation with multi-factor authentication (MFA) to secure the login process and consider that enough. However, merely beefing up identity is quite definitely not enough – there have been well-documented examples of companies at the cutting edge of identity management falling victim to attacks simply by not keeping control of access or auditing activity sufficiently vigorously.

Never trust and always verify.

Also worthy of consideration are the devices in use. The good news is that, with enterprises realising that keeping employees means letting them choose their device, Apple M1-based hardware is making inroads. However, while M1-based devices are inherently more physically secure, administrators must not make dangerous assumptions regarding identity, particularly when granting access to corporate VPNs and other resources.

Unsurprisingly, Apple Enterprise Management companies such as Jamf have leapt on board the Zero Trust train. Jamf also acquired Wandera a year ago in an effort to bolster its Zero Trust story. This type of move is significant because, while Apple prides itself on the security of its platform, the increasing ubiquity and popularity of its devices has meant its ecosystem has come under renewed scrutiny by attackers, making a robust Zero Trust posture all the more important.

As well as controlling access and identity of both devices and users, keeping on top of the threat landscape and constantly scanning one’s environment for threats is key. Ensuring software is kept up to date, at both the application and operating system level, is vital, as is being aware of what is actually running in one’s estate. Again, Apple administrators are well catered for, with companies such as dataJAR and Jamf among others offering a variety of tools to keep devices updated.

Zero Trust is not something that can be simply switched on; for many companies it is a journey that begins with fully understanding where one is and where one needs to be. And it does not need to be an arduous journey; everything from provisioning of devices to sunsetting accounts can be automated. The key is facing up to the facts – firewalls represent the old way of thinking. The world is now a very different place and embracing a Zero Trust approach must be the standard, not the exception.
