Dr Bernard Parsons, CEO Becrypt, considers the drivers behind the growing interest in device as a service (DaaS)
The ‘Device as a Service’ model (DaaS) for consuming end user devices, including their supply, support and life-cycle management, has gained popularity over recent years, delivering on the promise of allowing organisations to focus their precious IT resource on core business activities. DaaS uptake has increased in many sectors in parallel with organisations increasing their general use of cloud-based services. But for some of the more security-focused organisations, incorporating the DaaS model within their risk management processes can be a challenge. Effectively outsourcing the management of end user devices does not of course outsource any regulatory obligations or liabilities an organisation has, whether relating to the privacy of data, or the availability and integrity of essential systems.
Today’s maturity of cloud platform security does at least mean that correctly configured and maintained cloud platforms can not only simplify compliance activities, but more importantly support informed risk management processes. But just as cloud platforms need to be securely configured, monitored and maintained, so do the endpoints that access cloud services, and while DaaS may make endpoint management transparent, any deficiencies on the part of the DaaS provider may result not only in the costly disruption of dependent services, but in potential regulatory failings.
Fortunately, the endpoint security market is also maturing, making it easier for those who wish to do so to configure end user devices in a way that simplifies both compliance and risk management. Recent years have seen a gradual shift from a ‘detect’ mentality towards ‘prevent’ as the basis for robust endpoint security. It is well accepted that traditional anti-virus has long since had its day, and adding the latest Machine Learning to struggling layers of anomaly detection has done little to shift the advantage from the determined attacker, albeit good security monitoring must always be part of the cyber defence toolkit.
Endpoint platforms are increasingly providing greater ability to robustly prevent system compromise, making it easier for DaaS suppliers to provide appropriate assurances of ongoing endpoint device health and controls. Such approaches are nothing new. Any confidence we have in the state of an iPhone, for example, results from the hardware-backed security architecture that Apple has implemented, as opposed to third-party client software.
A recent project funded by NCSC, referred to as CloudClient, demonstrated how robust health measurements could be applied to all software running on endpoint devices such as laptops, with the corresponding health measurements used to control access to online services. Technology developed for CloudClient is now deployed across multiple UK Government departments, and the project’s findings are reflected in the public NCSC guidance on Zero Trust Networks, an approach NCSC recommend if deploying new IT architectures, particularly where significant use of cloud technology is planned. While significant hype surrounds the term ‘Zero Trust’, the core principles of combining user and device identity with validated health measurements to define policy that controls access to services can provide a strong foundation for effective risk management.
With permanently over-stretched IT and security resources, the prospect of consuming a secure DaaS service will remain an attractive strategy for shifting internal resource to core business services. As both cloud and endpoint security continue to mature, it will become easier to find DaaS suppliers using published architectures and controls that demonstrably minimise the risk of cyber incidents occurring, and provide the mechanisms to effectively support regulatory compliance.