Protect your business with Zero Trust security on Android
Zero Trust security is an increasingly important way for organizations to protect their data. As a quick refresher, this method requires device, user and network verification for access to corporate resources — and only the minimum access necessary. In a nutshell, trust is never implicit.
Large enterprises, small businesses and government organizations are all evaluating and implementing Zero Trust. And this investment couldn’t come at a better time. In fact, United States Executive Order 14028 now requires government agencies and their suppliers to set up a Zero Trust architecture. With Android Enterprise, the 94% of organizations currently implementing a Zero Trust architecture can quickly expand it to their mobile devices.
Android’s Zero Trust capabilities
A Zero Trust approach requires analyzing device signals to understand a device’s security posture and the context of the access request. Android provides a wide range of signals that businesses can use to help establish trust. There are currently more than 100 unique device trust signals available across 30 APIs on Android devices.
With a Zero Trust security model, various device and user signals can help a company determine access.
One example is a device PIN code, a solution we demonstrated earlier this year with Okta at our annual partner summit. In the demo, Okta blocked a non-compliant Android device without a device PIN code from accessing an enterprise app, and shared the steps needed to gain access.
A PIN code is just one of many signals Android can share to validate security compliance. Other common signals include:
- OS integrity
- Device make, model, OS version and security patch level
- Second factor of authentication (if, for instance, multiple login attempts were made from different geographic locations)
- URLs classified by Google as known threats
- EMM provider confirmation
Today, through their EMM provider, enterprise customers can delegate direct access to on-device signals to their security providers. And we’re updating the Android Management API so businesses can give their security providers direct access to trust signals from a single place and across different management modes. You can learn more about the existing signals available on our developer portal.
Android’s security foundation
Our investments in Zero Trust build on other methods that keep device and enterprise data secure:
- With Google Play Protect, Android provides always-on protection against malware’s ability to hijack a user’s identity. Signals from Google Play Protect are available to help partners evaluate the trustworthiness of a device.
- This past year, Android used AI models to protect users from 100 billion suspected spam messages, which is critical during the rise of smishing. In fact, last year, a third-party research report concluded that Android devices provide more features for scam and phishing protection than other mobile operating systems. 1
- We recently started rolling out support for passkeys. With passkeys, you don’t need to enter passwords, which limits the ability to steal credentials. Passkeys use public-key cryptography to authenticate a user, which helps validate the end-to-end security and integrity of the connection between a mobile device and the identity provider.
- All these features work in tandem with Android’s extensive device management controls, which allow businesses to tailor devices to their data protection needs and safely work on the go.
If you’re an enterprise identity provider and want to join the early access program for Zero Trust, please reach out to us at android-zero-trust@google.com.
