Secure by design refers to a security architecture and approach in which security outcomes are a primary consideration and foundation of a given system.
For instance, modern mobile operating systems are secure by design in the way their apps are allowed to run only in a deliberately constrained and controlled sandbox environment, insulated from the OS and from other apps.
Secure by Design versus Secure by Configuration
Most of Enterprise IT today is not Secure by Design; it is Secure by Configuration. This is particularly true in Windows-based environments where extensive legacy technology and a diverse range of vendors must interoperate with each other. Keeping those systems and their virtually infinite possible combinations of hardware, software, and peripherals secure requires extensive configuration and maintenance to close known security gaps, as well as those that inevitably emerge as tooling, software versions, and requirements change.
Apple, on the other hand, provides a tightly controlled and vertically integrated technology stack that is inherently Secure by Design. Through a much more finite combination of hardware, software, and peripherals – and with strict interoperability standards for third-party products – security outcomes are baked into the design, development, and maintenance of their products.
Secure by Design in Enterprise
While Secure by Design architectures provide some capabilities in a closed, immutable manner (such as the app sandboxing example above), a device cannot be so closed off that it cannot be integrated into other systems. For that, well-defined and secure by design APIs are provided for third parties to adopt, providing functionality that is compatible with the manufacturer’s secure by design architecture.
Apple provides an extensive collection of APIs and frameworks that cover the main IT functional areas required for an endpoint to be supported and secure in an enterprise environment:
Device Management - Enrolling endpoint assets into a system where policies may be enforced, apps deployed, and lifecycle managed.
Identity - Providing high-assurance and often cryptographic evidence of both user and device identities when connecting to enterprise systems.
Connectivity - Providing the endpoint with capabilities to allow for ubiquitous and secure communications with public and private resources.
Security - Frameworks that enable security practitioners to audit and respond to user and system behavior that may be indicative of malicious activity, as well as providing tooling for developers to build secure apps atop their OS.
Apps - A secure runtime environment for third-party applications, as well as distribution and attestation services.
Secure by Design and Jamf
While originally focused on endpoint management, Jamf’s platform has expanded its remit to support more complete endpoint security and management outcomes by integrating many of the Secure by Design APIs and Frameworks Apple now offers in their newest operating systems.
By combining the management, identity, connectivity, and security APIs and focusing its development on them, Jamf is able to ensure Apple devices operate smoothly and securely in the enterprise.
For instance, a blended Secure by Design implementation offered by Jamf is our Network Relay service, which includes:
A secure traffic routing cloud service that leverages Apple’s built-in Network Relay framework (Connectivity)
That is authenticated with high-assurance using ACME Device Attestation (Identity)
With device health and compliance verified through analysis of the Endpoint Security API (Security)
Deployed zero-touch via MDM and DDM (Management)
Secure by Design and the Zero Trust Ecosystem
Jamf provides these capabilities to give customers best-on-Apple Secure by Design options when designing a Zero Trust architecture in their environment.
Most organizations – especially enterprises – will leverage cross-platform tooling that tends to be Secure by Configuration in its nature. While this tooling provides broad coverage and visibility across an organization’s entire fleet of endpoints, those solutions leave gaps on Apple endpoints because they are not built with Secure by Design principles.
Jamf fills those gaps, and through integrations with leading IT and cybersecurity vendors, Jamf is able to augment and improve the efficacy and functionality of those tools.
Combined, these capabilities allow Jamf to provide comprehensive Secure by Design outcomes that are well aligned with Apple’s design principles, while complementing tooling that is designed to cover challenges that are more cross-functional in nature.