5 Principles to Achieve Zero Trust for the Workforce - Establish Device Trust (Part 3)
Editor’s note: The journey to zero trust is a multi-step process that encompasses three key areas: the workforce, the workload and the workplace. Week one we explored the history of zero trust and how to establish user trust. Week two we explored the history of endpoint security and gaining visibility into devices. Today we will explore the third principle in this five-part blog series — how establish device trust.
Zero trust is not a single product, rather it is a security framework based on the model of “trust no one.” User trust is not granted until the user can be authenticated and authorized first through multi-factor authentication. The history of the zero-trust journey coincides with the mass adoption rate of mobile devices (endpoints) and devices connected to the internet (screens, IoT, APIs, application and services) that have access to the corporate network. As we learned in the last post, the zero-trust philosophy was born from the need to think past the firewall and expand the perimeter to anywhere, to ensure protection from stolen or lost credentials, and to protect access to all applications, for any user and device across the network. Establishing device trust is the third principle to adopting a zero trust security posture for the workforce.
What Is a Zero-Day Exploit?
A zero day exploit is defined as software, firmware or a hardware flaw from the software manufacturer that is either known or unknown to them and that has not been patched. Hackers can manipulate this hole and cause harm until the patch is not only released, but applied by users by updating their versions of the compromised software. And plenty of users do not update software right away, if at all. A zero day exploit covers a lot of ground. And it is just damaging. If you are CISO or CSO or an executive at a company, the idea of a zero day attack is pretty stressful, yet, worthy of concern because it is not good and it can cost billions in damages and reputation. But no need to worry, we made an multi-factor authentication app (MFA) for that.
What Have We Learned About Technology and Security So Far?
If there is one consistent theme throughout the history of endpoint security and the history of zero trust (see previous blog posts) it is that the most damaging computer breaches often start with stolen credentials and/or outdated software.
Today software is often a patchwork quilt of proprietary code, open source code and third-party vendors. All of this has equal parts good stuff and bad stuff. Third-party vendors are often brought in as pieces to the overall strategy puzzle as contractors, consultants and more. They speed up the time it takes to release software (ship it) or add value and features. These are not employees, yet have access to key technology and the opportunity to leave backdoors open in code, whether for malicious reasons or not. Backdoors and shipped products with known software flaws is pretty common. The goal is to ship the best first version as fast as possible while working out the bugs in real time. The bugs can be vulnerable to hacking.
Then there are the open source code libraries (like GitHub). On one hand, open source code leads to innovation in tech and progress through shared resources. It is a democratic approach to improving an idea by letting others use it and work on it. On the other hand, the code is super accessible, flaws and all. The epic Equifax breach was blamed on a security code hole in the open source code software Apache Struts Model-View-Controller (MVC) framework for Java.
The third principle of zero trust architecture is to establish device trust. This is a game-changer and a blocker for zero day exploits.
STEP 3 — ESTABLISH DEVICE TRUST
Establishing device trust is crucial to securing the workforce because once the user trust has been established in step one, and the visibility into devices accessing the environment in step two, establishing device trust is the third step to a multi-layered security posture that continuously monitors adaptive risk and trust assessment by checking the security health of all user devices attempting to access your applications.
Not only does establishing device trust include inspecting, logging and tracking devices but also controlling access based on mobile and BYOD (personally owned) devices. In other words, you can deny access to your environments by requiring devices to keep their software up to date. Ensuring that same software that has holes in it, gets updated patched right away.
Cisco Defines Zero Trust As
Workforce: Verify user identity and device hygiene before granting access to your cloud and on-premises apps.
Workplace: Verify compliant device profiles before granting software- defined access to your segmented network.
Workload: Verify app behaviors to implement micro-segmentation across on-premises data center and multi-cloud infrastructure.
Duo offers the first line of defense to securing credentials and enforcing software updates, thus establishing device trust and the third principle to achieving a zero-trust framework.
Ciso calls it establishing excessive trust. No user or device is automatically trusted inside or outside the perimeter. Now trust must be controlled by microsegmentation when everything is being targeted.
HOW DO I ESTABLISH DEVICE TRUST?
Ask yourself a few quick questions.
- Can you enforce endpoint controls for risky devices or corporate-owned devices?
- How are you establishing mobile device trust?
- Are you able to automatically notify users of out-of-date software to reduce your help desk tickets?
- Can you enforce access policies based on the application risk or whether the device is corporate or personally-owned
- And can you do this without requiring endpoint certificates?
- Does your solution enable your users to manage their own devices?
Enforce Endpoint Controls
By leveraging the visibility of devices connecting to your applications (as discussed previously), you should be able to establish device-based access policies to prevent any risky or untrusted devices from accessing your applications.
Duo’s Unified Endpoint Visibility helps you better understand your user and endpoint inventory and activity. Traditional endpoint visibility solutions are siloed because they were designed exclusively for Windows or Macs or mobile devices. Duo offers a comprehensive solution - you can see, track and report on all end user devices from a single dashboard: managed devices, unmanaged devices, Windows PCs, Macs, iOS devices, Android devices, ChromeBooks and more.
After Duo is deployed, administrators can use Duo’s Unified Endpoint Visibility to view and monitor all devices that access corporate applications on a single dashboard, allowing for more easy tracking and enforcement of security policies when users login to access applications. At the same time, users have the flexibility to use any device they like as long as it meets corporate security policies.
Duo helps you distinguish between unmanaged endpoints and managed endpoints that access your browser-based applications. The Trusted Endpoints policy tracks whether clients accessing the applications have the Duo device certificate present, or can block access to various applications from systems without the Duo certificate.
At a high level, Duo's certificate-based trusted endpoint verification works like this:
Determine Risk‐Based Device Access
For access to high-risk applications, you may require a device to be corporate-owned or managed by your organization’s IT team. High-risk applications may include electronic health record (EHR) systems like Epic that contain patient health information; cloud infrastructure like Microsoft Azure and Google Cloud Platform; and many others.
Identify Corporate vs. Personal Devices
Get a breakdown of corporate-managed and personal devices accessing your applications, and enforce policies based on device type. Duo's Trusted Endpoints lets you issue device certificates that are checked at login for greater insight into and control over your BYOD environment, while limiting access by any personal devices that don’t meet your security requirements.
Duo Security revealed after analyzing one billion user logins to customer work applications - nearly 43 percent came from outside of the corporate office and network.
Support BYOD & Mobile
Get insight into personal and corporate-owned devices, including mobile devices. BYOD devices may not meet security requirements or may be running older software versions prone to vulnerabilities but Duo helps admins and users stay up-to-date at all times.
Require Multi-Factor Authentication for Device Access
By requiring MFA for access to more sensitive applications, you will get a higher level of assurance of your users’ identities. MFA enable push notification, U2F security keys or biometric-based WebAuthn before granting them access to certain applications. MFA also ensures that you are compliant and protects sensitive information and access.
Establish Mobile Device Trust With or Without MDM
Use a solution to establish mobile device trust with or without the use of mobile device management (MDM) software. Users may object to installing MDMs on their personal devices due to privacy concerns, resulting in lower overall adoption and reduced insight into their device security.
Control or Restrict Device Access to Applications
Whether or not you have an MDM solution, you should be able to block devices from accessing your applications based on:
- OS, browser and plugin versions and how long they’ve been out of date
- Status of enabled security features (configured or disabled)
- Full disk encryption
- Mobile device biometrics (Face ID/Touch ID) + Screen lock
- Tampered (jailbroken, rooted or failed Google’s SafetyNet)
Notify Users to Update Risky Devices
Duo multi-factor authentication can detect older software versions, then notify users when their device software is out of date. This can relieve the burden on your help desk support team and prompt users to update the software on their own devices at login.
A self-service portal also allows them to easily manage their own authentication devices without submitting a help desk ticket. Now you can enforce controls and policies to keep risky endpoints from accessing your applications.
Get Detailed Device Logs & Reports
Duo enforces compliance by offering device visibility and detailed reports on user behavior and risky devices – all in one dashboard while integrating with existing security information and event management (SIEM) software. Many compliance regulations and auditors require user activity and device security logs and reports. And it integrates nicely with any existing SIEM (security information and event management) software
“Zero trust demands that security teams retain visibility and control across their entire digital business ecosystem, regardless of location, device, user population or hosting model.”
—Forrester Zero Trust eXtended (ZTX)
At the end of the day, users want to login into their systems quickly with fast access. With Duo you can designate certain devices and networks as trusted and let your users log in without going through the two-factor process each time, giving them faster and more secure access.
Keep Remembered Devices
Duo helps you establish user trust to computers after the initial authentication, and let users log into your applications without completing two-factor authentication each time.
Establish Trusted Networks
Duo helps you establish trusted networks by flagging trusted networks with listed IP addresses or CIDR blocks, so you can develop policies to require strong authentication for certain web-based access to company services.
DUO’S MULTI-FACTOR AUTHENTICATION
Duo provides the foundation for a zero-trust security model by providing user and device trust before granting access to applications – ensuring secure access for any user or device connecting to any application, from anywhere.
Each time a user logs into an application, the trust of their identity and security of their device is checked by Duo, before granting access to only the applications they need. Duo gives you adaptive policies and controls to make access decisions based on user, device and application risk. Paired with deep insights into your users’ devices, Users get a consistent login experience with Duo’s single sign-on that delivers centralized access to both on-premises and cloud applications.
Duo’s Approach to Zero-Trust Security Is Different in Four Ways:
- Speed-to-Security: Duo delivers all the zero-trust building blocks under one solution that is extremely fast and easy to deploy to users. Some clients can be running in a matter of minutes depending on their specific use case.
- Ease of Use: Users can self-enroll as simple as downloading an app from the app store and signing in. Maintenance and policy controls are easy for admins to control and gain clear visibility.
- Integrates With All Applications: Our product is designed to be agnostic and work with legacy systems so no matter what IT and security vendors you use, you can still secure access to all work applications, for all users, from anywhere.
- Lower Total Cost of Ownership (TCO): Because Duo is easy to implement and does not require replacing systems, far fewer resources in time and cost are required to get up and running and begin the journey to a zero-trust security model.
In conclusion, we have covered the first principle to implementing a zero-trust framework; how to establish user trust. Gaining device visibility is the second principle to adopting zero-trust and establishing device trust is the third principle. In next week’s blog we will review the fourth principle to achieving zero trust: how to enforce adaptive policies.
Zero Trust Evaluation Guide: Securing the Modern Workforce
We’ve released a new guide to help you understand the different criteria for a zero-trust security model. Secure your workforce - both users and devices, as they access your applications.Download Guide