A Higher Maturity Level for Your Zero Trust Strategy
Zero Trust Maturity Evolution with deviceTRUST

All hell is breaking loose outside. Almost daily, authorities, companies, and institutions report having been targeted by a cyberattack, sometimes with drastic consequences for business operations.

External regulations and standards, such as DORA, ISO/IEC 27001, TISAX®, HIPAA, or IT-Grundschutz, as well as internal company requirements for IT security, try to keep this threat in check and aim to create more secure digital workspaces.


Zero Trust as the New Security Paradigm

For some time now, the concept of Zero Trust has served as an umbrella over these IT security requirements.

Introduced by cyber security expert John Kindervag in 2010, the term "zero trust" currently encompasses a "collection of concepts designed to minimize uncertainty in enforcing accurate, least privilege per-request decisions […] in information systems and services."(1)

It is all about adhering to the premise "Never Trust, Always Verify": Unlike legacy perimeter-based security, "Zero Trust assumes that the system will be breached and designs security as if there is no perimeter."(2)

"Zero Trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This is a complete departure from the old model, where implicit trust was the norm and networks were protected by firewalls, VPNs and web gateways."(3)


Zero Trust Maturity Model (ZTMM)

In August 2021, the American Cybersecurity and Infrastructure Security Agency (CISA) published its Zero Trust Maturity Model as a guide to the step-by-step implementation of a Zero Trust Architecture (ZTA). Its second version was published in April 2023 and is intended as "one of many paths to support the transition to zero trust."(4)

"The ZTMM represents a gradient of implementation across five distinct pillars, in which minor advancements can be made over time toward optimization. The pillars include Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar includes general details regarding the following cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance."(5)


The Path to more Zero Trust with deviceTRUST

With its continuous validation and control process, deviceTRUST makes an important contribution to the implementation of a Zero Trust strategy in the following areas: identity & devices, applications & workloads, as well as cross-cutting capabilities (visibility & analytics, automation & orchestration, and governance). Thus, deviceTRUST helps to achieve a higher level of maturity concerning Zero Trust.


Context as a Factor

deviceTRUST’s context properties are at the heart of it all. By determining and providing this technical metadata, deviceTRUST extends conventional MFA methods with a digital fingerprint of the device and its environment that can be used for access control. In this way, a security layer that is invisible to the user ensures that access is only granted if the context meets the relevant security and compliance requirements.

Two points in particular are worth mentioning in this regard:

On the one hand, the wealth of information that deviceTRUST can determine and use. deviceTRUST itself offers a variety of context properties and is also able to integrate external information into the product via APIs. A "compliance check" can thus be tailored to individual requirements, and the more independent properties it combines, the harder it becomes for an attacker to satisfy it by spoofing a single one.

On the other hand, the fact that deviceTRUST determines all context information throughout the session runtime, and not only during a login or reconnection process. Thus, the continuous validation and control of deviceTRUST fulfills the Zero Trust premise "Never Trust, Always Verify" in an exemplary manner.


Conditional Workspace Access & Conditional Application Access

Using this digital, contextual-based fingerprint of devices and users, access to digital workspaces, applications, and resources can be made more secure.

According to the ZTMM classification, deviceTRUST allows customers to reach the "Advanced" stage on their Zero Trust journey, which "[…] automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles."(6)

Instead of merely informing employees that they are not allowed to use a certain application because the context does not comply with the regulatory requirements, deviceTRUST can be used to technically prevent the employee from using the application, for example, when a user changes their Wi-Fi connection in the middle of a session.
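To make the difference between a login-time check and continuous validation concrete, here is a small policy engine as an added example. It is illustrative code written for this article and is not deviceTRUST code or its API; the context property names (such as `network.ssid`), the rule format, the corporate SSIDs and the sample session are all constructed assumptions. It evaluates one application policy against a sequence of context snapshots and shows that only the continuous model revokes access when the user roams onto a foreign Wi-Fi mid-session, and that a missing property fails closed.

```python
"""Toy continuous-evaluation policy engine (added example, not deviceTRUST code).

Property names, rule format and sample values are assumptions made for this
illustration; they do not correspond to any real product API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Context = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """One condition a context must satisfy for an application to be usable."""
    name: str
    check: Callable[[Context], bool]


@dataclass
class AppPolicy:
    app: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, ctx: Context) -> Tuple[bool, List[str]]:
        """Return (allowed, names of failed rules).

        A property that is missing or has an unexpected type counts as a
        failed rule, so the decision fails closed rather than open.
        """
        failed = []
        for rule in self.rules:
            try:
                ok = bool(rule.check(ctx))
            except (KeyError, TypeError):
                ok = False
            if not ok:
                failed.append(rule.name)
        return (not failed, failed)


# Constructed policy: a finance application may only be used from a wired
# connection or a corporate SSID, on an encrypted disk, from allowed countries.
CORPORATE_SSIDS = {"corp-wlan", "corp-wlan-5g"}
ALLOWED_COUNTRIES = {"DE", "AT", "CH"}
FINANCE_POLICY = AppPolicy("finance-erp", [
    Rule("corporate_network",
         lambda c: c["network.type"] == "wired" or c["network.ssid"] in CORPORATE_SSIDS),
    Rule("disk_encrypted", lambda c: c["device.disk_encrypted"] is True),
    Rule("country_allowed", lambda c: c["location.country"] in ALLOWED_COUNTRIES),
])

Event = Tuple[str, Context]           # (event name, context snapshot at that moment)
Decision = Tuple[str, bool, List[str]]  # (event name, allowed, failed rules)


def login_only(policy: AppPolicy, events: List[Event]) -> List[Decision]:
    """Legacy model: decide once at logon and keep that decision for the session."""
    allowed, failed = policy.evaluate(events[0][1])
    return [(name, allowed, failed) for name, _ in events]


def continuous(policy: AppPolicy, events: List[Event]) -> List[Decision]:
    """Never trust, always verify: re-evaluate on every context change."""
    return [(name,) + policy.evaluate(ctx) for name, ctx in events]


def sample_session() -> List[Event]:
    """Constructed session: logon in the office, roam to a hotspot, return to corp Wi-Fi."""
    base: Context = {"network.type": "wifi", "network.ssid": "corp-wlan",
                     "device.disk_encrypted": True, "location.country": "DE"}
    return [
        ("logon", dict(base)),
        ("wifi_changed", {**base, "network.ssid": "CoffeeHouse-Free"}),
        ("wifi_changed", {**base, "network.ssid": "corp-wlan-5g"}),
    ]


if __name__ == "__main__":
    for label, fn in (("login-only", login_only), ("continuous", continuous)):
        print(label)
        for name, allowed, failed in fn(FINANCE_POLICY, sample_session()):
            print(f"  {name:13} allowed={allowed!s:5} failed={failed}")
```

With the login-only model the hotspot change goes unnoticed and `finance-erp` stays usable for the rest of the session; the continuous model denies it at the second event with `corporate_network` as the failed rule and re-allows it once the device is back on a corporate SSID. Real deployments would also want an expiry on each decision, so that a stalled event stream cannot keep a stale "allow" alive.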

It should be emphasized at this point that deviceTRUST does not bring any unnecessary complexity into the equation but uses technologies for access control that are already in use by the customer.


Conditional Configuration & Cross-Cutting Capabilities

The architecture of deviceTRUST’s software allows data to be imported into the product via APIs, as well as the sending of the context properties to external systems.

With this ability to deliver data to existing logging environments, deviceTRUST supports you in the area of "Visibility and Analytics" in reaching the "Optimal" stage of Zero Trust maturity, which "[…] maintains comprehensive visibility enterprise-wide via centralized dynamic monitoring and advanced analysis of logs and events."(7)

In the "Automation and Orchestration" area, deviceTRUST also helps companies reach the "Advanced" stage, which "[…] automates orchestration and response activities enterprise-wide, leveraging contextual information from multiple sources to inform decisions."(8)

In the "Governance" area, the achievable maturity corresponds to the Advanced or Optimal stage:

  • Advanced: "[…] implements tiered, tailored policies enterprisewide and leverages automation where possible to support enforcement. Access policy decisions incorporate contextual information from multiple sources."
  • Optimal: "[…] implements and fully automates enterprise-wide policies that enable tailored local controls with continuous enforcement and dynamic updates."(9)


Zero Trust also for Legacy Systems

As legacy authentication protocols, tools, applications, and other resources are often difficult to integrate into a Zero Trust architecture, there is a push to accelerate the replacement of legacy systems.(10)

However, this movement fails to recognize that not all companies and institutions are allowed or want to obtain all their applications and resources from the cloud. In other words: legacy systems will continue to exist in certain industries or in certain scenarios. Examples of this are locally installed Win32 applications or custom-programmed software that cannot be easily consumed from the cloud.

deviceTRUST’s "Contextual Security" follows the customer’s requirements and is suitable for local, remote, and SaaS scenarios. Companies and institutions that choose a hybrid approach can also apply Zero Trust principles to their non-cloud-based services thanks to deviceTRUST.


Define your Requirements – deviceTRUST does the Rest

The pivotal point of a Zero Trust strategy is the question of whether there are internal or external requirements whose compliance helps increase security.

If you can put your reality into words and know what you want, deviceTRUST can help you get to the top of your Zero Trust journey.

The following link will take you to some success stories of companies that have successfully used deviceTRUST to achieve a higher Zero Trust maturity level: https://devicetrust.com/success-stories/


Sources:

1) https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.20.pdf, page 1.

2) https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify

3) https://securityintelligence.com/articles/zero-trust-model-tool/

4) https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf, page 7.

5) https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf, page 6.

6) https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf, page 23.

7) https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf, page 29.

8) https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf, page 29.

9) https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf, page 29.

10) https://securityintelligence.com/articles/zero-trust-model-tool/
