Letting The Right One In: A Preamble to Device Trust

"I’m sorry, do I know you?" A typical query that people may ask when confronted by an unknown person who walks up abruptly and starts asking them questions. Oddly though, this sort of response does not happen in many network environments.

When someone plugs in their laptop from home and attaches it to the network, more often than not they can get an IP address from the DHCP server. A troublesome prospect. 

There was a time where a security practitioner might wander through the office seeking out rogue access points or mobile drives attached to computers. Some security practitioners would even go so far as to pour epoxy into USB ports on laptops and desktops in a bid to avoid data exfiltration. 

While some would hunt for rogue access points, oddly enough there was rarely a story shared where someone found a personal laptop attached to the network via visual inspection. Even if there were many of these stories it would not be something that would scale by any measure. 

Rogue wifi access points were very simple to identify. They would stand out like a sore thumb.

As a result this was a story that we would hear shared a lot. 

But if someone brought in a personal device such as a Thinkpad or MacBook it would rarely be given a second glance. This sort of visual inspection would offer little comfort for securing the environment. Device trust is paramount in a corporate environment. More so now with so many knowledge workers being distributed at their homes around the world. There is a real necessity to be able to verify the devices that are attaching to your networks and accessing your intellectual property.

Being able to manage devices in a non-intrusive fashion is of critical importance when working to ensure your fiduciary responsibilities to protect your company. Not all organizations were able to get access to all of the hardware that they needed to be able to provide their staff with the ability to work from home.

Having the ability to have clear visibility of patch levels and activity of laptops, desktops and mobile devices is a great step towards understanding the threat surface and ensuring compliance with corporate policies.

When we were small children we were all too aware of the sign at the amusement park that said “you must be this tall to ride.” We would stand on our tip toes in an attempt to make the grade. This analogy does not hold up when attempting to secure a company. Device trust is not something that we need to cross our fingers and hope that we’ll make the line when we have solutions that can give us clear guidance. 

Even in times where the “new normal” is simply a day that ends in “y” we still have staff, contractors and temporary staff that need access. By deploying solutions that provide for device trust we can have granular access controls which provide the right level of security for your organization which go a long way to establishing a zero trust framework for your workforce.

Previous
Previous

The Real Threat of Election Security Online

Next
Next

The Password-less Journey Roadmap for Federal Government