
Leo Taddeo, March 25, 2022

The CISA Zero Trust Maturity Model Series – Part 2: Devices

If people are the new perimeter, then the devices they use are more important than ever.


We recently kicked off a blog series exploring the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model, which underpins the guidelines set forth by the U.S. Office of Management and Budget (OMB) in its final strategy for federal agencies to move toward a Zero Trust security architecture by the end of fiscal year 2024.

CISA’s maturity model focuses on Zero Trust security implementation across five key pillars (Identity, Device, Network, Application Workload and Data), with each pillar having three stages of maturity: traditional, advanced and optimal. As covered in the previous blog and in our Zero Trust Thirty podcasts (most recently Zero Trust for Critical Infrastructure), identity is the key first step in any Zero Trust security journey. Closely tied to it is the second pillar, Device, which is covered here.

Scaling security to meet device overload

In the Device pillar, optimal maturity translates to constant security monitoring and device validation, as well as data access that is wholly dependent on real-time risk analytics:

  1. Compliance monitoring: Constant monitoring and validation of device security posture
  2. Data access: Considers devices’ real-time risk analytics
  3. Asset management: Asset and vulnerability management integration across all agency environments, including cloud and remote
  4. Visibility and analytics capability: Continuous device posture assessments
  5. Automation and orchestration capability: Device capacity and deployment uses continuous integration and continuous deployment (CI/CD) principles with dynamic scaling
  6. Governance capability: Devices permit data access and use without resident plain-text copies, reducing asset supply chain risks

If this feels like another way of saying “who, what, why, where and when,” it is. CISA has outlined a core set of principles that enable dynamic interaction with the device, so agencies can understand the state of its security at connection and throughout each interaction. This allows them to adjust access privileges dynamically and automatically, ensuring that the user and the device only gain access to what they need and are authorized for at any given time.

Traditional solutions only go so far

With Zero Trust access, a user’s device is not granted access to the network by default. It must first be authenticated, and then given limited access to authenticated resources once dynamic policies and entitlements are provisioned. Then, importantly, the device must be continuously monitored—based on the user’s role, device security posture, location, time and date, and a range of other conditional requirements—to determine if access privileges should be adjusted or revoked entirely.

These dynamic, metadata-driven, surgical entitlements are conditional and based on context and on the risk tolerance defined by the enterprise. This is far more secure than relying solely on identity and a static username/password combination (with no device element at all). A “log in and done” method essentially gives a cyberattacker the keys to the kingdom if they can gain access through a device.

While traditional tools like Network Access Control (NAC) solutions can provide device discovery and perform configuration checks, they are not capable of creating and enforcing a dynamic policy model to control network access. For example, many NACs can query a device to determine whether it has the anti-virus solution required by policy. This information is then used to decide whether to allow the device to connect. Unfortunately, this does not meet the #1 requirement to reach optimal maturity in the Device pillar. Specifically, NACs are not presently capable of continuously monitoring a device and using a variety of attributes to terminate or adjust access.

Dynamic and context-aware

What’s needed is a dynamic and context-aware approach such as that offered by Appgate SDP, an industry-leading Zero Trust Access solution used by federal government agencies as they modernize their IT environments, move to the cloud and work to comply with new cybersecurity requirements.

Appgate SDP is 100% identity-centric and seamlessly integrates with organizations’ existing identity management and endpoint tools, tying users and devices together through several unique capabilities:

  • Off-the-shelf device posture checking: For devices without enterprise endpoint protection, a deep posture check is critical to limiting risky devices.
  • Endpoint detection enhancement: If a device becomes risky after the initial access request, Appgate SDP monitors the ongoing device risk in near real-time and removes entitlements if risk goes up after initial access is granted.
  • Lateral movement reduction: Appgate SDP’s micro-segmentation capabilities allow organizations to match each identity (user + device) with their entitlements so that access is granted only to permitted resources. Everything else is invisible, preventing lateral movement on the network even if any attacker were to gain entry via a compromised device.
  • Elimination of the “hammer and nail” approach: Traditional, siloed endpoint protection solutions risk impacting workforce productivity by forcing admins to take risky devices offline while conducting further investigation, rendering users unable to do meaningful work. Appgate SDP provides an alternative approach by allowing organizations to dynamically adjust entitlements to reduce exposure to critical resources. This lets users continue to work, with limited access, while greatly reducing risk.
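The difference between a connect-time NAC check and continuous posture evaluation (described above under "Traditional solutions only go so far", and again in the "Endpoint detection enhancement" bullet) is easiest to see in code. The following is an added, self-contained illustration written for this post; it is not Appgate SDP code, and every name in it (the `Posture` fields, the resource names in `POLICY`, the constructed timeline) is a hypothetical example. It evaluates the same policy two ways: once at connect and then frozen, versus re-evaluated on every posture snapshot with entitlements revoked when the device stops qualifying.

```python
"""Constructed example: connect-time-only vs. continuous entitlement evaluation.

Not vendor code. Resource names, posture fields and the timeline are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Posture:
    """One device posture snapshot (field names are hypothetical)."""
    t: int                # minutes since connect, on a constructed clock
    user_role: str
    av_running: bool
    disk_encrypted: bool
    os_patched: bool
    location: str         # "office" or "remote"


# An entitlement is a resource name plus a condition over the current posture.
Condition = Callable[[Posture], bool]

POLICY: Dict[str, Condition] = {
    # Baseline: a running AV and an encrypted disk are enough for email.
    "email": lambda p: p.av_running and p.disk_encrypted,
    # Finance data additionally requires the finance role and a patched OS.
    "finance-db": lambda p: (p.user_role == "finance" and p.os_patched
                             and p.av_running and p.disk_encrypted),
    # Admin console: admin role, fully compliant device, office network only.
    "admin-console": lambda p: (p.user_role == "admin" and p.location == "office"
                                and p.av_running and p.disk_encrypted and p.os_patched),
}


def evaluate(policy: Dict[str, Condition], posture: Posture) -> FrozenSet[str]:
    """Return the set of resources this posture snapshot qualifies for."""
    return frozenset(res for res, cond in policy.items() if cond(posture))


@dataclass(frozen=True)
class Decision:
    t: int
    allowed: FrozenSet[str]
    revoked: FrozenSet[str] = frozenset()   # entitlements withdrawn at this instant


def connect_time_only(policy: Dict[str, Condition],
                      timeline: List[Posture]) -> List[Decision]:
    """NAC-style: evaluate once at connect, then keep that result for the session."""
    initial = evaluate(policy, timeline[0])
    return [Decision(p.t, initial) for p in timeline]


def continuous(policy: Dict[str, Condition],
               timeline: List[Posture]) -> List[Decision]:
    """Zero Trust style: re-evaluate every snapshot and revoke what no longer qualifies."""
    decisions: List[Decision] = []
    previous: FrozenSet[str] = frozenset()
    for p in timeline:
        allowed = evaluate(policy, p)
        decisions.append(Decision(p.t, allowed, previous - allowed))
        previous = allowed
    return decisions


def exposure_window(policy: Dict[str, Condition],
                    timeline: List[Posture]) -> Dict[int, FrozenSet[str]]:
    """Per snapshot: resources the connect-time model still allows but the
    continuous model has revoked. Non-empty entries are the risk a static check leaves open."""
    static = connect_time_only(policy, timeline)
    dynamic = continuous(policy, timeline)
    return {s.t: s.allowed - d.allowed for s, d in zip(static, dynamic)}


# Constructed timeline: compliant at connect, AV stops at t=30, restored at t=60.
TIMELINE = [
    Posture(0, "finance", True, True, True, "remote"),
    Posture(30, "finance", False, True, True, "remote"),   # AV process died
    Posture(60, "finance", True, True, True, "remote"),    # AV back up
]

if __name__ == "__main__":
    for d in continuous(POLICY, TIMELINE):
        print(f"t={d.t:>3}: allowed={sorted(d.allowed)} revoked={sorted(d.revoked)}")
    print("exposure left by connect-time-only check:",
          {t: sorted(r) for t, r in exposure_window(POLICY, TIMELINE).items()})
```

Running the block shows the point of the post: at t=30 the continuous evaluator withdraws both entitlements the moment the AV process stops, and restores them at t=60 without a re-login, while the connect-time model keeps the finance database reachable for the whole session. In a real deployment the snapshot would come from an endpoint agent or EDR integration and the conditions would be richer (risk scores, time of day, geolocation), but the control loop is the same.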

Advancing on your Zero Trust security journey can require myriad cybersecurity tools. An integrated Zero Trust access solution like Appgate SDP can serve as the glue binding these tools together. As the device landscape grows more complex and crowded, this approach can help you accelerate Zero Trust maturity while keeping user productivity intact.

For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.

Additional Zero Trust security resources:

  • Upcoming webinar: Zero Trust is Not One Size Fits All
  • Blog: The CISA Zero Trust Maturity Model Series — Part 1: Start with Identity
  • Blog: Federal march to Zero Trust security
  • Blog: Control access with identity-centric micro-perimeters
  • Ebook: Zero Trust Network Access: Everything you need to know
  • Webinar: Zero Trust for critical infrastructure
