Device-Level Signals: Framework of Zero Trust Security

The U.S. government is tightening the reins: federal agencies must meet specific Zero Trust architecture (ZTA) goals by the end of fiscal year 2024 (September 30, 2024). The strategy is aimed at thwarting increasingly sophisticated and persistent cyberattacks, and the same Zero Trust principles are essential to safeguarding healthcare, financial, and other high-risk industries. In the words of the U.S. government,

“To deliver on these missions effectively, our nation must make intelligent and vigorous use of modern technology and security practices, while avoiding disruption by malicious cyber campaigns” (M-22-09 Federal Zero Trust Strategy).

It’s up to industry-leading cybersecurity solutions to support companies’ Zero Trust security objectives.

The foundation of ZTA is that no actor, system, network, or service is trusted implicitly, whether it sits inside or outside the traditional security perimeter. Every access request is therefore evaluated for risk, and the identity and integrity of whatever is making it must be continually verified.

Device-level signals supply the data needed to identify a device and continually assess its security posture before the user on it is granted access to internal resources. Organizations have their hands full implementing the framework that Zero Trust policies require, including the five pillars of Zero Trust.

The Five Pillars of Zero Trust

To make Zero Trust aspirations attainable, the U.S. government has outlined five pillars that form the foundations of ZTA:

Identity
An identity is an attribute or set of attributes used to identify an entity. Staff use only enterprise-managed identities for everything work-related, and those identities are protected by phishing-resistant multi-factor authentication.

Devices
The organization maintains a complete inventory of every device it operates and authorizes for internal use. That inventory is the foundation for preventing, detecting, and responding to incidents on those devices.

Networks
The organization encrypts all DNS requests and HTTP traffic within its environment, so that traffic crossing its networks cannot be read by anyone positioned on the path.

Applications and Workloads
All applications are treated as internet-connected and therefore untrusted: they are routinely subjected to rigorous empirical testing, and external vulnerability reports are welcomed. This ongoing scrutiny surfaces weaknesses before an attacker can exploit them.

Data
Agencies pursuing Zero Trust must deploy protections that build on thorough data categorization. Knowing what data exists and how sensitive it is lets security platforms account for and monitor all of it.

About Posture Data

“Security posture” refers to how an organization is set up to defend against, detect, and respond to cyber threats and attacks. “Posture data signals” are the indicators used to analyze the overall security posture of an agency’s systems, networks, and applications. These signals provide insights that help identify potential vulnerabilities and threats.

For example, posture data signals might include information on the device type, the version of the device’s operating system, the applications being used, and more. The agency’s security policies and procedures help define what signals are in an acceptable range and which could indicate risks and cyber-attacks.

Ultimately, posture data signals are a critical element of cybersecurity and support the pillars of ZTA.

Authorization versus authentication

“Authentication” and “authorization” are often used interchangeably, but they refer to two separate, though related, aspects of access control.

Authentication is the verification of a claimed identity, whether of a user or of a system entity. Historically that meant login credentials such as a username and password. WinMagic’s MagicEndpoint passwordless authentication solution verifies both the user and the device: for Zero Trust, it authenticates the user to the device’s operating system rather than to each application individually, and Ping Identity then extends that authentication across the enterprise environment.

Authentication establishes who is asking; authorization determines whether that authenticated user or system is permitted to access a specific service or piece of internal data. Authorization is governed by security policies or controls that state which users or systems may perform which actions, such as reading, writing, or deleting data. Posture data signals are what allow an Identity and Access Management (IAM) solution to make genuinely informed authorization decisions.

Intelligent decision making

Online applications and services should treat every user as untrusted, yet users still need to reach them safely and securely. Ping Identity and WinMagic have partnered on a solution that evaluates each access to an application or service on the network against the requesting device’s posture and the organization’s policies.

Device integrity
In this partnership, MagicEndpoint delivers the posture data and Ping services weigh it against the organization’s policies. For example, MagicEndpoint identifies the endpoint device’s type (Windows or Mac, phone or tablet, and so on), its operating system version, its network connection, and more. Ping then analyzes these device-level risk signals to flag risks and non-compliant configurations. This decision-making adds a robust layer of protection that can restrict suspicious activity and block attackers before they gain a foothold on your data.

User intent
MagicEndpoint also collects data about the user and the user’s intent. With this information, Ping makes an informed decision on whether or not to authenticate the user. Once the user has been authenticated to the endpoint, they’re further authorized to access certain applications and services, depending on the company policies in place and Ping’s assessment of the user’s security posture.

Security policies

Organizations can configure their own security policies through the Ping platform. For example, one policy may block access to certain apps and services if the user is accessing them without up-to-date antivirus protection. To enforce this policy, Ping uses MagicEndpoint to investigate the device’s antivirus software. Then, it’s up to Ping to make an intelligent decision of whether or not to authenticate the user and authorize them to access requested resources.

The reliable endpoint

The endpoint is one of the best sources of trustworthy posture signals. IP addresses, network connections, and user credentials can all be spoofed or stolen, but an endpoint that proves possession of a hardware-bound key is far harder to impersonate.

MagicEndpoint uses public-key cryptography to verify that the endpoint holds a private key that lives only in its Trusted Platform Module (TPM). Because a TPM-protected key is never exported, it cannot be copied to another machine; the verifier holds only the matching public key. Once the endpoint is verified, MagicEndpoint collects information on its operating system, antivirus software, and more. This data, combined with Ping’s ability to analyze the client’s location, provides dependable input for verifying the user.
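
To make the challenge-response behind that verification concrete, here is an added example in Go (not WinMagic or Ping Identity code): the verifier issues a random nonce, the endpoint signs the nonce together with its posture report using a device-resident private key, and the verifier checks the signature with the public key recorded at enrollment before it accepts the posture. The in-memory ECDSA P-256 key stands in for a TPM-resident key, and the type names, the Posture fields and the JSON encoding are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Posture is the signal set the endpoint reports (field names are assumed).
type Posture struct {
	DeviceType string `json:"device_type"`
	OSVersion  string `json:"os_version"`
	AVUpToDate bool   `json:"av_up_to_date"`
}

// Report carries the posture, the verifier's nonce and one signature over
// both, so the posture cannot be edited afterwards and the report cannot be replayed.
type Report struct {
	DeviceID  string
	Nonce     []byte
	Posture   []byte // JSON-encoded Posture
	Signature []byte // ASN.1 ECDSA over digest(Nonce, Posture)
}

// digest binds nonce and posture; nonces are always 32 bytes, so this is unambiguous.
func digest(nonce, posture []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(posture)
	return h.Sum(nil)
}

// NewDeviceKey stands in for key generation inside the TPM. A TPM-resident
// key is never exported; this in-memory P-256 key only lets the example run.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Attest is the endpoint's answer to a challenge: sign nonce plus posture.
func Attest(id string, key *ecdsa.PrivateKey, nonce []byte, p Posture) (*Report, error) {
	pj, _ := json.Marshal(p) // cannot fail for a struct of strings and bools
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(nonce, pj))
	if err != nil {
		return nil, err
	}
	return &Report{DeviceID: id, Nonce: nonce, Posture: pj, Signature: sig}, nil
}

// Verifier is the identity-provider side: enrolled public keys plus the
// nonces it has issued but not yet consumed.
type Verifier struct {
	enrolled map[string]*ecdsa.PublicKey
	pending  map[string]bool
}

func NewVerifier() *Verifier {
	return &Verifier{enrolled: map[string]*ecdsa.PublicKey{}, pending: map[string]bool{}}
}

func (v *Verifier) Enroll(id string, pub *ecdsa.PublicKey) { v.enrolled[id] = pub }

// Challenge issues a fresh random nonce and remembers it until it is used.
func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	v.pending[string(n)] = true
	return n, nil
}

// Verify trusts the posture only if the device is enrolled, the nonce was
// issued and is unused, and the signature checks under the enrolled key.
func (v *Verifier) Verify(r *Report) (Posture, error) {
	var p Posture
	pub, ok := v.enrolled[r.DeviceID]
	if !ok {
		return p, errors.New("device not enrolled")
	}
	nk := string(r.Nonce)
	if !v.pending[nk] {
		return p, errors.New("nonce not issued or already used (replay)")
	}
	if !ecdsa.VerifyASN1(pub, digest(r.Nonce, r.Posture), r.Signature) {
		return p, errors.New("signature does not verify under the enrolled key")
	}
	delete(v.pending, nk) // single use
	err := json.Unmarshal(r.Posture, &p)
	return p, err
}

func main() {
	key, _ := NewDeviceKey()
	v := NewVerifier()
	v.Enroll("laptop-01", &key.PublicKey)
	nonce, _ := v.Challenge()
	rep, _ := Attest("laptop-01", key, nonce, Posture{DeviceType: "windows", OSVersion: "10.0.19045", AVUpToDate: true})
	fmt.Println(v.Verify(rep)) // genuine report: the posture and a nil error
	fmt.Println(v.Verify(rep)) // same report again: rejected as a replay
}
```

Two properties matter here. The nonce is single-use, so a captured report cannot be replayed later, and the posture sits inside the signed message, so a client cannot swap in a cleaner posture after signing. What this does not prove is that the code asking for the signature is honest: an attacker with code execution on the device can still have the key sign a false posture, which is why key-based attestation is combined with posture policy rather than replacing it.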

Types of device-level signals

Below are some examples of security posture data that modern authentication solutions should use to make intelligent decisions when authenticating and authorizing a user:

  • Device type. MagicEndpoint identifies the type of endpoint device: Windows or Mac, phone or tablet, and so on. Ping can then check that the device is consistent with both the user’s history and the organization’s approved device types.
  • Operating system version. MagicEndpoint reports the operating system’s version. Ping can use it to confirm that the user is accessing apps and services from an authorized, up-to-date device.
  • Antivirus software. MagicEndpoint reports whether the endpoint has antivirus software installed, along with its make and version. Ping can confirm that the device runs the same antivirus software the organization requires on all similar devices.
  • Type of authentication. MagicEndpoint records how the user logged into the endpoint: a USB key, a Personal Identity Verification (PIV) card, a password, Bluetooth, multi-factor authentication (MFA), and so on. Ping can use these particulars to further verify the user and device.
  • Hardware details. MagicEndpoint can identify the hardware: its make, model, and where it was manufactured. This would be particularly useful in supporting the CHIPS and Science Act, which aims to bring semiconductor manufacturing back to the USA to address supply chain vulnerabilities. In theory, Ping could check whether the semiconductors were manufactured outside the USA and reject the authentication request or limit the user’s authorization.
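
As an added illustration (not Ping’s policy language or MagicEndpoint’s schema), the following Go example evaluates the signals listed above, together with the antivirus rule from the Security policies section, against one organization’s policy. Hard requirements (a managed device type, a minimum OS version per platform, an approved antivirus product with current signatures) deny outright; weaker signals (an endpoint login that was not phishing-resistant, a device type the user has never used before) only ask for step-up verification. All field names, thresholds and the ExamplePolicy values are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Signals is the verified posture a policy consumes (field names are assumed).
type Signals struct {
	DeviceType         string          // "windows", "macos", "ios", ...
	OSVersion          string          // dotted numeric, e.g. "10.0.19045"
	AVProduct          string          // "" when no antivirus is reported
	AVSignatureAgeDays int             // days since the last signature update
	AuthMethod         string          // how the user logged into the endpoint
	UserDeviceHistory  map[string]bool // device types this user has used before
}

type Decision int

const (
	Deny   Decision = iota // a hard requirement failed
	StepUp                 // allow only after additional verification
	Allow
)

func (d Decision) String() string { return []string{"deny", "step-up", "allow"}[d] }

// Policy holds the organization's rules; every lookup is default-deny.
type Policy struct {
	AllowedDeviceTypes    map[string]bool
	MinOSVersion          map[string]string // per device type
	ApprovedAV            map[string]bool
	MaxAVSignatureAgeDays int
	PhishingResistantAuth map[string]bool
}

// compareVersion returns <0, 0 or >0 for dotted numeric versions; missing parts count as 0.
func compareVersion(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := 0, 0
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x - y
		}
	}
	return 0
}

// Evaluate returns a decision and its reasons: failed hard requirements deny outright, weaker signals only trigger step-up.
func (p Policy) Evaluate(s Signals) (Decision, []string) {
	var reasons []string
	if !p.AllowedDeviceTypes[s.DeviceType] {
		reasons = append(reasons, "device type not managed: "+s.DeviceType)
	}
	if floor, ok := p.MinOSVersion[s.DeviceType]; ok && compareVersion(s.OSVersion, floor) < 0 {
		reasons = append(reasons, "OS version "+s.OSVersion+" below minimum "+floor)
	}
	switch {
	case s.AVProduct == "":
		reasons = append(reasons, "no antivirus reported")
	case !p.ApprovedAV[s.AVProduct]:
		reasons = append(reasons, "unapproved antivirus: "+s.AVProduct)
	case s.AVSignatureAgeDays > p.MaxAVSignatureAgeDays:
		reasons = append(reasons, "antivirus signatures stale")
	}
	if len(reasons) > 0 {
		return Deny, reasons
	}
	if !p.PhishingResistantAuth[s.AuthMethod] {
		reasons = append(reasons, "endpoint login not phishing-resistant: "+s.AuthMethod)
	}
	if !s.UserDeviceHistory[s.DeviceType] {
		reasons = append(reasons, "device type differs from user's history")
	}
	if len(reasons) > 0 {
		return StepUp, reasons
	}
	return Allow, nil
}

// ExamplePolicy is a constructed configuration for demonstration only.
func ExamplePolicy() Policy {
	return Policy{
		AllowedDeviceTypes:    map[string]bool{"windows": true, "macos": true},
		MinOSVersion:          map[string]string{"windows": "10.0.19045", "macos": "13.0"},
		ApprovedAV:            map[string]bool{"Defender": true},
		MaxAVSignatureAgeDays: 3,
		PhishingResistantAuth: map[string]bool{"piv": true, "fido2": true},
	}
}

func main() {
	s := Signals{DeviceType: "windows", OSVersion: "10.0.19045", AVProduct: "Defender", AVSignatureAgeDays: 1,
		AuthMethod: "piv", UserDeviceHistory: map[string]bool{"windows": true}}
	fmt.Println(ExamplePolicy().Evaluate(s)) // allow []
}
```

Every lookup against the policy is default-deny: a device type, antivirus product or login method that is absent from the policy fails the check rather than passing it. Returning the reasons alongside the decision is what makes a step-up or denial explainable to the user and auditable afterwards.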

A More Secure Future

According to Security Magazine, cyberattacks increased by 38% in 2022. With so much of the workforce now remote, attackers have set their sights on collaboration tools, and attacks on healthcare organizations in particular have risen significantly.

Step by step, Zero Trust security is becoming more attainable to organizations of all sizes. Together, WinMagic and Ping Identity have the potential to deliver one solution that achieves optimal security by complying with an organization’s IAM policies. MagicEndpoint is in a prime position to collect security posture data from the endpoint and Ping is well-equipped to make intelligent decisions regarding user authentication and authorization.

For more information about the partnership between Ping Identity and WinMagic, visit the Integration Directory.
