This post is the fourth in a series examining how Zscaler supports the move to zero trust as defined by CISA.
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model defines a device as “any hardware asset that can connect to a network, including internet of things (IoT) devices, mobile phones, laptops, servers, and others.” In a traditional security environment, the device is not always considered when granting access; identity is the main determinant of what can be accessed. Where a device is considered, it is usually a blanket block – no non-agency devices are allowed access. This complicates users’ ability to bring their own device (BYOD), requiring rigorous checks of personal devices before they can be used for agency work. It also adds to the burden on IT to inventory and secure all of these devices – agency-owned and otherwise.
A Zero Trust architecture moves data access from a model of no consideration of the device accessing data to using real-time risk analytics to grant access every time a connection is requested. Securing every device and endpoint is a foundational element of Zero Trust, but it requires looking at the concept of “securing” a bit differently. In Zero Trust, making a device secure does not mean one-time vetting and software downloading. Instead, it is a constant review of the device and its activity.
Even if the device belongs to a trusted user, it could carry malicious code, unbeknownst to that trusted user, and cause an incident. The user and the device have to be monitored constantly for anomalous behavior, such as connections being made that have not been made before, or certain applications being opened or closed. To do this, agencies need to establish and enforce a baseline of device security protections and have visibility into the devices themselves to ensure compliance. Focusing on the endpoint allows device compliance and integrity to drive access control decisions.
Zscaler performs several device validation checks today and is easily integrated with Endpoint Detection and Response (EDR) solutions and device management platforms to assess device risk.
Creating a device fingerprint
In order for a device to gain access via Zscaler, we collect a “fingerprint” for that device upon enrollment. This can include hardware information like a serial number on a battery or hard drive. This step ensures that a device cannot be cloned. This fingerprint is a critical part of the device authentication step in the CISA model, looking beyond certificates and confirming the device itself.
Criticality of cloud-based
For the granularity required by Zero Trust, a cloud-based solution is the only realistic method of securing devices. Devices can travel anywhere in the world, and an on-premises solution cannot follow a device to perform the continuous checks needed to ensure the baseline remains consistent. Because the threat landscape is constantly changing, software updates need to be pushed to the device quickly and constantly monitored. When a Zscaler user connects, we validate not only the device but also the Zscaler software being used, to ensure they are running the most up-to-date version. Updates are pushed immediately, before the user can connect.
A key difference between traditional security and Zero Trust is continual monitoring. In a Zero Trust environment the agency constantly monitors and validates device security and posture. This includes user behavior. Leveraging partners like CrowdStrike and Forescout, Zscaler monitors user and device behavior to ensure continual compliance with baselines and with agency policy. The information collected by Zscaler is continually pushed to EDR, SIEM, and SOAR solutions for any needed action to lock down devices and users behaving outside of policy or their baseline.
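The three checks described in this post and in the fingerprint section above (confirming the enrolled hardware fingerprint so a cloned device is refused, gating on the client software version, and folding in an EDR risk score before emitting an event for the SIEM) can be sketched as a single per-connection policy decision. The following is an added illustration written for this article, not Zscaler’s own code or API; the field names, the version baseline, the risk threshold and the sample hardware identifiers are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed baseline: minimum acceptable client version (hypothetical value).
MIN_CLIENT_VERSION = (3, 9, 0)


def hardware_fingerprint(attrs: dict) -> str:
    """Hash a canonical, sorted rendering of the hardware identifiers captured
    at enrollment (e.g. battery / disk / baseboard serials, as the post describes)."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def parse_version(v: str) -> tuple:
    """'3.9.2' -> (3, 9, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Enrollment:
    device_id: str
    fingerprint: str          # stored at enrollment time


@dataclass
class ConnectionRequest:
    device_id: str
    user: str
    hardware: dict            # identifiers re-collected at connection time
    client_version: str
    edr_risk_score: int       # 0 (clean) .. 100 (critical), supplied by the EDR integration (hypothetical scale)


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)
    siem_event: dict = field(default_factory=dict)


def evaluate(req: ConnectionRequest, enrollments: dict, max_risk: int = 40) -> Decision:
    """Re-evaluate device posture on every connection; any failed check denies."""
    reasons = []

    enrolled = enrollments.get(req.device_id)
    if enrolled is None:
        reasons.append("device not enrolled")
    # compare_digest avoids a timing side channel on the hash comparison.
    elif not hmac.compare_digest(hardware_fingerprint(req.hardware), enrolled.fingerprint):
        reasons.append("hardware fingerprint mismatch (possible clone)")

    if parse_version(req.client_version) < MIN_CLIENT_VERSION:
        reasons.append("client software below baseline; update required")

    if req.edr_risk_score > max_risk:
        reasons.append(f"EDR risk score {req.edr_risk_score} exceeds {max_risk}")

    allow = not reasons
    # Every decision, allowed or not, is emitted so SIEM/SOAR can act on it.
    event = {"user": req.user, "device_id": req.device_id,
             "allow": allow, "reasons": list(reasons)}
    return Decision(allow, reasons, event)


if __name__ == "__main__":
    # Constructed sample data.
    hw = {"baseboard_serial": "BB-0001", "battery_serial": "BAT-7781", "disk_serial": "DSK-4410"}
    enrollments = {"dev-1": Enrollment("dev-1", hardware_fingerprint(hw))}
    clone = dict(hw, disk_serial="DSK-9999")   # same device_id, different hardware
    for req in (ConnectionRequest("dev-1", "alice", hw, "3.9.2", 5),
                ConnectionRequest("dev-1", "alice", clone, "3.9.2", 5),
                ConnectionRequest("dev-1", "alice", hw, "3.8.9", 5)):
        print(evaluate(req, enrollments).siem_event)
```

The version gate is written as a plain deny; a deployment that pushes the update first, as the post describes, would treat that reason as "remediate then retry" rather than a final refusal, while a fingerprint mismatch should stay a hard deny because it indicates the hardware is not the one that was enrolled.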
Tying access to the device and the user creates a much stronger confidence that the right person is getting access to the right information in the appropriate way. Zscaler’s solution ensures that devices can be continually vetted upon each connection and remain under watch while accessing data, enabling a ZTA that applies risk scores to how and when access is granted based on real-time threat and situational data.