What is Device Posture’s Role in Zero Trust?
by Paul Andre de Vera

While much of the attention paid to Zero Trust Network Access (ZTNA) has focused on identity, far less has been paid to device posture's role in Zero Trust. The state of a device's security features provides critical context for any least-privilege authorization decision. Device posture checks must be part of every access request, especially now that a growing share of the devices accessing protected resources are owned by users, contractors, and other third parties rather than by the company.

As we roll out our Twingate Device Security capabilities, it’s worth looking at why device posture checks have become so important as well as device posture’s role in Zero Trust solutions.

Device ecosystems: from monoculture to security diversity

Traditional network access control techniques evolved at a time when workforces and the technologies they used were more centralized and homogenous. All users were employees. The few that did not use managed desktops — executives, salespeople, field engineers — carried managed laptops while traveling. Everyone accessed resources on central networks protected by secure perimeter technologies.

Things couldn't be more different today. A company's user base is a dynamic mix of employees, freelancers, contractors, third-party companies, and guests. Some may use company-owned devices. A growing number, however, use personal devices or devices owned by outside firms. They connect to a nebulous company network that extends beyond the company LAN into the cloud.

This distributed network architecture makes traditional approaches to secure access less and less effective. Long past are the days of one user, one device. Now, users switch from device to device throughout the day as their context changes. They may even access company resources through several managed and personal devices at the same time. As administrators’ control over these devices becomes more tenuous, device security is a growing concern.

Modern threats from user devices

In this environment, devices have become significant vectors for cyber-attacks. A survey released in early 2020 found that 68% of respondents had experienced security breaches that originated on user devices.

In the months following that survey, pandemic-driven shifts in the workplace only made user devices more enticing to cybercriminals. Users became responsible for security and maintenance thanks to work-from-home and bring-your-own-device policies. The chances of unpatched vulnerabilities increased. As a result, lightly managed or unmanaged endpoints created new opportunities for security breaches. A 2021 report found nearly 80% of organizations have seen an increase in compromised endpoints.

Establishing trust in devices versus identities

Much attention over the past few years has focused on finding better ways to verify user identity. As Twingate’s Chief Product Officer, Alex Marshall, discussed last year, device trust is more difficult to pin down:

“Unlike identity—which is inherently a portable concept and has spawned a wide range of technologies to evaluate identity across systems from LDAP to OAuth—device trust is a more fluid concept that requires a different approach.”

Identity is relatively static. Once authenticated, your CEO, network administrators, and other users can be trusted to access the resources for which they are authorized.

Device trust, on the other hand, is more dynamic and subject to interpretation. IP-based network access controls struggle because the context of a device's connection (is it on the office LAN or an airport hotspot?) changes constantly. Likewise, device posture (security features such as firewall status or OS version) can change at any time, opening vulnerabilities that attackers could exploit.

Secure perimeters and current device posture security

As user traffic expanded beyond the company’s campus network, administrators extended their traditional device management approaches to this new distributed network. Various tools let administrators control device posture — to a degree.

Mobile device management

Mobile device management (MDM) solutions give administrators the kind of control over remote devices that they previously had over desktop systems on the network. Originally developed to manage enterprise application access for the smartphones employees began bringing to work, MDM security solutions now support every kind of user device.

MDM software running on the user device isolates company applications and data from the user’s personal data. At the same time, the client app lets administrators remotely manage the device. Updates can be deployed without user intervention. When someone leaves the company, administrators can use the MDM client to erase company data remotely.

Endpoint detection and response

Endpoint detection and response (EDR) solutions provide the continuous security that is missing from VPN-based access control. Once the user is authenticated and access to the network has been granted, the VPN system’s role is complete. Should the device be compromised, hackers can go wherever they want on the network.

EDR clients constantly monitor and enforce antivirus, firewall, and other device posture policies. If the EDR client detects suspicious activity or if the device falls out of compliance, the client blocks access to company resources until the user or administrators address the security issue.

Certificates

Digital certificates give devices a verifiable "identity" that adds a layer of security. The certificate itself is just data and can be copied; what makes the identity hard to forge is that the matching private key never leaves the device, ideally held in hardware-backed storage such as a TPM or Secure Enclave, and that the certificate was issued by a Certificate Authority the organization trusts. Network access control systems rely on that chain of trust to ensure that only devices able to prove possession of a certified key connect to protected networks.

Challenges of traditional device security approaches

Like other aspects of the secure perimeter framework, device management evolved in response to changing conditions. Companies adopted some systems to control access from smartphones, other systems for managed devices, and more systems for the growing population of unmanaged devices. Administrators now deal with a patchwork of platform-specific security applications that do not integrate easily with each other or with identity and access management systems.

Moreover, EDR and MDM solutions work best with company-owned devices. Requiring employees to install these agents on personal devices raises privacy concerns, and installing them at all may not be possible on devices belonging to freelancers, contractors, and other third parties.

Using device posture in Zero Trust Network Access

Organizations of every size are turning to Zero Trust Network Access to simplify access control and enhance resource security. ZTNA recognizes that, thanks to the internet and the cloud, secure perimeters no longer exist. Protecting networks is not enough. Zero Trust solutions depend on both identity and device posture to determine in real-time whether to authorize any user’s access.

Authentication context with device posture information

Zero Trust’s core principle of “assume breach” reflects the state of today’s threat landscape. An unpatched system or a malicious email is all hackers need to compromise a device and penetrate a network’s defenses. Given this reality, the only way to protect resources is to challenge every request.

Zero Trust requires explicit verification whenever a user tries to access a resource. User identity is a big part of that step. Device posture is just as important. Unlike VPN’s all-or-nothing approach, ZTNA solutions apply grades of access based on both identity and context. The device posture information that a ZTNA solution uses to evaluate that context can include:

  • OS version
  • Anti-malware version and status
  • Screen lock status
  • Firewall status
  • Storage encryption
  • Biometrics
  • Certificates

Base resource access on current device posture

A Zero Trust solution uses the device posture reported at the time of the request to calculate a trust score. With these scores, security policies can apply granular criteria based on the principle of least privilege. In some scenarios, access to a low-risk resource may be acceptable despite a less-than-perfect device posture. Highly sensitive resources, on the other hand, would require every device posture check to pass before access is allowed.

Network administrators, for example, can access more systems when working on a managed desktop connected to the company LAN than when using their phones. Least-privileged access policies based on device posture make it easier to contain potential breaches while letting users access the resources they need.

Twingate unifies device posture in ZTNA

When Alex introduced Twingate’s device posture philosophy last year, he explained how our Zero Trust solution is uniquely positioned to make device posture a consistent and easily-managed part of your secure access policies.

“Our status as a neutral collection point for this information will not only allow Twingate to provide you with the most complete picture of your environment across any device in any location, but also allow you to create custom policies for your environment that take this dynamic information into account.”

Two elements of Twingate’s software solution, the Controller and the Client, contribute to device posture enforcement. Among its responsibilities, the Controller:

  • Stores and distributes access policies.
  • Delegates user authentication to your Identity Provider.
  • Facilitates connections between user devices and protected resources.

Twingate’s approach to decentralized network architectures pushes decision-making and access policy enforcement to the edge. Our Client app runs seamlessly in the background on all major platforms, performing functions that include:

  • Redirecting users to their device’s identity authority.
  • Deciding whether users are allowed to access the requested resource.
  • Locally resolving DNS lookups for protected resources.
  • Initiating connections via Twingate to authorized resources.
  • Establishing direct, encrypted tunnels between the device and the resource.
  • Transparently proxying TCP and UDP traffic to protected resources.

Figure: Device posture checks in Twingate connection flows

Twingate device posture checks

Your administrators can set device security policies for each resource Twingate protects. These policies can be based on Twingate’s native device posture checks and, soon, third-party trust methods such as an MDM or certificate.

Using Twingate’s native capabilities, your security administrators define Trusted Profiles for each device platform that may connect to a resource. The base policy level, the Minimum OS Requirement, lets you grant or deny access by the operating system. You can limit access to Windows devices only or block all Android smartphones.

Depending on the platform, the device posture information Twingate collects may include:

  • Antivirus status.
  • Biometric configuration.
  • Firewall status.
  • Disk encryption status.
  • Screen lock status.

The Controller distributes each resource's access policies only to the Clients authorized to access that resource. When a user tries to access a resource, the Client compares the current device posture to the resource's Trusted Profiles. Devices out of compliance are blocked. Because the Client enforces the policy before any connection to the resource is made, a non-compliant device never reaches the resource, which shrinks your attack surface.
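The graded, least-privilege evaluation described under "Base resource access on current device posture" and the per-platform Trusted Profiles with a Minimum OS Requirement described here can be sketched in code. The following is an added example written for this article; it is not Twingate's Client or Controller code. The resource names, the profile and posture structures, and the sample devices are hypothetical and mirror the posture signals listed on this page.

```python
"""Posture-based access decisions (added illustration; not Twingate code).

Each resource carries per-platform "trusted profiles" (hypothetical structures,
not Twingate's API): a minimum OS version plus the posture signals that must be
satisfied. A request is evaluated against the posture the device reports at
request time, and the decision is made before any connection to the resource
is attempted, so a failing device never reaches it.
"""
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045). Pad to three parts so that a client
    reporting '13' is not judged older than a minimum of '13.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


@dataclass(frozen=True)
class Posture:
    platform: str          # e.g. "windows", "macos", "android"
    os_version: str        # as reported by the client, e.g. "13.4"
    antivirus: bool = False
    firewall: bool = False
    disk_encrypted: bool = False
    screen_lock: bool = False
    biometrics: bool = False


@dataclass(frozen=True)
class TrustedProfile:
    min_os: str
    required: frozenset    # names of Posture fields that must be True


@dataclass(frozen=True)
class ResourcePolicy:
    name: str
    profiles: dict         # platform -> TrustedProfile; absent platform = denied


def evaluate(policy: ResourcePolicy, posture: Posture) -> tuple:
    """Return (allowed, reasons). Fails closed: an unlisted platform, an OS
    below the minimum, or a missing required signal denies the request."""
    profile = policy.profiles.get(posture.platform)
    if profile is None:
        return False, [f"platform '{posture.platform}' not permitted"]
    reasons = []
    if parse_version(posture.os_version) < parse_version(profile.min_os):
        reasons.append(f"os {posture.os_version} below minimum {profile.min_os}")
    for signal in sorted(profile.required):
        if not getattr(posture, signal):
            reasons.append(f"{signal} not enabled")
    return (not reasons), reasons


def accessible(policies: list, posture: Posture) -> list:
    """Names of the resources this posture may reach right now; the same
    identity gets a different set from a different device (least privilege)."""
    return sorted(p.name for p in policies if evaluate(p, posture)[0])


# --- Constructed sample policies (hypothetical resource names) --------------
FULL = frozenset({"antivirus", "firewall", "disk_encrypted", "screen_lock"})

WIKI = ResourcePolicy("internal-wiki", {
    "windows": TrustedProfile("10.0", frozenset({"screen_lock"})),
    "macos":   TrustedProfile("12.0", frozenset({"screen_lock"})),
    "android": TrustedProfile("11",   frozenset({"screen_lock"})),
})
PROD_DB = ResourcePolicy("prod-db", {
    # managed desktop platforms only; every native posture check must pass
    "windows": TrustedProfile("10.0.19045", FULL),
    "macos":   TrustedProfile("13.0", FULL),
})
POLICIES = [WIKI, PROD_DB]

# --- Constructed sample postures (what a client might report) ---------------
MANAGED_DESKTOP = Posture("windows", "10.0.19045", antivirus=True, firewall=True,
                          disk_encrypted=True, screen_lock=True)
STALE_DESKTOP = Posture("windows", "10.0.18363", antivirus=True, firewall=True,
                        disk_encrypted=True, screen_lock=True)
PHONE = Posture("android", "13", screen_lock=True, biometrics=True)

if __name__ == "__main__":
    for dev in (MANAGED_DESKTOP, STALE_DESKTOP, PHONE):
        print(dev.platform, dev.os_version, "->", accessible(POLICIES, dev))
    print(evaluate(PROD_DB, STALE_DESKTOP))
```

The administrator example from the text falls out directly: the fully compliant managed desktop reaches both resources, the same person's phone reaches only the wiki, and a desktop whose OS build is below the minimum loses the production database until it is patched, with the reason recorded so the user can fix it.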

You can find documents describing our device posture features in more detail on the Twingate support site.

Towards more granular device posture policies

In May, we described our device posture development roadmap, where we are and where we’re heading. Our Business and Enterprise customers now have access to the baseline capabilities we just discussed. Your admins can enforce native device posture checks by defining access policies for each resource.

Throughout the year, we will roll out enhanced device security features that include integrations with common EDR and MDM solutions as well as support for device certificates.

Enhance Zero Trust Network Access with Twingate Device Security

As network perimeters have faded away, so have definitions of devices, users, and resources. Devices became a particular source of frustration and security risk. BYOD policies and a changing workforce limit administrators’ control over what accesses protected resources. Technologies such as EDR and MDM address some of these challenges. At the same time, they create a fragmented architecture that is more difficult to manage.

With the move towards Zero Trust Network Access, device posture becomes even more important. ZTNA’s principle of least privilege requires more than identity verification. The device itself provides context that must affect users’ access to resources.

Twingate's Zero Trust solution is ideally positioned to unify device posture checks within a single, easily-managed system. Our Client software collects device posture information and enforces access policies during the authorization process. As a result, a device that fails its posture checks never gains access to a protected resource.

Whether using our native capabilities or integrating Twingate with your current MDM system, Twingate Device Security gives you a straightforward way to create and enforce granular least-privilege-access policies on every user device.

Contact Twingate to learn more about using device posture checks in the Zero Trust context.
