A Higher Maturity Level for Your Zero Trust Strategy

All hell is breaking loose outside. Almost daily, there are reports by authorities, companies and institutions about having been targeted by a cyberattack, sometimes with drastic consequences for business operations.

External regulations and standards, such as IT-Grundschutz, DORA, ISO/IEC 27001, TISAX® or HIPAA, as well as internal company requirements for IT security, try to keep the proverbial devil at bay by creating more secure digital workspaces.

Zero Trust as a New Security Paradigm

For some time now, the concept of Zero Trust has sat like a protective shield over these IT security requirements.

Introduced by cyber security expert John Kindervag in 2010, the term “zero trust” currently encompasses a “collection of concepts designed to minimize uncertainty in enforcing accurate, least privilege per-request decisions […] in information systems and services”.1, page 1.

Basically, it is all about adhering to the premise “Never Trust, Always Verify”: Unlike legacy perimeter-based security, “Zero Trust assumes that the system will be breached and designs security as if there is no perimeter.”2

“Zero Trust ensures verification and authorization for every device, every application and every user gaining access to every resource. This is a complete departure from the old model, where implicit trust was the norm and networks were protected by firewalls, VPNs and web gateways.”3

Zero Trust Maturity Model (ZTMM)

In August 2021, the American Cybersecurity and Infrastructure Security Agency (CISA) published its Zero Trust Maturity Model as a guide to the step-by-step implementation of a Zero Trust Architecture (ZTA). Its second version has been in force since April 2023 and can be understood as “one of many paths to support the transition to zero trust.”4, page 7

“The ZTMM represents a gradient of implementation across five distinct pillars, in which minor advancements can be made over time toward optimization. The pillars, depicted in Figure 1, include Identity, Devices, Networks, Applications and Workloads, and Data. Each pillar includes general details regarding the following cross-cutting capabilities: Visibility and Analytics, Automation and Orchestration, and Governance.”5, page 6

The Path to More Zero Trust with deviceTRUST

With its continuous validation and control process, deviceTRUST makes an important contribution to the implementation of a Zero Trust strategy in the following areas: identity & devices, applications & workloads, as well as cross-cutting capabilities (visibility & analytics, automation & orchestration, and governance). Thus, deviceTRUST helps to achieve a higher level of maturity with regard to Zero Trust.

The Context as a Factor

deviceTRUST’s context properties are at the heart of it all. By determining and providing this technical metadata, deviceTRUST extends conventional MFA methods, creating a digital fingerprint for access control. In this way, a transparent security layer can be used to ensure that access is only granted if the context meets the relevant security and compliance requirements.

Two points in particular are worth mentioning in this context:

On the one hand, there is the wealth of information that deviceTRUST can determine and use. deviceTRUST itself offers a variety of context properties and is also able to integrate external information into the product via APIs. In this way, a “compliance check” can be adapted precisely to individual requirements and is therefore extremely difficult for attackers to evade.

On the other hand, there is the fact that deviceTRUST determines all context information throughout the session runtime, and not only during a login or reconnection process. Thus, the continuous validation and control of deviceTRUST fulfills the Zero Trust premise “Never Trust, Always Verify” in an exemplary manner.

Conditional Workspace Access & Conditional Application Access

By means of this digital, context-based fingerprint of users and devices, access to digital workspaces, applications and resources can be made more secure.

According to the ZTMM classification, deviceTRUST allows customers to be guided into the Advanced stage on their Zero Trust journey: “[…] automates application access decisions with expanded contextual information and enforced expiration conditions that adhere to least privilege principles.”6, page 23

Instead of merely pointing out to employees that they are not allowed to use a certain application because the context does not comply with the regulatory requirements, deviceTRUST can be used to technically prevent the employee from using the application, for example if users change their Wi-Fi connection during a session.

It should be emphasized at this point that deviceTRUST does not bring any unnecessary complexity into the equation but uses technologies for access control that are already in use by the customer.
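The difference between a compliance check that runs only at logon and one that runs throughout the session runtime, as an added illustration that is not deviceTRUST's own code or API: a session is modelled as a sequence of context snapshots, a small rule set is evaluated against each snapshot, and access to the protected application is revoked as soon as a snapshot fails a rule (here, a switch to an untrusted Wi-Fi network) and restored when the context is compliant again. The context property names (`ssid`, `network_type`, `disk_encrypted`), the application name `erp-client`, the trusted SSID and the session snapshots are all constructed for the example.

```python
"""Continuous context evaluation for conditional application access.

Constructed example, not deviceTRUST code. Property names, the rule set
and the session snapshots are assumptions chosen to show the mechanism.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

Context = Dict[str, object]


@dataclass(frozen=True)
class AccessRule:
    name: str
    applies_to: str                   # application the rule protects
    check: Callable[[Context], bool]  # True when the context is compliant


@dataclass(frozen=True)
class Decision:
    step: int
    app: str
    allowed: bool
    reason: str


TRUSTED_SSIDS = {"corp-wifi"}  # constructed sample value


def network_is_trusted(ctx: Context) -> bool:
    """Wired connections or a known corporate SSID count as trusted."""
    return ctx.get("network_type") == "wired" or ctx.get("ssid") in TRUSTED_SSIDS


def disk_is_encrypted(ctx: Context) -> bool:
    return bool(ctx.get("disk_encrypted"))


RULES: List[AccessRule] = [
    AccessRule("trusted-network", "erp-client", network_is_trusted),
    AccessRule("encrypted-device", "erp-client", disk_is_encrypted),
]


def evaluate(app: str, ctx: Context, step: int) -> Decision:
    """Deny on the first failing rule; allow only if every rule passes."""
    for rule in RULES:
        if rule.applies_to == app and not rule.check(ctx):
            return Decision(step, app, False, f"rule '{rule.name}' failed")
    return Decision(step, app, True, "all rules satisfied")


def login_only_policy(app: str, snapshots: List[Context]) -> List[Decision]:
    """Legacy behaviour: the logon-time decision is kept for the whole session."""
    first = evaluate(app, snapshots[0], 0)
    return [Decision(i, app, first.allowed, first.reason + " (logon only)")
            for i in range(len(snapshots))]


def continuous_policy(app: str, snapshots: List[Context]) -> List[Decision]:
    """Never Trust, Always Verify: re-evaluate on every context snapshot."""
    return [evaluate(app, ctx, i) for i, ctx in enumerate(snapshots)]


def revocation_steps(decisions: List[Decision]) -> List[int]:
    """Steps at which access flipped from allowed to denied mid-session."""
    return [d.step for prev, d in zip(decisions, decisions[1:])
            if prev.allowed and not d.allowed]


# Constructed session: compliant at logon, user hops to a cafe hotspot,
# then returns to the corporate network.
SESSION: List[Context] = [
    {"ssid": "corp-wifi", "network_type": "wifi", "disk_encrypted": True},
    {"ssid": "cafe-hotspot", "network_type": "wifi", "disk_encrypted": True},
    {"ssid": "corp-wifi", "network_type": "wifi", "disk_encrypted": True},
]

if __name__ == "__main__":
    for label, policy in (("logon-only", login_only_policy),
                          ("continuous", continuous_policy)):
        decisions = policy("erp-client", SESSION)
        print(f"{label}: {[d.allowed for d in decisions]} "
              f"revoked at steps {revocation_steps(decisions)}")
```

With the logon-only policy the hotspot snapshot goes unnoticed and the application stays usable for the entire session; the continuous policy denies it at step 1 and grants it again at step 2 once the context is compliant. In a real deployment the snapshots would come from the agent's context properties rather than a hard-coded list, and the denial would be enforced by the access-control technology already in place.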

Conditional Configuration & Cross-Cutting Capabilities

The architecture of deviceTRUST’s software allows data to be imported into the product via APIs, as well as the sending of the context properties to external systems.

With this possibility of delivering data to existing logging environments, deviceTRUST supports you in the area of “Visibility and Analytics” to reach the optimal status with regard to Zero Trust maturity: “[…] maintains comprehensive visibility enterprise-wide via centralized dynamic monitoring and advanced analysis of logs and events.”7, page 29

In the “Automation and Orchestration” area, deviceTRUST also helps companies to get into the “Advanced” area: “[…] automates orchestration and response activities enterprise-wide, leveraging contextual information from multiple sources to inform decisions.”8, page 29

The maturity level in the area of “Governance” corresponds to the advanced or optimal level:

– Advanced: “[…] implements tiered, tailored policies enterprisewide and leverages automation where possible to support enforcement. Access policy decisions incorporate contextual information from multiple sources.”
– Optimal: “[…] implements and fully automates enterprise-wide policies that enable tailored local controls with continuous enforcement and dynamic updates.”9, page 29

Zero Trust Also for Legacy Systems

As legacy authentication protocols, tools, applications, and other resources are often difficult to integrate into a Zero Trust system, there is a drive to accelerate the replacement of legacy systems.10

However, this movement fails to recognize that not all companies and institutions are allowed or want to obtain all their applications and resources from the cloud. In other words: legacy systems will continue to exist in certain industries or in certain scenarios. Examples of this are locally installed Win32 applications or custom programmed software that cannot be easily consumed from the cloud.

deviceTRUST’s “Contextual Security” follows the customer’s requirements and is suitable for local, remote and SaaS scenarios. Companies and institutions that choose a hybrid approach can also apply Zero Trust principles to their non-cloud-based services thanks to deviceTRUST.

Define your Requirements – deviceTRUST Does the Rest.

The pivotal point of a Zero Trust strategy is the question of whether there are internal or external requirements whose compliance helps increase security.

If you can put your reality into words and know what you want, deviceTRUST can help you to get to the top of your Zero Trust journey.

The following link will take you to some success stories of companies that have successfully used deviceTRUST to reach a higher Zero Trust maturity level:

About the Author:

Marc Stieber

Sales Manager EMEA

Sales Manager EMEA with many years of experience in the IT industry. His passion for marketing and yoga inspires him to find innovative solutions in his work to support and delight customers.