With the features of a trustworthy device in mind, now you can dive into how companies can actually verify devices from the point of initial connection to the establishment of trust.
1. Initial Device Connections
The verification process begins when a device connects to the network or the service. This connection is often the first interaction between the device and the authentication system. You can protect apps by only allowing logins from trusted devices.
During the connection process, the access management engine checks the device for red flags, such as outdated software. You can also create different verification rules for company-managed devices versus non-managed devices. For BYOD, a more stringent set of security policies can be applied.
2. Device Identification
The next step is to assign a specific identity to the device in order to properly verify it in the future. Devices are uniquely identified through various attributes, such as:
- Device name: Users can create a unique device name within their system settings to help the verification process.
- Digital certificate: Your company can issue an internal device certificate in order to verify it in the future.
3. Identity Authentication
- Digital certificates
- Usernames and passwords
- Multi-factor-authentication
- Biometric authentication
- Token-based authentication
4. Device Profiling
Device profiling is the process of collecting information about the device, including its operating system, hardware specifications, and software versions. Profiling helps in assessing the device's characteristics to make sure it can safely access the company network or platforms.
There are several ways to profile devices, including using a built-in program, a web app, a mobile app, or a native app.
5. Compliance Verification
In this step, the device is checked for compliance with internal security policies and configurations. A set of centrally-enforced policy decisions can determine who can access what based on identity attributes, roles, and device profile. Any deviations from the defined standards may trigger additional security measures. For instance, you could enact a policy that allows SFDC access via a work-issued device but not a BYOD device.
In addition to verifying compliance during the initial login, you can also incorporate a timer to verify those standards again during a session. So if the user is logged on for an extended period of time, you can verify again even if they haven't exited or logged out. If non-compliance occurs, you can set different actions based on the issue, such as sending an alert, removing a managed app, or wiping the device.
6. Security Posture Assessment
The security posture of the device should also be assessed to ensure it adheres to current best practices. This evaluation covers factors like firewalls, disk encryption, antivirus software, public file sharing, and system updates.
Keeping each of these areas secure helps protect against data leaks, ransomware, phishing, and other vulnerabilities. It reviews the device's operating system and identifies when a breach may have occurred. Security posture assessments are especially beneficial when you have employees who work from personal devices.
7. Continuous Monitoring
Device trust is not a one-time event but an ongoing process. Continuous monitoring is essential to identify any changes in the device's status or behavior. The first check occurs during the initial login process.
After that, you can set the verification process at specific time intervals. At a minimum, check devices at least once every 24 hours. For the strictest verification process, you can increase the timing as frequently as every two hours or even every few minutes.
8. Trust Establishment
Once the device has successfully passed through all the previous steps and met the defined criteria, trust is established. That means the device is known to the organization and hasn't been compromised with any malicious software. Additionally, the user is identified as an authorized individual based on customized policies.
Once all of these conditions are met (along with any others set by the company), the device is considered trustworthy and is granted access to the network or service.
9. Access Control
With trust established, the device can now access the resources and data it was intended for. The company can set allowed and blocked areas for specific sets of individuals using access control mechanisms to ensure that the device only reaches authorized areas. This feature can be utilized with Ping Identity's adaptive access control, part of our authorization offering.
