TL;DR: The NSA’s Zero Trust “Devices Pillar” Cybersecurity Information Sheet

Mack Wartenberger
Security Architect

The National Security Agency (NSA) has released a series of cybersecurity information sheets (CSIs) that offer prescriptive guidance for how agencies can pilot DoD-defined zero trust systems and integrate zero trust guidance into their enterprise strategy, design, and operations. These documents are dense and granular, so we are going to summarize the key points into a “TL;DR” to help you orient yourself around this guidance. Today, we are focusing on the “Advancing Zero Trust Maturity Throughout the Devices Pillar” CSI.

Every system and every user relies on devices in some way, shape, or form. Effectively managing the security of those devices can add efficiency to a system. That said, device implementation must be handled carefully to avoid solutions that introduce too much complexity and are not agile enough to evolve over time. You will maximize security by adhering to core ZT principles like “never trust, always verify.” The NSA approach to securing devices focuses on identification, authentication, real-time inspection, and management. 

What is the Devices Pillar?

The device pillar in the DoD Zero Trust Strategy is foundational to ensuring that all devices in an environment are secure before being granted access to resources. What do we mean by secure you ask? 

According to the DoD Zero Trust Reference Architecture, securing the devices pillar means we can “identify, authenticate, inventory, authorize, isolate, secure, remediate, and control” all devices that are attempting to access our data, applications, assets, and services (DAAS). This integrated approach ensures that only compliant devices are permitted access, while non-compliant devices are either denied access or granted limited access based on a dynamic risk assessment. By adhering to a ZT approach to device management, we never assume devices within our system are secure or trusted. We know bad guys can hide in our hardware and firmware, so we “assume breach” and design a comprehensive approach to device interaction that minimizes the potential impact of a compromised device. Ensuring the required degree of access and visibility into all the devices in and around your system can be a daunting task and requires careful planning.

Use Caution When Pulling the Thread: Devices Throughout the ZT Pillars

When it comes to ZT device management, it’s crucial to recognize that the device pillar doesn't operate in isolation. Each capability within this pillar is deeply intertwined with other pillars of the DoD ZT Maturity Model, making purposeful planning essential. For instance, identity and authentication processes are anchored in the user pillar, ensuring that devices hosting users are properly authenticated and authorized based on specific attributes. This interaction extends to the network and environment, data, and visibility and analytics pillars, where device connection protocols, dynamic access decisions, and remote access authentication are meticulously governed.

Moreover, tools like endpoint detection and response (EDR) and extended detection and response (XDR) don’t just function within the device pillar; they integrate seamlessly with the visibility and analytics, and automation and orchestration pillars. These tools enable system administrators to continuously monitor device behavior, detect threats, and make informed, real-time adjustments to security policies, all good things. This interconnectedness also means that misconfigurations and inefficiencies in one area can have profound impacts on the overall security posture. The interconnectedness of these pillars underscores the need for deliberate, well-coordinated device management strategies. Without this level of integration, efforts in one area could unravel the security fabric woven throughout the entire ZT architecture.

Key Areas to Implement Zero Trust

Device Inventory

  • Overview: A comprehensive, real-time inventory of all devices is the cornerstone of any robust zero trust strategy. A well-managed inventory ensures that only authorized devices are granted access to your network, supporting a critical "deny-by-default" policy that minimizes risk. Maintaining this inventory requires more than just tracking devices — it demands robust policies governing the entire lifecycle of device management. This includes strict criteria for procurement, ensuring devices meet security requirements like trusted platform module (TPM) certificates, encryption (where applicable), and proper firmware configurations. Additionally, acceptance testing (using guidelines like NIST SP 800-161) should be used to audit supply chain integrity, with tools like software bill of materials (SBOM) and TPM platform certificates providing a secure chain of custody. Proper deprovisioning procedures must also be in place to securely erase sensitive data and reset devices before they are retired, ensuring they don’t become a security liability.

  • Getting There: Begin by establishing a manual inventory, but recognize that this is only a starting point. To achieve a true sense of your posture, advance to an automated, real-time inventory system. Enforce strict policies for adding or removing devices, ensuring that every device is registered and authenticated with a unique identifier. This level of rigor is essential to prevent unauthorized devices from slipping through the cracks.

  • Takeaway: A dynamic and continuously updated device inventory is not just beneficial—it’s essential for establishing and maintaining trust in your network. Without it, you risk exposing your organization to unnecessary vulnerabilities.

Device Detection and Compliance

  • Overview: Detecting all devices that connect to your network and ensuring they meet compliance standards is critical for maintaining security. Continuous monitoring for compliance with organizational policies is necessary to protect against evolving threats. The NSA’s example is encryption settings for device communications: obsolete encryption presents an open door for attackers to hijack communications, so in a robust system, policies would require strong encryption for device communication. Only devices that meet those standards (i.e., compliant devices) would be allowed to access the system. That compliance should be monitored continuously, and the policies that determine compliance should be re-evaluated periodically at minimum, to ensure they remain robust.

  • Getting There: Implement asset management systems to rigorously track compliance and log any violations. As your organization matures, integrate real-time compliance checks and automated remediation for non-compliant devices. These steps are vital because even a single non-compliant device can pose significant risks to your network. As your system and security approach matures, introduce more compliance criteria to ensure that device risk posture, function, and behavior factors into access decisions.

  • Takeaway: Non-compliant devices represent a serious threat. Regular compliance checks and real-time monitoring are crucial for mitigating these risks and maintaining a secure environment.

Device Authorization with Real-Time Inspection

  • Overview: In a Zero Trust environment, relying on outdated information for access decisions can lead to security gaps. Continuous, real-time inspection and reauthorization of devices are necessary to ensure that only trustworthy devices are granted access. Access decisions should always be based on the most current and accurate information available. Security teams must consider not only ideal compliant states (the target state for a given device) but also its current state and history as well to get the full picture for overall security health and risk posture.

  • Getting There: Start by assigning unique identifiers to every device and implementing basic risk assessment tools. As you progress, integrate advanced security tools and establish continuous monitoring to inform real-time authorization decisions. This approach ensures that trust is not static but is constantly reassessed based on up-to-date data.

  • Takeaway: Trust in devices should be dynamic and subject to continuous re-evaluation. Using real-time data for access decisions is essential for maintaining a secure Zero Trust environment.
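The three practices above (an inventory that drives deny-by-default, compliance checks against policy, and authorization on current rather than stale data, with device history allowed to downgrade the result to limited access) are easiest to see strung together in code. The following is an added example written for this summary, not code from the NSA CSI or from Aquia; the policy values, device identifiers and posture fields are all constructed, and the TLS, encryption, firmware and EDR checks stand in for whatever your own baseline defines.

```python
# Added example (not from the NSA CSI or this post): a small posture-based
# access decision engine. Device IDs, policy thresholds and posture fields
# are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"
    LIMITED = "limited"
    DENY = "deny"


@dataclass
class PostureReport:
    """Snapshot sent by the device's management agent (constructed fields)."""
    device_id: str          # unique identifier assigned at enrollment
    reported_at: datetime   # when the agent collected this snapshot
    tls_min_version: str    # lowest TLS version the device will negotiate
    disk_encrypted: bool
    firmware_version: str   # dotted version string, e.g. "2.4.1"
    edr_agent_running: bool


@dataclass
class InventoryRecord:
    device_id: str
    owner: str
    recent_failures: int = 0  # history: compliance failures in the lookback window


# Assumed organizational policy; real thresholds come from your own baseline.
POLICY = {
    "allowed_tls_versions": {"1.2", "1.3"},   # anything older is obsolete
    "min_firmware": (2, 4, 0),
    "max_report_age": timedelta(minutes=5),   # older posture data is not "real-time"
    "max_failures_for_full_access": 2,
}


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def compliance_violations(report: PostureReport, policy=POLICY) -> List[str]:
    """Return every policy violation in the posture report (empty if compliant)."""
    violations = []
    if report.tls_min_version not in policy["allowed_tls_versions"]:
        violations.append(f"obsolete TLS minimum {report.tls_min_version}")
    if not report.disk_encrypted:
        violations.append("disk not encrypted")
    if parse_version(report.firmware_version) < policy["min_firmware"]:
        violations.append(f"firmware {report.firmware_version} below baseline")
    if not report.edr_agent_running:
        violations.append("EDR agent not running")
    return violations


def authorize(report: PostureReport, inventory: Dict[str, InventoryRecord],
              now: datetime, policy=POLICY) -> Tuple[Decision, List[str]]:
    """Decide access from inventory membership, current posture and device history."""
    record = inventory.get(report.device_id)
    if record is None:                      # deny by default: unknown device
        return Decision.DENY, ["device not in inventory"]
    age = now - report.reported_at
    if age > policy["max_report_age"]:      # never decide on stale data
        return Decision.DENY, [f"posture report is {age} old"]
    violations = compliance_violations(report, policy)
    if violations:
        record.recent_failures += 1         # today's failure becomes tomorrow's history
        return Decision.DENY, violations
    if record.recent_failures > policy["max_failures_for_full_access"]:
        return Decision.LIMITED, [f"{record.recent_failures} recent compliance failures"]
    return Decision.ALLOW, []


def demo() -> Dict[str, str]:
    """Run constructed scenarios and return the decision name for each."""
    now = datetime(2024, 9, 1, 12, 0, tzinfo=timezone.utc)
    inventory = {
        "lt-0042": InventoryRecord("lt-0042", "analyst-a"),
        "lt-0077": InventoryRecord("lt-0077", "analyst-b", recent_failures=3),
    }

    def report(device_id, age=timedelta(minutes=1), tls="1.2", enc=True,
               fw="2.4.1", edr=True):
        return PostureReport(device_id, now - age, tls, enc, fw, edr)

    scenarios = {
        "unknown_device": report("lt-9999"),
        "stale_report": report("lt-0042", age=timedelta(minutes=30)),
        "obsolete_tls": report("lt-0042", tls="1.0"),
        "history_limits_access": report("lt-0077"),
        "compliant": report("lt-0042"),
    }
    return {name: authorize(r, inventory, now)[0].value for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} -> {decision}")
```

The ordering of the checks is the point: inventory membership is tested before anything else, the age of the posture report is tested before its contents, and a clean report still does not earn full access when the device's recent history says otherwise.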

Remote Access Protection

  • Overview: Since 2020, the world has shifted to remote access. Great for my commute, but a challenge for device security. Remote work environments bring increased security challenges (like traffic monitoring and modification), making stringent controls essential. Devices accessing the network remotely must undergo continuous authentication and monitoring, with strict policies governing their access to ensure that remote connections do not introduce vulnerabilities. Device attributes become increasingly important with remote access, ensuring that those devices have least-privilege access to critical and sensitive information.

  • Getting There: Establish dynamic access policies that include implicit denials and explicit approvals for remote devices. Ensure that compliance tracking for these devices is thorough, and automate remediation processes to quickly address any issues. Given the inherent risks of remote access, additional scrutiny and protection measures are necessary.

  • Takeaway: Remote access poses higher security risks, and robust protection measures are needed to mitigate these risks. Implementing strict access and monitoring policies that consider device attributes and context-awareness for access requests is crucial for maintaining network security in remote work environments.

Automated Vulnerability and Patch Management

  • Overview: Patch and update management is a thorn in everyone’s side, but at the end of the day, outdated systems are more vulnerable, and those vulnerabilities are potential access points for attackers. How do we manage the toil of updating and testing patches? We automate it. Managing device vulnerabilities and patches in an automated fashion is crucial for reducing the risk of attacks that exploit known weaknesses. Regular updates and patches are a fundamental requirement in a ZT environment to ensure that all devices remain secure.

IMPORTANT NOTE: What we all learned on July 19th, 2024, is that it is crucial to test patches and updates to ensure they don’t introduce unexpected and undesirable outcomes. In the case of the aforementioned CrowdStrike update, the unexpected outcome was total meltdown for customer Windows endpoints and Azure cloud. Untested updates can also result in inefficiencies and vulnerabilities that manifest themselves in more subtle ways that must still be managed. Organizations must be aware that firmware patches, especially those below the software layer, often require attention beyond standard OS updates. These patches can come from system vendors for fixed components like CPU microcode or from individual component manufacturers, such as SSD firmware updates, making thorough testing essential to avoid inefficiencies and vulnerabilities. Either way, testing patches is critical.

  • Getting There: Start with manual patch management if necessary, but aim to quickly transition to automated systems that can test and deploy patches efficiently. It’s important to ensure that all devices, including firmware, are regularly updated (after testing!) to minimize vulnerabilities.

  • Takeaway: Keeping devices up to date is vital for maintaining security. Automating patch management processes is essential to ensure that vulnerabilities are addressed promptly and effectively.
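One concrete shape that “test, then deploy” takes in an automated pipeline is a ring-based rollout with a health gate between rings: the patch reaches a small lab ring, then a canary ring, then the broad fleet, and each promotion depends on the previous ring coming back healthy. The following is an added example written for this summary, not code from the NSA CSI, from Aquia or from any UEM vendor; ring names, the threshold, device identifiers and the simulated post-patch health results are constructed, and `apply_patch` and `health_check` stand in for the real agent actions and telemetry queries.

```python
# Added example (not from the NSA CSI or this post): ring-based patch rollout
# with a health gate. Rings, threshold and device health outcomes are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RINGS = ["lab", "canary", "broad"]  # assumed ring order: smallest blast radius first
HEALTH_THRESHOLD = 0.98              # assumed: share of healthy devices required to promote


@dataclass
class Device:
    device_id: str
    ring: str
    # Constructed stand-in for real telemetry: patch_id -> did the device stay healthy?
    health_after: Dict[str, bool] = field(default_factory=dict)
    applied: List[str] = field(default_factory=list)  # patches actually installed


@dataclass
class RolloutReport:
    patch_id: str
    promoted: List[str] = field(default_factory=list)   # rings fully patched
    halted_at: Optional[str] = None                     # ring where the gate failed
    unhealthy: List[str] = field(default_factory=list)  # devices that failed the check
    rollback: List[str] = field(default_factory=list)   # devices queued for revert


def apply_patch(device: Device, patch_id: str) -> None:
    """Stand-in for the UEM/agent action that installs the patch."""
    device.applied.append(patch_id)


def health_check(device: Device, patch_id: str) -> bool:
    """Stand-in for post-patch verification (boot OK, agents reporting, services up)."""
    return device.health_after.get(patch_id, True)


def rollout(patch_id: str, fleet: List[Device], rings: List[str] = RINGS,
            threshold: float = HEALTH_THRESHOLD) -> RolloutReport:
    """Patch ring by ring; promote only when the current ring passes the health gate."""
    report = RolloutReport(patch_id)
    for ring in rings:
        members = [d for d in fleet if d.ring == ring]
        if not members:
            continue
        for d in members:
            apply_patch(d, patch_id)
        failed = [d.device_id for d in members if not health_check(d, patch_id)]
        healthy_ratio = 1 - len(failed) / len(members)
        if healthy_ratio < threshold:
            report.halted_at = ring
            report.unhealthy = failed
            # Revert the whole ring, not only the visibly broken devices, and stop:
            # later rings never receive the patch.
            report.rollback = [d.device_id for d in members]
            return report
        report.promoted.append(ring)
    return report


def build_fleet() -> List[Device]:
    """Constructed fleet: 2 lab, 5 canary, 20 broad devices. One canary device is
    simulated to fail after the constructed patch 'fw-bad-example'."""
    fleet = [Device(f"lab-{i}", "lab") for i in range(2)]
    fleet += [Device(f"canary-{i}", "canary") for i in range(5)]
    fleet += [Device(f"broad-{i}", "broad") for i in range(20)]
    fleet[3].health_after["fw-bad-example"] = False  # canary-1 does not come back healthy
    return fleet


def demo() -> Dict[str, RolloutReport]:
    """Roll out a good and a bad constructed patch against fresh fleets."""
    return {pid: rollout(pid, build_fleet()) for pid in ("fw-good-example", "fw-bad-example")}


if __name__ == "__main__":
    for pid, rep in demo().items():
        print(pid, "promoted:", rep.promoted, "halted at:", rep.halted_at,
              "rollback:", len(rep.rollback))
```

A single unhealthy canary out of five is enough to stop the bad patch at the canary ring, so the twenty broad-ring devices never install it; the same logic applies whether the payload is an OS update, a sensor content update or vendor firmware.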

Centralized Device Management

  • Overview: We’ve talked about all the ways we need to secure our on-prem and remote devices, and it’s an extensive list of ‘to-dos’. We can ease the toil on our security teams by centralizing those efforts using tooling, namely unified endpoint management (UEM) solutions for traditional IT devices and mobile device management (MDM) solutions for mobile devices. Centralized management tools are critical for securely managing, monitoring, and deploying resources across all devices from a single console. These tools enable consistent security configurations and compliance enforcement, which are essential for maintaining control over your organization’s security posture. They also offer security teams a unified view of the system, allowing them to leverage advanced tooling (AI/ML) and automations to enhance detections, efficiency, and compliance.

  • Getting There: Implement centralized solutions for managing device compliance and integrate them with inventory management systems. As your organization matures, aim to centralize all aspects of device management to ensure consistent enforcement of security policies and to streamline management processes.

  • Takeaway: Centralized device management is key to maintaining control over device security and compliance across your organization. It provides the consistency and oversight needed to monitor and enforce security policies effectively.

Endpoint Threat Detection and Response

  • Overview: Taking the tooling conversation a step further is endpoint detection and response (EDR) tooling. EDR capabilities are a critical component of a Zero Trust framework, as they provide continuous monitoring of and response to malicious activity in real time. This ensures that devices remain secure against evolving threats. We must assume that devices are compromised, and EDR tooling allows us to respond to those compromises more quickly. With centralized device management established, EDR can feed security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities, allowing security teams to leverage these critical parts of the automation and orchestration pillar.

  • Getting There: Begin with basic antimalware solutions and manual remediation, but plan to integrate more advanced EDR/XDR solutions as your organization matures. These tools should correlate data across devices and automate threat detection and response to provide a comprehensive security posture. Look to integrate these tools into your SIEM and SOAR systems as early as possible, or use them to create those capabilities if none exist.

  • Takeaway: EDR/XDR tools are essential for real-time threat detection and response, forming a cornerstone of device security in a ZT environment. Integrating these tools across your network is crucial for maintaining a strong defense against threats.
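What “EDR feeds the SIEM and SOAR” looks like in practice is a correlation rule that joins endpoint telemetry with another source. The rule below flags a managed device that keeps authenticating to the network after its EDR heartbeat has gone silent, treats a detection immediately followed by silence as more severe, and names the SOAR action a playbook would take. This is an added example written for this summary, not code from the NSA CSI, from Aquia or from any EDR or SIEM product; the JSON-lines event format, the device identifiers, the timestamps and the heartbeat grace period are constructed.

```python
# Added example (not from the NSA CSI or this post): a SIEM-style correlation
# of constructed EDR heartbeats with constructed network access events.
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

HEARTBEAT_GRACE = timedelta(minutes=10)  # assumed: agent heartbeat interval plus slack

# Constructed telemetry in JSON-lines form, as a SIEM would ingest it. "edr" events
# come from the endpoint agent; "nac" events come from network access control.
SAMPLE_EVENTS = """
{"ts": "2024-09-01T12:00:00Z", "src": "edr", "event": "heartbeat", "device_id": "lt-0042"}
{"ts": "2024-09-01T12:00:00Z", "src": "edr", "event": "heartbeat", "device_id": "lt-0077"}
{"ts": "2024-09-01T12:03:00Z", "src": "edr", "event": "driver_load_blocked", "device_id": "lt-0077", "detail": "unsigned kernel driver"}
{"ts": "2024-09-01T12:05:00Z", "src": "edr", "event": "heartbeat", "device_id": "lt-0042"}
{"ts": "2024-09-01T12:15:00Z", "src": "edr", "event": "heartbeat", "device_id": "lt-0042"}
{"ts": "2024-09-01T12:18:00Z", "src": "nac", "event": "auth_success", "device_id": "lt-0077"}
{"ts": "2024-09-01T12:19:00Z", "src": "nac", "event": "auth_success", "device_id": "lt-0042"}
{"ts": "2024-09-01T12:20:00Z", "src": "nac", "event": "auth_success", "device_id": "lt-0099"}
"""


def load_events(text: str) -> List[Dict]:
    """Parse JSON lines and return the events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Dict], grace: timedelta = HEARTBEAT_GRACE) -> List[Dict]:
    """Flag devices that gain network access while their EDR sensor is silent."""
    last_heartbeat: Dict[str, datetime] = {}
    last_detection: Dict[str, Dict] = {}
    alerts: List[Dict] = []
    for ev in events:
        dev = ev["device_id"]
        if ev["src"] == "edr":
            if ev["event"] == "heartbeat":
                last_heartbeat[dev] = ev["ts"]
            else:
                last_detection[dev] = ev   # any non-heartbeat EDR event counts as a detection
            continue
        if ev["src"] != "nac" or ev["event"] != "auth_success":
            continue
        hb = last_heartbeat.get(dev)
        if hb is None:
            alerts.append({"device_id": dev, "ts": ev["ts"].isoformat(), "severity": "high",
                           "reason": "network access with no EDR heartbeat on record",
                           "soar_action": "quarantine_and_verify_enrollment"})
        elif ev["ts"] - hb > grace:
            det = last_detection.get(dev)
            # A detection followed by silence is worse than silence alone: the sensor
            # may have stopped right after it interfered with something.
            detection_then_silence = det is not None and det["ts"] >= hb
            reason = f"EDR heartbeat silent for {ev['ts'] - hb}"
            if detection_then_silence:
                reason += f" after '{det['event']}' ({det.get('detail', '')})"
            alerts.append({"device_id": dev, "ts": ev["ts"].isoformat(),
                           "severity": "high" if detection_then_silence else "medium",
                           "reason": reason,
                           "soar_action": "isolate_host" if detection_then_silence else "recheck_posture"})
    return alerts


def demo() -> List[Dict]:
    """Run the rule over the constructed sample and return the alerts."""
    return correlate(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in demo():
        print(f"[{a['severity']}] {a['device_id']}: {a['reason']} -> {a['soar_action']}")
```

On the sample, lt-0042 heartbeats regularly and produces nothing; lt-0077 blocks a driver load, goes quiet, and then authenticates, which yields the high-severity isolate action; lt-0099 authenticates with no sensor on record at all, which is the inventory-and-EDR gap a central management console should have closed before the device ever reached the network.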

Leading the Zero Trust Charge with Device Security

For organizations looking to mature their zero trust posture, focusing on the device pillar is a must. Securing your devices is a big lift, but it’s a foundational one for advancing your zero trust journey and building a more robust security capability. By following the NSA’s guidance, you can ensure that your devices are securely managed, continuously monitored, and properly authenticated. As a quick recap, here’s how we can address device security in a zero trust fashion:

  1. Start by building a comprehensive device inventory

  2. Enforce compliance and real-time authorization

  3. Secure remote access

  4. Automate vulnerability management

  5. Centralize device management and monitoring

  6. Deploy robust endpoint detection and response systems

Yes, this is a long process, but even incremental progress can enable organizations to build iteratively on their device security, and there are some great resources and tools out there that can make this process less painful for your teams. Ultimately, the longer you wait to address your device security, the more complicated your system becomes, and the harder it gets to start.

Need help with zero trust implementation? We’re here to support your journey toward a secure, resilient enterprise. Reach out to learn how we can assist you in advancing your ZT maturity.


Aquia

Securing The Digital Transformation ®

Aquia is a cloud and cybersecurity digital services firm and “2024 Service-Disabled, Veteran-Owned Small Business (SDVOSB) of the Year” awardee. We empower mission owners in the U.S. government and public sector to achieve secure, efficient, and compliant digital transformation.

As strategic advisors and engineers, we help our customers develop and deploy innovative cloud and cybersecurity technologies quickly, adopt and implement digital transformation initiatives effectively, and navigate complex regulatory landscapes expertly. We provide multi-cloud engineering and advisory expertise for secure software delivery; security automation; SaaS security; cloud-native architecture; and governance, risk, and compliance (GRC) innovation.

Founded in 2021 by United States veterans, we are passionate about making our country digitally capable and secure, and driving transformational change across the public and private sectors. Aquia is an Amazon Web Services (AWS) Advanced Tier partner and member of the Google Cloud Partner Advantage Program.
