Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.
Identification and authentication of system components and component configurations can be determined, for example, via a cryptographic hash of the component. This is also known as device attestation and known operating state or trust profile. A trust profile based on factors such as the user, authentication method, device type, and physical location is used to make dynamic decisions on authorizations to data of varying types. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt the identification and authentication of other devices.
[NIST IR 8011-1] provides guidance on using automation support to assess system configurations.
This requirement can be achieved in several ways, such as blocking based on posture assessments, conditional access, or trust profiles. A posture assessment can be used to assess a given system’s posture to validate that it meets the standards set by the organization before allowing it to connect. Conditional access is the set of policies and configurations that control devices receiving access to services and data sources. Conditional access helps an organization build rules that manage security controls, perform blocking, and restrict components. A trust profile is a set of factors that are checked to inform a device that a system can be trusted.
In a Windows environment, you authorize devices to connect to systems by defining configuration rules in one or more Group Policy Objects (GPOs) that can be automatically applied to all relevant devices in a domain [a]. This gives you a mechanism to apply rules for which devices are authorized to connect to any given system and to prevent devices that are not within the defined list from connecting [b,c]. For instance, universal serial bus (USB) device rules for authorization can be defined by using a USB device's serial number, model number, and manufacturer information. This information can be used to build a trust profile for a device and authorize it for use by a given system. You use security policies to prevent unauthorized components from connecting to systems [c].
You have been assigned to build trust profiles for all devices allowed to connect to your organization’s systems. You want to test the capability starting with printers. You talk to your purchasing department, and they tell you that policy states every printer must be from a specific manufacturer; they only purchase four different models. They also collect all serial numbers from purchased printers. You gather this information and build trust profiles for each device [a,b]. Because your organization shares printers, you push the trust profiles out to organizational systems. Now, the systems are not allowed to connect to a network printer unless they are within the trust profiles you have provided [b,c].
Your organization has implemented a network access control solution (NAC) to help ensure that only properly configured computers are allowed to connect to the corporate network [a,b]. The solution first checks for the presence of a certificate to indicate that the device is company-owned. It next reviews the patch state of the computer and forces the installation of any patches that are required by the organization. Finally, it reviews the computer’s configuration to ensure that the firewall is active and that the appropriate security policies have been applied. Once the computer has passed all of these requirements, it is allowed access to network resources and defined as a trusted asset for the length of its session [a]. Devices that do not meet all of the requirements are automatically blocked from connecting to the network [c].
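As an added illustration (not part of the assessment guide or any product's code), the following Python models the two examples above as checks a practitioner could run and adapt: a printer trust profile built from manufacturer, model and serial number, and a NAC-style posture assessment that checks the ownership certificate, required patches and firewall state, comparing the device configuration as a cryptographic hash against a set of known-good fingerprints. All manufacturer names, model numbers, serial numbers and patch identifiers are constructed placeholders.

```python
import hashlib
import json

# Constructed trust profile for the printer scenario: one approved manufacturer,
# four approved models, and the serial numbers purchasing has on record.
PRINTER_PROFILE = {
    "manufacturer": "ExampleCorp",
    "models": {"EC-100", "EC-200", "EC-300", "EC-400"},
    "serials": {"SN-0001", "SN-0002", "SN-0003"},
}

def printer_in_trust_profile(printer, profile=PRINTER_PROFILE):
    """Allow only printers whose manufacturer, model and serial all match."""
    return (printer.get("manufacturer") == profile["manufacturer"]
            and printer.get("model") in profile["models"]
            and printer.get("serial") in profile["serials"])

def config_fingerprint(config):
    """Hash a component's configuration in canonical form so that identical
    settings always yield the same digest, for comparison to a known-good state."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def nac_decision(device, required_patches, known_good_fingerprints):
    """Posture assessment in the order the NAC example uses: ownership
    certificate, patch state, then configuration. Returns (allowed, reasons)."""
    reasons = []
    if not device.get("company_certificate"):
        reasons.append("no company-issued device certificate")
    missing = sorted(set(required_patches) - set(device.get("patches", ())))
    if missing:
        reasons.append("missing required patches: " + ", ".join(missing))
    cfg = device.get("config", {})
    if not cfg.get("firewall_enabled"):
        reasons.append("host firewall not active")
    if config_fingerprint(cfg) not in known_good_fingerprints:
        reasons.append("configuration does not match a known-good state")
    return (not reasons, reasons)

# Constructed known-good configuration. After a managed patch or configuration
# change, the new fingerprint must be added here by the configuration management
# process, otherwise correctly updated devices are blocked.
KNOWN_GOOD = {config_fingerprint({"firewall_enabled": True, "security_policy": "corp-v3"})}
REQUIRED_PATCHES = ["KB-EXAMPLE-1", "KB-EXAMPLE-2"]

if __name__ == "__main__":
    laptop = {"company_certificate": True, "patches": ["KB-EXAMPLE-1", "KB-EXAMPLE-2"],
              "config": {"firewall_enabled": True, "security_policy": "corp-v3"}}
    print(nac_decision(laptop, REQUIRED_PATCHES, KNOWN_GOOD))
```

A device that fails any check is returned with the list of reasons, which is also the evidence an assessor would ask for under the considerations below.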
Potential Assessment Considerations
- If the organization is using a manual method, is the method outlined in detail so any user will be able to follow it without making an error [b,c]?
- If the organization is using an automated method, can the organization explain how the technology performs the task? Can they explain the steps needed to implement [a,b,c]?
- Can the organization provide evidence showing they have trust profiles for specific devices [a,b,c]?
- Can the organization explain how their system components authenticate to a system if they are not using trust profiles [b,c]?