Description: Besides relying on a valid username/password, authentication should take into consideration additional context about the device being used, to determine whether the device itself has been compromised. This context helps prevent the spread of malware and limits lateral movement by denying infected systems access. It also allows access to be limited to company-issued or company-managed devices.
Benefit: Protects critical systems and prevents the spread of malware.
Implementation Approaches
Security Frameworks
NIST Cybersecurity Framework 1.1
- PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction
- DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
NIST SP 800-207; Zero Trust Architecture
- 2: Does the device used for the request have the proper security posture?
- 2.1.4: Requesting asset state can include device characteristics such as software versions installed, network location, time/date of request, previously observed behavior, and installed credentials.
- 3: CDM systems are also responsible for identifying and potentially enforcing a subset of policies on nonenterprise devices active on enterprise infrastructure.
Title | Installed Software and OS Settings |
Technology Components | Unified Endpoint Management (UEM); Endpoint Detection & Response (EDR); Endpoint Protection Platform (EPP); Access Management (AM) |
Description | Leveraging additional context from the security posture of the device and enforcing minimum device compliance before access to the network or application is permitted. Policy can and should cover both items the device MUST HAVE (such as a recent OS update applied) and items the device MUST NOT HAVE (such as malware, rootkits, or other active EDR findings). |
Pre-requisites | Devices are managed by EDR, EPP and/or UEM; EDR, EPP and/or UEM is in place with the ability to monitor installed software and OS settings on devices; EDR, EPP and/or UEM is integrated with IAM to provide device posture information; IAM is configured to consume third-party device posture during authentication to determine risk and react accordingly |
Supporting Member Companies | ForgeRock, Okta, Ping Identity, ThreatMetrix, VMware WorkspaceONE, VMware Carbon Black |
Title | Device Physical Attributes |
Technology Components | Unified Endpoint Management (UEM); Endpoint Detection & Response (EDR); Endpoint Protection Platform (EPP); Access Management (AM) |
Description | Leveraging additional context about the physical attributes of the device to apply access policies accordingly. Allows admins to apply different policies based on device type (e.g. laptop vs. mobile device, iOS vs. Android). |
Pre-requisites | Devices are managed by EDR, EPP and/or UEM; EDR, EPP and/or UEM is in place with the ability to monitor physical attributes of devices; EDR, EPP and/or UEM is integrated with IAM to provide device posture information; IAM is configured to consume third-party device posture during authentication to determine risk and react accordingly |
Supporting Member Companies | ForgeRock, Okta, Ping Identity, Thales, ThreatMetrix, VMware Carbon Black |
Title | Device Physical Location |
Technology Components | Unified Endpoint Management (UEM); Access Management (AM) |
Description | Leveraging additional context from the geolocation of the device, and requiring an authorized or consistent device location before access to the network or application is permitted. Policy can and should cover both locations from which the device is authorized to connect and locations from which access is denied, as well as location changes that are inconsistent with the previous authentication (for example, a different country within a time window too short to travel). |
Pre-requisites | Devices are managed by UEM; UEM is in place with the ability to monitor and detect the physical location of devices; UEM is integrated with IAM to provide device posture information; IAM is configured to consume third-party device posture during authentication to determine risk and react accordingly |
Supporting Member Companies | ForgeRock, Okta, Ping Identity, Thales, ThreatMetrix, VMware WorkspaceONE |
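The three approaches above (installed software and OS settings, device physical attributes, device physical location) all reduce to the same pattern: at authentication time the IAM/Access Management system pulls a posture record from the UEM/EDR integration and evaluates it against policy. The following is an added example of such a policy evaluator, not code from the original page or from any of the listed vendors. The posture schema, field names, policy values and device records are constructed assumptions; a real integration would map the product's own posture attributes onto them.

```python
"""Device-posture-aware authentication decision (added example, not vendor code).

Models what an Access Management (AM) system could do with posture data pulled
from a UEM/EDR integration at login: evaluate MUST HAVE / MUST NOT HAVE rules,
device-type rules and location rules, and return ALLOW, STEP_UP or DENY.
All field names, policy values and device records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DENY, STEP_UP, ALLOW = "DENY", "STEP_UP", "ALLOW"


@dataclass
class DevicePosture:
    """Posture record as a UEM/EDR integration might return it (assumed schema)."""
    device_id: str
    managed: bool                        # enrolled in UEM / company managed
    platform: str                        # windows, macos, ios, android
    device_type: str                     # laptop or mobile
    os_version: Tuple[int, ...]          # compared lexicographically
    edr_agent_running: bool
    disk_encrypted: bool
    threats_detected: List[str]          # open EDR findings (malware, rootkit ...)
    country: str                         # ISO 3166 code from geolocation
    last_country: Optional[str] = None   # country at the previous successful auth
    minutes_since_last_auth: Optional[int] = None


@dataclass
class Policy:
    min_os_version: Dict[str, Tuple[int, ...]]
    allowed_countries: Set[str]
    denied_countries: Set[str]
    impossible_travel_minutes: int = 120   # country change faster than this is suspicious
    step_up_on_mobile: bool = True         # treat phones/tablets as higher risk


def evaluate(p: Optional[DevicePosture], policy: Policy) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Fails closed when no posture is available."""
    if p is None:
        return DENY, ["no device posture available from UEM/EDR"]

    hard = []  # MUST NOT HAVE / MUST HAVE violations -> DENY
    if p.threats_detected:
        hard.append("active EDR findings: " + ", ".join(p.threats_detected))
    if not p.managed:
        hard.append("device is not company managed")
    if p.country in policy.denied_countries:
        hard.append("request from denied location " + p.country)
    if not p.edr_agent_running:
        hard.append("EDR agent not running")
    if not p.disk_encrypted:
        hard.append("disk not encrypted")
    min_v = policy.min_os_version.get(p.platform)
    if min_v is None:
        hard.append("unsupported platform " + p.platform)
    elif p.os_version < min_v:
        hard.append("OS %s below minimum %s" % (p.os_version, min_v))
    if hard:
        return DENY, hard

    soft = []  # contextual risk signals -> require step-up (e.g. MFA)
    if p.country not in policy.allowed_countries:
        soft.append("request from unlisted location " + p.country)
    if (p.last_country and p.last_country != p.country
            and p.minutes_since_last_auth is not None
            and p.minutes_since_last_auth < policy.impossible_travel_minutes):
        soft.append("impossible travel %s -> %s in %d min"
                    % (p.last_country, p.country, p.minutes_since_last_auth))
    if policy.step_up_on_mobile and p.device_type == "mobile":
        soft.append("mobile device type")
    return (STEP_UP, soft) if soft else (ALLOW, [])


# Constructed policy and device records for the demonstration.
POLICY = Policy(
    min_os_version={"windows": (10, 0, 19045), "macos": (13, 0), "ios": (17, 0), "android": (13,)},
    allowed_countries={"US", "DE", "GB"},
    denied_countries={"ZZ"},           # placeholder code standing in for any blocked region
)

DEVICES = {
    "laptop-ok": DevicePosture("L-1", True, "windows", "laptop", (10, 0, 19045), True, True, [], "US", "US", 30),
    "laptop-infected": DevicePosture("L-2", True, "windows", "laptop", (10, 0, 19045), True, True, ["Trojan.Generic"], "US"),
    "laptop-old-os": DevicePosture("L-3", True, "macos", "laptop", (12, 6), True, True, [], "US"),
    "phone-unmanaged": DevicePosture("M-1", False, "android", "mobile", (14,), True, True, [], "US"),
    "phone-managed": DevicePosture("M-2", True, "ios", "mobile", (17, 2), True, True, [], "US"),
    "laptop-travel": DevicePosture("L-4", True, "windows", "laptop", (10, 0, 19045), True, True, [], "DE", "US", 45),
    "laptop-denied-region": DevicePosture("L-5", True, "windows", "laptop", (10, 0, 19045), True, True, [], "ZZ"),
}


def decisions(policy: Policy = POLICY) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every constructed device plus the missing-posture case."""
    out = {name: evaluate(d, policy) for name, d in DEVICES.items()}
    out["no-posture"] = evaluate(None, policy)
    return out


if __name__ == "__main__":
    for name, (decision, reasons) in decisions().items():
        print("%-22s %-8s %s" % (name, decision, "; ".join(reasons)))
```

Two design points worth carrying into a real deployment: the evaluator fails closed when the UEM/EDR integration returns no posture, which is the safe default when the device cannot prove it is managed, and the location rule distinguishes a hard deny (listed denied region) from a soft signal that only triggers step-up authentication, so that a legitimate traveller is challenged rather than locked out. The posture record should also carry a timestamp in practice, since a stale "clean" result from EDR is not evidence that the device is clean now.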