Zeroing in on Devices: Why modern device management is vital

It is obvious that the modern enterprise perimeter is no longer limited to physical assets in the data center. As agencies continue to adopt zero trust principles and mature their zero trust architectures, identities have become the new firewall – with devices the de facto perimeter. As stated in OMB Memo M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, by FY24, agencies are expected to inventory every device that is operated and authorized for government use as well as be able to respond to incidents on those devices. Modern device management is thus fundamental to zero trust – yet it is often given a lessor priority.

To explore the momentum, priorities, and challenges around the evolution to zero trust, MeriTalk and Merlin Cyber surveyed more than 150 federal cybersecurity executives. In part two of a four-part webinar series that explores the findings of the “Zeroing In: 2022 State of Federal Zero Trust Maturity” survey, MeriTalk and Miguel Sian, Merlin’s Vice President of Technology, sat down with Richard Grabowski, Acting Program Manager, CDM Program, Cybersecurity and Infrastructure Security Agency and Bryan Ware, President, Next5, to discuss the Device Pillar. This blog post captures some of the key parts of their conversation.

Note: The views presented by Richard Grabowski, CISA, and Bryan Ware, Next5, are theirs alone and do not necessarily represent the official views of CISA or Next5, respectively. Further, neither Mr. Grabowski, CISA, Mr. Ware nor Next5 expressly or impliedly endorse Merlin Cyber Security, its products, or the views of any of the other panelists of the virtual event.

MeriTalk: Just under half in our survey of both federal civilian and DoD respondents rank the Device Pillar as less important than the others, especially DoD agencies. Bryan, does this surprise you at all? Why might agencies feel this is a lower priority?

Bryan Ware: There are probably two or three things happening here. First, when we think about the word ‘priority,’ sometimes that means what we have to get to first. Sometimes it means what is most important, and it can be a combination of those two. Device is certainly not something to ignore or something that you would want to say is not a priority, but most of us can’t juggle five balls at the same time. Next, when we expand the concept of device beyond workstations to include mobile and IoT devices, there aren’t clear next steps to take that will cover all of that device exposure. Where I see CISA going is getting our hands around ‘device,’ and committing to a path forward.

Richard, while CISA lists the device as the second pillar, the research shows that agencies are generally implementing it either second or third. Can you talk about the importance of the device pillar and how it plays into the remaining three pillars of application, network, and data?

Richard Grabowski: To begin with, this isn’t just about the pillars in isolation. It’s about the entirety. All of the pillars are to be integrated to support processes such as dynamic and near-real-time automation and orchestration. Devices are important for multiple reasons. First and foremost, it’s a primary attack vector. Adversaries still very much pay attention to devices because that’s where the humans are, and humans are a weak link. Beyond that, looking at Log4j and the SolarWinds events, software installed on devices can open the door to other kinds of horizontal attacks and critical vulnerabilities.

Miguel Sian: Richard makes an excellent point. Thinking in terms of the software supply chain, the software that runs on devices is usually where adversaries try to get an advantage over security measures. Once an attacker gains access, the first thing they do is reconnaissance to find out what vulnerabilities on the device can help them to elevate privilege or move laterally. When it comes to device firmware or software, we need to know what our vulnerabilities are. There is a very good resource on CISA’s website that catalogs the critical vulnerabilities that should be prioritized. With that said, the endpoint has the richest form of data telemetry that can be leveraged by an agency for defense. Endpoint detection and response (EDR) is an essential component for transitioning to zero trust architecture, because every device that connects to a network is a potential attack vector.

Miguel, where do you see the Device Pillar fitting into agencies’ overall zero trust architectures?

Sian: Clearly, device is tightly coupled with identity. How else would a user use an application or get to data? To the point that all of these things are contained in the Zero Trust Maturity Model, all those are interconnected and need to be looked at as a system. If you go back to OMB’s M-22-09 memorandum, it describes the zero trust objectives for identity and devices that agencies need to achieve by the end of FY24. As a first step, let’s look at identity as a data point and device telemetry as a data point, combine the two, perform analytics, and decide based on the result as to whether to allow or block that combined user and device from the network.

Overall, 79% of DoD and 82% of federal civilian agencies say reaching optimal maturity for the Device Pillar will be a challenge, with 79% of DoD and 80% of federal civilian agencies anticipating automation and orchestration to be somewhat or very challenging. CISA defines optimal maturity as when device capacity and deployment use continuous integration and continuous deployment (CI/CD) principles with dynamic scaling. Miguel, what does it mean to reach optimal maturity and what steps are you seeing agencies take to move beyond traditional automation and orchestration?

Sian: I think the challenge is that when you hear the term CI/CD, it’s not really associated with device or device provisioning. It’s typically associated with application development, usually in the context of Agile DevOps principles. My theory is when someone reads this optimal goal, it is too nebulous to understand what CI/CD means for devices. If we understand the fundamental principles of CI/CD, the takeaway is to be fast in what you do. To have agility in orchestrating devices, you need to think about it in a composite form. Meaning, can we make our devices more composable, such as putting the operating system and application on it, so that we can act more quickly and efficiently in terms of provisioning devices.

Software-defined constructs and virtualization technology, perhaps provisioned in cloud as a management layer, are readily available technologies that agencies can leverage to help with device management. Concepts like unified endpoint management, which allows an agency to use a single system to manage traditional devices, like laptops and desktops, and also mobile devices, is key. Modern device management is something that I believe we will hear more about, especially with the guidance from CISA that describes how we can align zero trust with our mobile estate and enterprise mobility strategy. That is going to be important going forward because we really need to think about devices beyond traditional endpoints that help us to do our work on a day-to-day basis.

Moving on to governance, 79% of DoD and 78% of federal civilian agencies anticipate this to be somewhat or very challenging. Miguel, what are you hearing from agency leaders as to their biggest governance pain points?

Sian: The governance around mobile and IoT has been a challenge. When you think about mobile and IoT, the diversity of devices is exponentially more than what you might find with respect to traditional workstations and laptops. Just think about your personal experience. How many devices do you use to access your corporate IT? Generally speaking, users have three or four devices that have to be administered in a network. Extrapolate that with the number of users. Now think about IoT devices that exist within an agency. For the most part, agencies have good policies, procedures, and governance around how to manage desktops and laptops, but when it comes to mobile and IoT, the governance policies and procedures are not as mature.


Want to understand more about the momentum, priorities, and challenges around agency adoption of zero trust? Download our report, “Zeroing In: 2022 State of Federal Zero Trust Maturity.” And register now to join us on April 19 for a discussion about the Network pillar as part three of our four-part webinar series on zero trust maturity.

How PAM Can Protect Feds From Third Party/Service Account Cyber Attacks

How PAM Can Protect Feds From Third Party/Service Account Cyber Attacks

Share This