Addressing PSN Code of Connection Requirements using ForeScout CounterACT Highlights Real-time Visibility Gain automated, real-time visibility of all devices as they connect to your network, including mobile, remote, unmanaged and unauthorised devices. Asset Intelligence Generate a real-time inventory of everything on your network — devices, hardware, operating systems, applications, application versions, patch levels, processes, open ports, peripheral devices, users and more. Policy-based Access Control Limit access to PSN services — allow only managed devices and authorised users to connect to the PSN network. Restrict unmanaged (BYOD) devices to non-PSN network zones and services. Continuous Monitoring Assess the security and compliance posture of all endpoints in real-time while they are connected to the PSN network. Detect endpoint configuration and compliance violations and tailor the response based on severity of the violation. Automated Remediation Automate the remediation of noncompliant endpoints by updating patches, security updates, endpoint security and management agents, and installing, activating or disabling applications or peripherals. Solution Brief The Public Services Network (PSN) is an initiative to unify the network infrastructure across the UK public sector into an interconnected “network of networks”. It creates a single logical network, based on industry standards, and a more efficient Information and Communication Technology (ICT) marketplace for the public sector. The PSN allows public sector organisations to access and use shared services across the central government as well as the wider public sector. The goal is to reduce the cost of ICT services across the UK government and enable more citizen-centric services to be handled at the council level. To achieve greater sharing of ICT services, the PSN has to be an assured network over which government departments can safely share information. Consequently, the UK Cabinet Office requires more accountability and a greater focus on compliance to be placed on connected organisations. ................................................................................................. A Zero Tolerance Approach to PSN Compliance PSN Code of Connection Requirements Organisations that wish to connect to the PSN and use its shared services need to comply with the PSN Code of Connection (CoCo). Before your organisation can be connected to the PSN, you must be accredited and achieve PSN CoCo compliance. No remedial action plans or weak compliance positions are accepted by the PSNA. You will either be assessed as compliant or your request to connect will be rejected. To ensure you remain connected, you need to complete and return your CoCo annually in advance of expiry. The PSN CoCo is an Information Assurance (IA) mechanism to support the connection of a network to another accredited network, without increasing or substantially changing the risks to the already accredited network. When a network connects to the PSN, the risks are not just to the PSN itself, but also to all of the other organisations connected to the PSN. Thus, the CoCo is intended to create a trust model across the PSN and between connected public sector departments. The information assurance conditions defined in the CoCo are a framework of controls that must be applied by any organisation wishing to use PSN services. These conditions are intended to provide a baseline connection standard for all organisations. The secure sharing of PSN information and services relies on all public sector organisations implementing their IA controls effectively. Consequently, the PSN Authority (PSNA) that oversees the operational and compliance aspects of PSN has adopted a zero tolerance approach to PSN compliance. Noncompliance results in disconnection and the associated disruption to services. 1 The PSN CoCo covers all users and devices that have access to the PSN or PSN-connected systems and services. This includes remote access and mobile devices. The use of unmanaged endpoints, including the use of personal devices (BYOD), to access the PSN or PSN services is not permitted. Organisations have to demonstrate that such devices cannot gain access to the PSN or PSN-connected systems and services. The use of unmanaged devices on non-PSN network zones is allowed as long as they are prevented from accessing the PSN network through appropriate access controls and/or network zoning. The PSN CoCo requires that your organisation be able to demonstrate technical control over any device that has access to PSN services/networks. Hardware and software must be locked-down so that functionality is limited to what is required for the provision or consumption of PSN services. You must be able to detect any deviations from your standard configurations, and you must be able to prevent execution of unauthorised software. Addressing PSN Code of Connection Requirements using ForeScout CounterACT Highlights (continued) Non-disruptive Deployment Seamlessly deploy within an existing heterogeneous network without the need to re-architect the network, deploy in-line, upgrade the network infrastructure or install additional endpoint agents. Accelerated Results Achieve meaningful results on Day 1 with rapid and easy deployment and a built-in knowledge base to configure and implement security policies quickly and accurately. Non-intrusive Experience Ensure a positive end-user experience through an easy-to-use, agentless approach which minimises user disruption and maximises productivity. Cost Savings Deploy a cost-effective PSN security solution with low TCO and minimal administrative overhead. Eliminate manual processes associated with assessing, reviewing, remediating and reporting on PSN CoCo compliance. Solution Brief In addition to complete visibility of all devices, you must also demonstrate the ability to assess endpoint compliance and remediate endpoint deficiencies. Where possible, you are required to update to the latest versions of software. Patches and security updates must be applied with minimal delay, and they should be audited to ensure compliance with the organisation’s policy. You must demonstrate technical controls for disabling removable media or restricting connection to authorised peripheral devices. Your CoCo submission, and your implementation of its controls, remains a cornerstone of the IA trust model. It proves to other organisations with which you share information that you have implemented the appropriate information assurance controls. Since this end-to-end trust model places increased focus on the compliance of connected networks, devices and users, public sector organisations like yours are left grappling with several new challenges including: •• How do you gain visibility of all devices connected to the network, including unmanaged and BYOD endpoints? •• How can you effectively profile and classify devices based on type, connection attributes, ownership and status (managed vs. unmanaged), without the use of agents? •• How do you implement access control policies to automatically separate and restrict unmanaged endpoints from accessing the PSN or PSN originated data? •• How to achieve continuous monitoring of endpoint compliance posture and continuous mitigation of endpoint security deficiencies? Using ForeScout CounterACT™ to Comply with PSN Code of Connection ForeScout CounterACT addresses several key requirements of the PSN CoCo and can contribute significantly to achieving compliance with the PSN IA conditions. CounterACT provides real-time visibility and control for all endpoints on your network including laptops, desktops, smartphones, tablets and other mobile devices connected to your network. CounterACT uses a combination of discovery techniques to accurately classify endpoints through passive and active interrogation. CounterACT’s agentless solution enables it to work with all types of endpoints — managed and unmanaged, known and unknown (see Figure 1). CounterACT eliminates blind spots — if it’s on your network, CounterACT sees it. • Employee • Partner • Guest Who is the user? Restrict to non-PSN Network • Corporate/council (managed) Is the device managed? • BYOD/personal (unmanaged) What type of device? • Windows • Mac • iOS • Android • Printer/non-user Is the device compliant? • Configuration • Software • Security agents Does device require remediation? • OS updates • Software versions • Applications & active content • Removable media Public Service Network CounterACT Remediate Figure 1: ForeScout CounterACT helps achieve PSN compliance by providing complete visibility and control over managed and unmanaged devices. © 2013 ForeScout Technologies, Page 2 © 2014 ForeScout Technologies, Page 2 2 Addressing PSN Code of Connection Requirements using ForeScout CounterACT CounterACT can assess the security posture of all endpoints on your network, including unmanaged devices that aren’t visible to your existing endpoint management systems. Posture assessments can be performed without the need to install a persistent agent on devices. This aids in rapid deployment, ease of operation and low total cost of ownership of the CounterACT system. ForeScout CounterACT ensures that only the right people with the right devices gain access to the right network resources. CounterACT can allow, limit or block network access based on device type, status (managed or unmanaged), security posture and other Solution Brief device attributes. Unmanaged endpoints can be restricted to specific non-PSN network zones and enclaves using virtual firewall technology, VLANs and ACLs. Non-compliant managed endpoints can be placed in a remediation zone and allowed PSN network access only after all compliance deficiencies are addressed (see Figure 1). CounterACT can perform a wide range of compliance checks including monitoring for required software and software versions/ patches, device configuration and endpoint vulnerabilities , unauthorised software and peripherals, just to name a few. CounterACT can perform automated or administratorinitiated endpoint remediation actions such as updating antivirus, prompting a patch management system to update the device’s operating system, disabling unauthorised software and peripherals, and re-installing, enabling, reconfiguring or updating endpoint security agents. ForeScout CounterACT is offered as either a virtual or physical appliance that deploys seamlessly within your existing heterogeneous network, requiring no infrastructure changes or upgrades. The CounterACT appliance installs out-of-band, avoiding latency or potential for network failure, and can be centrally administered to dynamically manage tens or hundreds of thousands of endpoints from one console. PSN Code of Connection Annex B Reference At its core, the Code of Connection is about creating an end-to-end trust model across the PSN. The CoCo incorporates several control objectives including aspects of governance, technical interoperability requirements, service management expectations and information assurance requirements. The table below shows how ForeScout CounterACT addresses several key IA requirements, known as ”Customer IA Conditions” in the PSN CoCo Template Annex B version 2.7. Condition No. Requirement Relevant CounterACT Functionality Configuration (CON) CON.1 Hardware and software shall be locked-down in accordance with the organisations lock down policy and is part of an overall risk managed approach so that functionality is limited to what is required for the provision or consumption of the PSN service. CounterACT can monitor the hardware and software configuration of all endpoints to ensure they stay compliant with the organisations policy. It can detect and remediate configuration drift. CON.2 The execution of unauthorised software shall be prevented. CounterACT can perform a wide range of compliance checks including monitoring and disabling unauthorised software. CON.3 Organisations shall have in place a configuration control process which prevents unauthorised changes to the standard build of network devices and hosts. CounterACT can assess endpoint security and compliance posture, and remediate endpoint configuration and compliance violations with actions such as: Deviations from standard configurations, and unauthorised changes should be detected, either through monitoring, file integrity checking, regular reviews or IT Health Checks. Where possible, the latest versions of software, service packs and updates should be used at the earliest opportunity. These should include the latest security updates. Older versions of software may be out of support, and security updates may not be available. CON.5 Customers allowing active content shall be able to demonstrate that this is done as part of an overall risk managed approach. Therefore risks from allowing Active Content shall be understood and appropriate controls shall be implemented. •• preventing configuration drift from standard configuration •• triggering latest patch and security updates to be installed •• updating software versions •• updating anti-virus and other security software definitions CounterACT can restrict devices running active content. It can also ensure that devices required to run active content are patched with the latest security updates in order to eliminate known active content vulnerabilities. Access to active content should be restricted if it is not required. Compliance Checking (CHE) CHE.1 Organisations shall implement an annual programme of IT Health Checks to validate equipment not provided as part of a PSN service that interacts with PSN services. It is extremely important to ensure that the operating systems, software and hardware are configured securely when they are installed and that they are patched regularly. 3 CounterACT can continuously monitor and remediate endpoint compliance deficiencies with actions including: •• preventing configuration drift from standard configuration •• installing latest patches, security updates and software versions •• updating anti-virus and other security software definitions Addressing PSN Code of Connection Requirements using ForeScout CounterACT Condition No. Solution Brief Requirement Relevant CounterACT Functionality Patch Management (PAT) PAT.2 Patches shall be applied with minimal delay and audited to ensure compliance with the organisation’s policy. CounterACT can directly update or prompt a patch management system to update an endpoint’s operating system and software. Access Control (ACC) ACC.2 The customer shall implement an organisational access control policy that is deemed sufficient to manage the risk that the organisation is exposed to. This policy shall cover remote/mobile solutions where appropriate. CounterACT can allow, limit or block network access based on device type, status (managed or unmanaged), security posture and user credentials. It integrates with existing directory systems or other authentication systems. Removable Media (MED) MED.1 As part of an overall risk management approach, customers shall have a policy for removable media that addresses the risks of using removable media. CounterACT can perform a wide range of compliance checks including monitoring and disabling unauthorised peripherals such as USB devices. Technical controls can include disabling devices e.g. through Group policy to disable USB, or through products that only allow the connection of authorised devices. Mobile/Home Working (MOB) MOB.2 The organisation must be able to show appropriate control and management of the technical environment of any device that has access to PSN services/ networks. CounterACT can discover all devices on the network including unmanaged and rogue devices. Unmanaged endpoints can be restricted to non-PSN network zones. Managed endpoints are posture checked and then allowed on the PSN network. MOB.3 Any mobile/remote device that has access to PSN services/networks shall be considered by the organisational lockdown and configuration management policies. CounterACT can assess the security posture of remote and mobile devices and remediate endpoint compliance violations with actions such as: As with any endpoint, mobile devices should run Anti Malware software and be securely configured. They should also run a personal firewall and all relevant security patches should be applied. •• preventing configuration drift from standard configuration •• triggering latest patch and security updates to be installed •• updating anti-virus and other security software definitions •• ensuring mandatory software is installed and running MOB.5 Remote/mobile devices shall employ encryption to protect data at rest and in transit. The cryptography used shall have a suitable level of assurance. CounterACT can continuously monitor endpoints to ensure that encryption software is installed, enabled and configured correctly. Wireless Networks (WIR) WIR.1 Where the customer connects or consumes PSN services from wireless networks/devices the customer shall do so in accordance with an organisational wireless policy that identifies and mitigates the risks of using wireless networks/ devices and offers mitigation to those risks i.e. via secure configuration in line with public sector guidance. CounterACT can see all devices on the network, including unmanaged and unauthorised devices. It can block or quarantine unauthorised wireless devices and rogue wireless access points from the network. Network vulnerability scanning tools should be used to identify access points, and any unauthorised devices should be disabled immediately. Take the ForeScout Challenge Let us know which ForeScout solution is right for you, and we’ll arrange a free on-site evaluation. About ForeScout ForeScout delivers pervasive network security by allowing organisations to continuously monitor and mitigate security exposures and cyber attacks. The company’s CounterACT appliance dynamically identifies and assesses network users, endpoints and applications to provide visibility, intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric™ technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorised partners worldwide. Learn more at www.forescout.com. ............................................................................................................................................... ForeScout Technologies, Inc. 900 E. Hamilton Ave., Suite 300 Campbell, CA 95008 U.S.A. Contact Us (USA) T 1-866-377-8771 (US) T 1-408-213-3191 (Intl.) F 1-408-371-2284 (Intl.) www.forescout.com Contact Us (UK) T +44(0) 2071 580 827 E networksecurity@forescout.com ©2014 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: 2014.0124 4
© Copyright 2024