Addressing PSN Code of Connection Requirements using ForeScout CounterACT Solution Brief

Addressing PSN Code of Connection
Requirements using ForeScout
CounterACT
Highlights
Real-time Visibility
Gain automated, real-time visibility of all
devices as they connect to your network,
including mobile, remote, unmanaged
and unauthorised devices.
Asset Intelligence
Generate a real-time inventory of
everything on your network —
devices, hardware, operating systems,
applications, application versions, patch
levels, processes, open ports, peripheral
devices, users and more.
Policy-based Access Control
Limit access to PSN services — allow
only managed devices and authorised
users to connect to the PSN network.
Restrict unmanaged (BYOD) devices to
non-PSN network zones and services.
Continuous Monitoring
Assess the security and compliance
posture of all endpoints in real-time
while they are connected to the PSN
network. Detect endpoint configuration
and compliance violations and tailor
the response based on severity of the
violation.
Automated Remediation
Automate the remediation of noncompliant endpoints by updating
patches, security updates, endpoint
security and management agents,
and installing, activating or disabling
applications or peripherals.
Solution Brief
The Public Services Network (PSN) is an initiative to unify the network infrastructure across the
UK public sector into an interconnected “network of networks”. It creates a single logical network,
based on industry standards, and a more efficient Information and Communication Technology
(ICT) marketplace for the public sector.
The PSN allows public sector organisations to access and use shared services across the central
government as well as the wider public sector. The goal is to reduce the cost of ICT services across
the UK government and enable more citizen-centric services to be handled at the council level.
To achieve greater sharing of ICT services, the PSN has to be an assured network over which
government departments can safely share information. Consequently, the UK Cabinet Office
requires more accountability and a greater focus on compliance to be placed on connected
organisations.
.................................................................................................
A Zero Tolerance Approach to
PSN Compliance
PSN Code of Connection
Requirements
Organisations that wish to connect to the PSN
and use its shared services need to comply
with the PSN Code of Connection (CoCo).
Before your organisation can be connected
to the PSN, you must be accredited and
achieve PSN CoCo compliance. No remedial
action plans or weak compliance positions
are accepted by the PSNA. You will either
be assessed as compliant or your request to
connect will be rejected. To ensure you remain
connected, you need to complete and return
your CoCo annually in advance of expiry.
The PSN CoCo is an Information Assurance
(IA) mechanism to support the connection
of a network to another accredited network,
without increasing or substantially changing
the risks to the already accredited network.
When a network connects to the PSN, the risks
are not just to the PSN itself, but also to all of
the other organisations connected to the PSN.
Thus, the CoCo is intended to create a trust
model across the PSN and between connected
public sector departments. The information
assurance conditions defined in the CoCo
are a framework of controls that must be
applied by any organisation wishing to use
PSN services. These conditions are intended to
provide a baseline connection standard for all
organisations.
The secure sharing of PSN information
and services relies on all public sector
organisations implementing their IA controls
effectively. Consequently, the PSN Authority
(PSNA) that oversees the operational and
compliance aspects of PSN has adopted a zero
tolerance approach to PSN compliance. Noncompliance results in disconnection and the
associated disruption to services.
1
The PSN CoCo covers all users and devices
that have access to the PSN or PSN-connected
systems and services. This includes remote
access and mobile devices. The use of
unmanaged endpoints, including the
use of personal devices (BYOD), to access
the PSN or PSN services is not permitted.
Organisations have to demonstrate that
such devices cannot gain access to the PSN
or PSN-connected systems and services.
The use of unmanaged devices on non-PSN
network zones is allowed as long as they are
prevented from accessing the PSN network
through appropriate access controls and/or
network zoning.
The PSN CoCo requires that your organisation
be able to demonstrate technical control
over any device that has access to PSN
services/networks. Hardware and software
must be locked-down so that functionality is
limited to what is required for the provision
or consumption of PSN services. You must
be able to detect any deviations from your
standard configurations, and you must be able
to prevent execution of unauthorised software.
Addressing PSN Code of Connection
Requirements using ForeScout
CounterACT
Highlights (continued)
Non-disruptive Deployment
Seamlessly deploy within an existing
heterogeneous network without the
need to re-architect the network,
deploy in-line, upgrade the network
infrastructure or install additional
endpoint agents.
Accelerated Results
Achieve meaningful results on Day 1
with rapid and easy deployment and a
built-in knowledge base to configure
and implement security policies quickly
and accurately.
Non-intrusive Experience
Ensure a positive end-user experience
through an easy-to-use, agentless
approach which minimises user
disruption and maximises productivity.
Cost Savings
Deploy a cost-effective PSN security
solution with low TCO and minimal
administrative overhead. Eliminate
manual processes associated with
assessing, reviewing, remediating and
reporting on PSN CoCo compliance.
Solution Brief
In addition to complete visibility of all devices,
you must also demonstrate the ability to assess
endpoint compliance and remediate endpoint
deficiencies. Where possible, you are required
to update to the latest versions of software.
Patches and security updates must be
applied with minimal delay, and they should
be audited to ensure compliance with the
organisation’s policy. You must demonstrate
technical controls for disabling removable
media or restricting connection to authorised
peripheral devices.
Your CoCo submission, and your
implementation of its controls, remains a
cornerstone of the IA trust model. It proves
to other organisations with which you share
information that you have implemented
the appropriate information assurance
controls. Since this end-to-end trust model
places increased focus on the compliance
of connected networks, devices and users,
public sector organisations like yours are
left grappling with several new challenges
including:
•• How do you gain visibility of all devices
connected to the network, including
unmanaged and BYOD endpoints?
•• How can you effectively profile
and classify devices based on type,
connection attributes, ownership and
status (managed vs. unmanaged),
without the use of agents?
•• How do you implement access control
policies to automatically separate and
restrict unmanaged endpoints from
accessing the PSN or PSN originated
data?
•• How to achieve continuous monitoring
of endpoint compliance posture and
continuous mitigation of endpoint
security deficiencies?
Using ForeScout CounterACT™
to Comply with PSN Code of
Connection
ForeScout CounterACT addresses several
key requirements of the PSN CoCo and
can contribute significantly to achieving
compliance with the PSN IA conditions.
CounterACT provides real-time visibility and
control for all endpoints on your network
including laptops, desktops, smartphones,
tablets and other mobile devices connected to
your network.
CounterACT uses a combination of discovery
techniques to accurately classify endpoints
through passive and active interrogation.
CounterACT’s agentless solution enables it to
work with all types of endpoints — managed
and unmanaged, known and unknown (see
Figure 1). CounterACT eliminates blind spots
— if it’s on your network, CounterACT sees it.
•  Employee
•  Partner
•  Guest
Who is the
user?
Restrict to
non-PSN
Network
•  Corporate/council
(managed)
Is the device
managed?
•  BYOD/personal
(unmanaged)
What type of
device?
•  Windows
•  Mac
•  iOS
•  Android
•  Printer/non-user
Is the device
compliant?
•  Configuration
•  Software
•  Security agents
Does device
require
remediation?
•  OS updates
•  Software versions
•  Applications &
active content
•  Removable media
Public
Service
Network
CounterACT
Remediate
Figure 1: ForeScout CounterACT helps achieve PSN compliance by providing complete visibility and control
over managed and unmanaged devices.
© 2013 ForeScout Technologies, Page 2
© 2014 ForeScout Technologies, Page 2
2
Addressing PSN Code of Connection
Requirements using ForeScout
CounterACT
CounterACT can assess the security posture
of all endpoints on your network, including
unmanaged devices that aren’t visible to your
existing endpoint management systems.
Posture assessments can be performed
without the need to install a persistent agent
on devices. This aids in rapid deployment,
ease of operation and low total cost of
ownership of the CounterACT system.
ForeScout CounterACT ensures that only
the right people with the right devices
gain access to the right network resources.
CounterACT can allow, limit or block network
access based on device type, status (managed
or unmanaged), security posture and other
Solution Brief
device attributes. Unmanaged endpoints
can be restricted to specific non-PSN
network zones and enclaves using virtual
firewall technology, VLANs and ACLs.
Non-compliant managed endpoints can be
placed in a remediation zone and allowed
PSN network access only after all compliance
deficiencies are addressed (see Figure 1).
CounterACT can perform a wide range of
compliance checks including monitoring
for required software and software versions/
patches, device configuration and endpoint
vulnerabilities , unauthorised software and
peripherals, just to name a few. CounterACT
can perform automated or administratorinitiated endpoint remediation actions such
as updating antivirus, prompting a patch
management system to update the device’s
operating system, disabling unauthorised
software and peripherals, and re-installing,
enabling, reconfiguring or updating endpoint
security agents.
ForeScout CounterACT is offered as
either a virtual or physical appliance that
deploys seamlessly within your existing
heterogeneous network, requiring no
infrastructure changes or upgrades. The
CounterACT appliance installs out-of-band,
avoiding latency or potential for network
failure, and can be centrally administered
to dynamically manage tens or hundreds of
thousands of endpoints from one console.
PSN Code of Connection Annex B Reference
At its core, the Code of Connection is about creating an end-to-end trust model across the PSN. The CoCo incorporates several control objectives
including aspects of governance, technical interoperability requirements, service management expectations and information assurance
requirements. The table below shows how ForeScout CounterACT addresses several key IA requirements, known as ”Customer IA Conditions” in
the PSN CoCo Template Annex B version 2.7.
Condition No.
Requirement
Relevant CounterACT Functionality
Configuration (CON)
CON.1
Hardware and software shall be locked-down in accordance with the
organisations lock down policy and is part of an overall risk managed
approach so that functionality is limited to what is required for the provision or
consumption of the PSN service.
CounterACT can monitor the hardware and software configuration of all
endpoints to ensure they stay compliant with the organisations policy. It can
detect and remediate configuration drift.
CON.2
The execution of unauthorised software shall be prevented.
CounterACT can perform a wide range of compliance checks including
monitoring and disabling unauthorised software.
CON.3
Organisations shall have in place a configuration control process which prevents
unauthorised changes to the standard build of network devices and hosts.
CounterACT can assess endpoint security and compliance posture, and remediate
endpoint configuration and compliance violations with actions such as:
Deviations from standard configurations, and unauthorised changes should be
detected, either through monitoring, file integrity checking, regular reviews or
IT Health Checks.
Where possible, the latest versions of software, service packs and updates
should be used at the earliest opportunity. These should include the latest
security updates. Older versions of software may be out of support, and security
updates may not be available.
CON.5
Customers allowing active content shall be able to demonstrate that this
is done as part of an overall risk managed approach. Therefore risks from
allowing Active Content shall be understood and appropriate controls shall be
implemented.
•• preventing configuration drift from standard configuration
•• triggering latest patch and security updates to be installed
•• updating software versions
•• updating anti-virus and other security software definitions
CounterACT can restrict devices running active content. It can also ensure that
devices required to run active content are patched with the latest security
updates in order to eliminate known active content vulnerabilities.
Access to active content should be restricted if it is not required.
Compliance Checking (CHE)
CHE.1
Organisations shall implement an annual programme of IT Health Checks to
validate equipment not provided as part of a PSN service that interacts with PSN
services.
It is extremely important to ensure that the operating systems, software and
hardware are configured securely when they are installed and that they are
patched regularly.
3
CounterACT can continuously monitor and remediate endpoint compliance
deficiencies with actions including:
•• preventing configuration drift from standard configuration
•• installing latest patches, security updates and software versions
•• updating anti-virus and other security software definitions
Addressing PSN Code of Connection
Requirements using ForeScout
CounterACT
Condition No.
Solution Brief
Requirement
Relevant CounterACT Functionality
Patch Management (PAT)
PAT.2
Patches shall be applied with minimal delay and audited to ensure compliance
with the organisation’s policy.
CounterACT can directly update or prompt a patch management system to
update an endpoint’s operating system and software.
Access Control (ACC)
ACC.2
The customer shall implement an organisational access control policy that is
deemed sufficient to manage the risk that the organisation is exposed to. This
policy shall cover remote/mobile solutions where appropriate.
CounterACT can allow, limit or block network access based on device type, status
(managed or unmanaged), security posture and user credentials. It integrates with
existing directory systems or other authentication systems.
Removable Media (MED)
MED.1
As part of an overall risk management approach, customers shall have a policy
for removable media that addresses the risks of using removable media.
CounterACT can perform a wide range of compliance checks including
monitoring and disabling unauthorised peripherals such as USB devices.
Technical controls can include disabling devices e.g. through Group policy to
disable USB, or through products that only allow the connection of authorised
devices.
Mobile/Home Working (MOB)
MOB.2
The organisation must be able to show appropriate control and management
of the technical environment of any device that has access to PSN services/
networks.
CounterACT can discover all devices on the network including unmanaged and
rogue devices. Unmanaged endpoints can be restricted to non-PSN network
zones. Managed endpoints are posture checked and then allowed on the PSN
network.
MOB.3
Any mobile/remote device that has access to PSN services/networks shall be
considered by the organisational lockdown and configuration management
policies.
CounterACT can assess the security posture of remote and mobile devices and
remediate endpoint compliance violations with actions such as:
As with any endpoint, mobile devices should run Anti Malware software and
be securely configured. They should also run a personal firewall and all relevant
security patches should be applied.
•• preventing configuration drift from standard configuration
•• triggering latest patch and security updates to be installed
•• updating anti-virus and other security software definitions
•• ensuring mandatory software is installed and running
MOB.5
Remote/mobile devices shall employ encryption to protect data at rest and in
transit. The cryptography used shall have a suitable level of assurance.
CounterACT can continuously monitor endpoints to ensure that encryption
software is installed, enabled and configured correctly.
Wireless Networks (WIR)
WIR.1
Where the customer connects or consumes PSN services from wireless
networks/devices the customer shall do so in accordance with an organisational
wireless policy that identifies and mitigates the risks of using wireless networks/
devices and offers mitigation to those risks i.e. via secure configuration in line
with public sector guidance.
CounterACT can see all devices on the network, including unmanaged and
unauthorised devices. It can block or quarantine unauthorised wireless devices
and rogue wireless access points from the network.
Network vulnerability scanning tools should be used to identify access points,
and any unauthorised devices should be disabled immediately.
Take the ForeScout Challenge
Let us know which ForeScout solution is right for you, and we’ll arrange a free on-site evaluation.
About ForeScout
ForeScout delivers pervasive network security by allowing organisations to continuously monitor and mitigate security exposures and cyber
attacks. The company’s CounterACT appliance dynamically identifies and assesses network users, endpoints and applications to provide visibility,
intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric™ technology allows a broad range of IT security
products and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy,
unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell,
California, ForeScout offers its solutions through its network of authorised partners worldwide.
Learn more at www.forescout.com.
...............................................................................................................................................
ForeScout Technologies, Inc.
900 E. Hamilton Ave.,
Suite 300
Campbell, CA 95008
U.S.A.
Contact Us (USA)
T 1-866-377-8771 (US)
T 1-408-213-3191 (Intl.)
F 1-408-371-2284 (Intl.)
www.forescout.com
Contact Us (UK)
T +44(0) 2071 580 827
E networksecurity@forescout.com
©2014 ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March 2002. All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT and ControlFabric are
trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners.
Doc: 2014.0124
4