Cloud service providers should use equipment identification as a method for connection authentication. This can help validate that only authorized devices are connecting to cloud resources. Location-aware technologies can further enhance the integrity of this authentication by ensuring devices are connecting from expected locations.

Where did this come from?

CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4

This control maps to the CIS Control 1 - Inventory and Control of Enterprise Assets. More details here: https://www.cisecurity.org/controls/inventory-and-control-of-enterprise-assets

Who should care?

• Cloud security architects designing authentication and authorization controls
• Cloud operations teams responsible for managing and monitoring cloud resources
• Compliance officers ensuring the cloud environment meets relevant standards

What is the risk?

The main risk is unauthorized devices connecting to and potentially compromising cloud resources. Without strong device authentication:

• Malicious actors could spoof legitimate devices to gain access
• Stolen devices could be used to connect even after being reported as compromised
• Devices could connect from unexpected and high-risk locations

Equipment identification significantly mitigates these risks but does not eliminate them entirely. Additional controls like multi-factor authentication are still important.

What's the care factor?

For most organizations, especially those dealing with sensitive data, implementing equipment identification should be a high priority. Unauthorized access can lead to data breaches, interrupted services, and reputational damage.

However, for very small or low-risk deployments, the overhead of device authentication may exceed the benefits. A pragmatic risk assessment is advisable.

When is it relevant?

Equipment identification is most applicable when:

• The cloud environment contains valuable, regulated, or sensitive data
• A large number of devices need authorized access to cloud resources
• Devices connect from a variety of locations, especially uncontrolled networks

It may be unnecessary when:

• Dealing with only a small number of devices
• All access is from a tightly controlled on-premises network
• The data in the cloud is public or very low sensitivity

What are the trade offs?

Implementing equipment identification does come with some costs:

• Time and effort to set up and maintain the authentication system
• Potential for locked-out devices disrupting legitimate work
• Some authentication methods may require installing agents on devices
• Slightly more friction in the user connection experience

However, for most the security benefits will outweigh these relatively minor drawbacks.

How to make it happen?

The exact steps depend on your cloud platform and authentication system of choice. But a general approach is:

1. Choose a device authentication method. Options include certificates, pre-shared keys, one-time passwords, registered device serial numbers, etc.
2. If using location validation, choose a geolocation service. Many cloud platforms have this built-in.
3. Install and configure the authentication system. This usually involves:
   • Deploying an authentication service in your cloud environment
   • Installing any required agents or generating unique keys on the devices
   • Defining which cloud resources require device authentication to access
4. Register the authorized devices in the authentication system. Capture key details like serial number, assigned user, expected location.
5. Configure your cloud resources to require the chosen authentication method for access. Block or alert on unauthorized connection attempts.
6. Establish processes to keep the device inventory up-to-date. Ensure old devices are promptly removed.
7. Monitor authentication logs for any suspicious patterns. Investigate and remediate any potential breaches.

What are some gotchas?

• Ensure you have robust processes for device enrollment and retirement. Stale device records undermine the whole system.
• Some authentication methods require unique, immutable device identifiers. Not all devices expose this cleanly.
• Be cautious about over-reliance on location. Networks can be spoofed. Use location as a risk signal more than a hard pass/fail.
• For large fleets, consider an automated device management solution to handle enrollment and monitoring. Manual gets unwieldy fast.
• Ensure your authentication system fails closed. Mis-configured devices should be blocked, not allowed to connect unauthenticated.

What are the alternatives?

If full device authentication is impractical, consider other ways to validate device trust:

• Only allow access from your on-premises network IPs and force VPN usage
• Set up a zero-trust model authenticating users and controlling access at a granular level
• Use virtual desktop infrastructure, restricting data flow to unmanaged devices
• Aggressively monitor for and investigate suspicious device behavior

Explore further

• CIS Control 1 - Inventory and Control of Enterprise Assets: https://www.cisecurity.org/controls/inventory-and-control-of-enterprise-assets
• NIST SP 800-53 Rev 5 - IA-3 Device Identification and Authentication: https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/control?version=5.1&number=IA-3
• Cloud Security Alliance - Cloud Controls Matrix: https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4

‍