Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 149

Remember, devices are subjects in access control terms; therefore, whenever a device attempts to establish a connection with your networks or with a system, your organization's information security requirements should dictate how rigorously that device must authenticate its identity and then how your systems will authorize it to take whatever actions (such as accesses to objects) it attempts to do.

Device identity should be established with a combination of hardware, firmware, and software characteristics; this allows your systems to confirm that not only is the device itself known to your authentication system, but its firmware, systems-level software, and applications are all at or above the required update or patch level. Other information, such as the human user or organizational identity associated with that device, might also be something that authentication and authorization functions check and verify. Be aware that all of this information, starting with hardware-level IDs such as the media access control (MAC) address, can be spoofed or altered; choose your mix of authentication factors for devices with this in mind.

Chapter 6 will look into controlling and monitoring device access to your systems in greater depth, while Chapter 7 will provide insights on improving data security. Both are necessary parts of your defense against a business-killing data exfiltration before it occurs.