…corporate financials) or far less sensitive data (e.g. a dashboard displayed in a public space).

The most significant challenge is the large amount of time between trust evaluations. If you only install a new certificate once a year, it might take an entire year before you are able to recertify a device. Therefore, any new requirements you wish to add to the fleet may take up to a year before they are fully in effect. On the other hand, if you require certificates to be installed monthly or daily, you have placed a significant burden on your users and/or support staff, as they are forced to go through the certificate issuance process far more often, which can be time consuming and frustrating. Additionally, if a device is found to be out of compliance with security policy, the only option is to remove all access by revoking the certificate, rather than degrading access, which can create a frustrating all-or-nothing situation for the user.

The next challenge introduced by traditional systems is the inherent requirement that a device must meet your security requirements before it can get a certificate. This sounds reasonable on paper, but it unfortunately means that existing certificate infrastructure can't be used to aid device provisioning. This implies you must have additional infrastructure to bootstrap a device into a trusted state.

Tiered access attempts to address all these challenges, which is why we decided to adopt it. Below are three ways in which tiered access helps address these concerns.

Moving the trust evaluation out-of-band from certificate issuance allows us to circumvent the challenges identified above in the traditional system. Trust decisions are then made by a separate system which can be modified without interfering with the certificate issuance process or validity. In this new model, certificates are simply used to provide the device's identity, instead of acting as proof of trust.

The frequency of device trust evaluation is independent of certificate issuance in a tiered access setup. This means you can evaluate trust as often as you feel necessary. Changes to trust definitions can be immediately reflected across the entire fleet. Changes to device posture can similarly immediately impact trust.
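The model described above, as an added example that is not part of the original post or of Google's own code: a small Python simulation of tiered access in which a long-lived certificate carries only the device identity, a separate trust policy is evaluated against out-of-band posture data on every request, and a tightened policy or a degraded posture lowers the device's tier without reissuing or revoking the certificate. The tier names, resources, posture fields, thresholds and the seven-day freshness window are all assumptions made for this example.

```python
"""Tiered access simulation: certificate = identity, trust = separately evaluated policy.

Added illustration, not Google's code. Tiers, posture fields, resources and
thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Trust tiers ordered lowest to highest (assumed names).
TIERS = ["untrusted", "basic", "privileged", "highly_privileged"]


@dataclass(frozen=True)
class DeviceCert:
    """Long-lived device certificate: binds a device_id to a key, carries no posture claims."""
    device_id: str
    not_after: date


@dataclass(frozen=True)
class Posture:
    """Posture facts reported out-of-band by an inventory/agent system (constructed sample data)."""
    os_patch_level: int
    disk_encrypted: bool
    agent_last_seen: date


@dataclass(frozen=True)
class Resource:
    name: str
    min_tier: str


Rule = Tuple[str, Callable[[Posture, date], bool]]


class TrustPolicy:
    """Ordered rules, highest tier first; a device gets the first tier whose predicate holds."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules


def fresh(p: Posture, today: date, max_age_days: int = 7) -> bool:
    """Posture older than max_age_days is not trusted for elevated tiers (assumed window)."""
    return today - p.agent_last_seen <= timedelta(days=max_age_days)


def evaluate_tier(cert: DeviceCert, posture: Optional[Posture],
                  policy: TrustPolicy, today: date) -> str:
    # The certificate only establishes identity; without a valid identity, or with no
    # posture record for that identity, there is nothing to evaluate trust against.
    if cert.not_after < today or posture is None:
        return "untrusted"
    for tier, predicate in policy.rules:
        if predicate(posture, today):
            return tier
    return "untrusted"


def decide(cert: DeviceCert, posture: Optional[Posture], policy: TrustPolicy,
           resource: Resource, today: date) -> Tuple[str, bool]:
    """Return (tier, allowed). Trust is re-evaluated on every call, not at cert issuance."""
    tier = evaluate_tier(cert, posture, policy, today)
    return tier, TIERS.index(tier) >= TIERS.index(resource.min_tier)


# Version 1 of the trust definition (assumed thresholds).
POLICY_V1 = TrustPolicy([
    ("highly_privileged", lambda p, t: fresh(p, t) and p.disk_encrypted and p.os_patch_level >= 12),
    ("privileged",        lambda p, t: fresh(p, t) and p.disk_encrypted and p.os_patch_level >= 10),
    ("basic",             lambda p, t: p.disk_encrypted),
])

# Version 2 raises the patch bar. No certificate is touched; it applies at the next evaluation.
POLICY_V2 = TrustPolicy([
    ("highly_privileged", lambda p, t: fresh(p, t) and p.disk_encrypted and p.os_patch_level >= 14),
    ("privileged",        lambda p, t: fresh(p, t) and p.disk_encrypted and p.os_patch_level >= 12),
    ("basic",             lambda p, t: p.disk_encrypted),
])

# Constructed resources and devices for the example.
FINANCIALS = Resource("corp-financials", "highly_privileged")
INTERNAL_WIKI = Resource("internal-wiki", "privileged")
LOBBY_DASHBOARD = Resource("lobby-dashboard", "basic")

TODAY = date(2024, 6, 1)
CERT = DeviceCert("laptop-0042", not_after=date(2025, 1, 1))        # issued once, months of validity
EXPIRED_CERT = DeviceCert("laptop-0007", not_after=date(2024, 1, 1))
GOOD = Posture(os_patch_level=12, disk_encrypted=True, agent_last_seen=TODAY)
STALE = Posture(os_patch_level=12, disk_encrypted=True, agent_last_seen=TODAY - timedelta(days=30))


def demo() -> dict:
    """Same certificate throughout; only the policy or the posture changes."""
    return {
        "v1_financials": decide(CERT, GOOD, POLICY_V1, FINANCIALS, TODAY),
        "v2_financials": decide(CERT, GOOD, POLICY_V2, FINANCIALS, TODAY),   # degraded, not revoked
        "v2_wiki": decide(CERT, GOOD, POLICY_V2, INTERNAL_WIKI, TODAY),
        "stale_wiki": decide(CERT, STALE, POLICY_V2, INTERNAL_WIKI, TODAY),
        "stale_dashboard": decide(CERT, STALE, POLICY_V2, LOBBY_DASHBOARD, TODAY),
        "expired_dashboard": decide(EXPIRED_CERT, GOOD, POLICY_V2, LOBBY_DASHBOARD, TODAY),
    }


if __name__ == "__main__":
    for name, (tier, allowed) in demo().items():
        print(f"{name:18s} tier={tier:18s} allowed={allowed}")
```

The point to take from the run is the `v2_financials` row: the same certificate that reached the financials under policy v1 drops to `privileged` under v2 and keeps its wiki and dashboard access, where a certificate-as-trust design would have had to revoke it outright. One caveat the example makes visible: the certificate still gates identity, so a lost or compromised device's certificate must still be revoked or allowed to expire (the `expired_dashboard` row); tiered access moves trust out of the certificate, it does not remove the identity layer's own lifecycle.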