2

I am learning a bit about IT-Security and I wonder if there is a concept where you can get certificates for a specific device that approves the device is safe and not compromised.

Lets say you want to use you own Laptop at work but they need to be sure your Laptop is not compromised. So you go somewhere to a trusted authority and they check your device and create some kind of certificate with all information according to this inspection, like the date and maybe a metric for how safe it is etc. Then you can show this certificate your boss that your laptop has been checked for viruses and vulnerabilities.

I tried to google it but I dont know if it exists or what to google for. Maybe you can give me some keywords to look for.

schroeder
  • 123,438
  • 55
  • 284
  • 319
hadamard
  • 125
  • 3
  • There are lots of "certificates", but they are for very specific things. "Not compromised" is too vague. For example EAL7+ proves formal verification of the operating system architecture. NATO SDIP-27 A is for resisting a specific type of "TEMPEST" attacks, etc. And there are hundreds of MIL-STDs. – forest Mar 10 '19 at 06:07

2 Answers2

3

Certificates like that only exist at the point of device manufacture. If you were to walk in, get it inspected and certified, then as soon as you walk out the door, the certificate is useless for determining if it is still fine. It only certifies the state of the device at the point in time of the inspection.

What is done instead is to run agents on the device that provide live updates on whether the device is fine or not. That agent can then talk to the network and the network can allow the device on the network. This is a form of Network Access Control. This can be done for employer-owned devices and is also used to allow BYOD devices onto an employer's network.

There are different ways of doing this, too. Either by enforcing a certain level of security on the device (by doing it) or by verifying what has been done and notifying the network as to the level of security that the device has. Different parts of the network can allow different levels of security, for instance.

schroeder
  • 123,438
  • 55
  • 284
  • 319
1

I am learning a bit about IT-Security and I wonder if there is a concept where you can get certificates for a specific device that approves the device is safe and not compromised.

Probably no, and I won't really spend any time on whatever this exists or not, but rather why it's worthless and pointless.

Security is not a state. It's a process. This can be seen for instance with operating system patches, and other software updates. Bugs are found in software, and some of them have security implications. If those bugs are known, but not patched, the system can no longer be considered secure, even though you could consider it secure yesterday. A certificate for the security of a device would be worthless the minute after it was issued.

Compare this with a lock. You may consider the lock secure, but if the key becomes known, you can't consider it secure anymore.

In addition, configuration can lead to insecurities. If you set a four-character password on the administrative account of a device, it can be fully up to date, yet wildly insecure - because it's trivially breakable trough intended mechanisms.

In your case, where a employer wants to ensure that devices are secure, this is done in the process fashion. You have a management environment, typically Active Directory and System Center, that enforces things like Windows updates, patching and security policies.

It ensures that users cannot choose four character passwords. It forces installation of updates. It disallows enabling RDP, and so forth, thereby reaching a secure state. But the security is achieved through the process, and the state is a moving target.

vidarlo
  • 12,850
  • 2
  • 35
  • 47