Edgewise is now part of the Zscaler family. Learn More

Aligning Edgewise with the NIST CSF (Part 2 of 5: Protect)

In the first blog post in this series we described how the Edgewise platform maps to the steps and recommendations included in the “Identify” section of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is an authoritative source for designing, maintaining, and enhancing enterprises’ cybersecurity program strategies, and as such, we at Edgewise are frequently asked how our technology aligns with the framework and/or helps organizations come up to speed with industry best practices.

This blog post endeavors to answer the above questions and describe, where appropriate, the means by which Edgewise can be a valuable resource in the process of achieving NIST CSF compatibility for protecting data, applications, services, and processes within companies’ hybrid clouds.



Source: https://www.nist.gov


The Second Core Function of the CSF is “Protect,” a term many consider synonymous with “security.” With “Identify” (the first Core Function) information in hand, organizations can now begin an assessment and application of preventative measures that proactively keep network workloads free from unauthorized activity.

Per the published guidance, elements of the Core Function “Protect” include:

“Identity Management, Authentication and Access Control: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

Awareness and Training: The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity related duties and responsibilities consistent with related policies, procedures, and agreements.

Data Security: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

Maintenance: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”

Core functions in “Protect” can be mapped to Edgewise in the following ways:

Stay on the cutting edge. Subscribe to our blog.

Identity Management, Authentication and Access Control: Edgewise is a zero trust platform, which means that by design system authorization and authentication are granted for users, processes, and devices only if strict verification criteria are met every time a connection request is sent or received. Unlike traditional network security tools, every communication in an Edgewise-managed environment is considered potentially compromised and is therefore untrusted, even if it was trusted to communicate previously. This “rechecking” process ensures that if users, devices, or processes are exploited after initial network permission is granted, traffic will be disallowed from further communication, effectively preventing the spread of malware and further compromise.

Edgewise accomplishes this by building a unique identity (i.e., fingerprint) for every communicating workload on the network. This identity determines and manages access permissions in an organization’s cloud, on-premises data center, or container, and also ensures that security policies can’t be separated from the communicating entity.

As such, linking to the CSF subcategories in this section:

  • Access permissions and authorizations in Edgewise are managed and audited, incorporating the principles of least privilege and separation of duties, based on workload identity.
  • Edgewise policies are bound to the identities of assets, and those identities are cryptographically secure, asserted, and continuously validated to ensure the integrity of the network.
  • By bidirectionally validating the identity of applications and services, Edgewise applies a second factor of authentication ("who you are") to software transactions ("what you know").

Awareness and Training: Although not a one-to-one match for the guidance in the NIST CSF, Edgewise uniformly enforces security policies and privileges throughout an organization’s myriad networks, independent of network location. As part of the zero trust methodology, least-privilege access is enforced for all users, devices, and processes based on identity, and system administrators can always see how security policies were applied to any application or service.

Though Edgewise cannot replace an organization’s security awareness and training program, it can help enforce the policies, procedures, and agreements defined by the organization and socialized through cybersecurity education.

Data Security: Protecting the confidentiality and availability of our customers’ data is the ultimate goal of the Edgewise platform. Edgewise works by constantly checking the integrity of software, firmware, and applications as they communicate throughout the network. Based on software/service identity, Edgewise uses machine learning to build and recommend adaptive security policies that are:

  • Inseparable from the workload (at rest and in transit).
  • Environment agnostic (i.e., do not rely on network constructs like IP address, port, or protocol).
  • Able to:
    • automatically detect when protected workloads have been altered;
    • prevent them from communicating; and
    • limit ensuing system damage which could lead to data leaks, system or data unavailability, or compromise the confidentiality or integrity of information.

Unauthorized access to and tampering with data in transit is prevented because only authorized programs can communicate with database and file services. Similar restrictions are applied throughout the entire chain of custody for all connected (or potentially connected) software. As a result, when coupled with encryption tools that protect data at rest, Edgewise enables organizations to satisfy NIST CSF risk requirements around data security.

Information Protection Processes and Procedures: As soon as the Edgewise agent is deployed in an organization’s network environment, Edgewise begins discovering, mapping, and visualizing communicating workloads. A risk rating is then created based on the current network attack surface and compared to the reduction that can be achieved after applying Edgewise policies. In this way, Edgewise provides a baseline of “normal” network communications and highlights anomalies when they appear, which allows companies to continually reassess the efficacy of the Edgewise platform as a protection mechanism. Doing so means that the organization can consistently evaluate how it is managing the security program to maintain processes and procedures that address vulnerabilities and prevent large-scale information system and asset exploitation by malicious actors.

Further, Edgewise enables consistent information security policies, processes, and procedures related to organizations’ data assets, from application development through deployment and ongoing use, and across any network environment (public cloud, hybrid cloud, on-premises data center, container). Unlike traditional network security controls, which are defined by network addresses and packet information, Edgewise protects information systems and assets based on application identity. This means that application owners/developers and network/security practitioners share one, common language to both define and apply policy, which results in consistent change control processes when topological changes to an environment occur.

Maintenance: This category in the CSF cannot be mapped directly to Edgewise, as “maintenance and repairs” are outside the scope of our technology. However, Edgewise allows companies to monitor their network environments for any modified application, host, or service communication, which means that potential malicious activity can be easily remediated. Edgewise policies are resilient to authorized changes so that protection continues even during maintenance issues.

Protective Technology: Edgewise was built expressly to address this category. Starting with subcategory 1, Edgewise provides a detailed auditing system that logs all changes to the Edgewise system as well as the impact of all Edgewise security policies. In addition, Edgewise captures and audits all application communication, which includes not only network address/port/protocol information, but also the identity of the software involved in the transactions. This information is provided in both the Edgewise Console as well as available through a secure and authenticated REST API where it can be integrated into other systems like SIEM and log management tools.

Moving down through the NIST recommendation to address subcategories 3 and 4, as a zero trust platform, Edgewise always enforces the principle of least privilege, which means that only essential and verified assets can connect in an organization’s network, and only with the lowest level of authorization required for them to function properly. This, in turn, reduces the risk that network communications pose to the organization.

Further, because all communication in an Edgewise-enabled organization is protected based on workload identity, security control cannot be decoupled from the workload, and all communications are automatically mapped. The mapping process results in an audit trail that administrators can use to align technical controls with policy, evaluate the impact applied policies have had on the environment, and ensure blind spots in protection coverage don’t exist.

Finally, in accordance with subcategory 5, Edgewise security policies fully support load balancers and failover situations. Because policies are based on identity and not IP addresses, additional systems (for high load) or backup systems (for failover) automatically inherit and apply the security policies based on the software running on those systems. If parts of the network fail and need to be rerouted, Edgewise policies continue to operate because they are dependent on source and destination identities, not the physical route in between. In this way, security policies are resilient to both expected and unexpected change.

The wrap up

Edgewise takes a workload identity-based approach to securing software and services in enterprises’ on-premises, cloud, and container environments. Using our patented technology to bidirectionally authorize and authenticate every workload before it’s allowed to connect, Edgewise ensures organizations have the most hardened level of protection for applications, hosts, users, and services communicating on their networks.

In the next post we’ll explain Edgewise helps organizations detect malicious activity, an important element of any comprehensive security program.

Katherine Teitler, Director of Content

Written by Katherine Teitler, Director of Content

Katherine Teitler leads content strategy and development for Edgewise Networks. In her role as Director of Content she is a storyteller; a translator; and liaison between sales, marketing, and the customer. Prior to Edgewise, Katherine was the Director of Content for MISTI, a global training and events company, where she was in charge of digital content strategy and programming for the company's cybersecurity events, and the Director of Content at IANS, where she built, managed, and contributed to the company's research portal.