Episode 11: Remote Attestation Helps Zero Trust

Zero trust is an important information security architectural shift. Cyber breaches have increased in intensity, frequency and, most alarmingly, impact, leaving many organizations trying to figure out how to manage continuous cyber threats while still maintaining, and communicating, trust to their stakeholders. Attestation can provide system-level remediation and resiliency while ensuring transparency of compliance with industry security controls and benchmarks.

In this edition of Cybersecurity Where You Are, host and CIS Chief Information Security Officer (CISO) Sean Atkinson welcomes guest Kathleen Moriarty, Chief Technology Officer (CTO) at CIS. Together, the two discuss attestation in terms of hardware and software, and the process of performing a posture assessment.

This week’s Cybersecurity Where You Are podcast highlights:

  • Automated attestation processes
  • Vendor attestation capabilities
  • Root of trust via Trusted Platform Module (TPM)
  • Method of verification for zero trust
  • Attestation at scale

As we consider posture assessment across systems, scale is imperative, and so is the overall effectiveness of controls. Security assessment controls are typically specific to a software package or operating system the further up the stack you go.

Attestations are typically used within a system; they are designed to be validated, providing assurance across the full set specified for the component, including hardware, firmware, software, and libraries. It is important to perform this validation on a system and allow remediation to occur if necessary. In some cases remediation may be limited to notification, where automatic remediation could impact availability. Once the full set of attestations can be validated on a system, a single attestation may be created to assert the assurance level assessed by the local verification process. This attestation on the set of controls, verified with local attestation, could then be made available as a remote attestation.

Remote attestation and zero trust

Zero trust begins with infrastructure assurance; it has become pervasive up the stack and across applications. A hardware root of trust (RoT) is immutable, with a cryptographic identity bound to the Trusted Platform Module (TPM).

Attestations are signed by a RoT at each stage of the boot process and are used both to identify the relying components and to provide an assurance of trust. At the most basic level, attestations identify the system and confirm that its components are working as required. The dependencies may be chained or may be verified individually. These attestations are also provided at runtime, supporting the zero trust requirement for dynamic authentication and access control. Attestations help meet the requirement to verify the identity of components, which is essential for providing assurance of those components.
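The local-then-remote flow described above and in the earlier section, as an added Python illustration that is not code from the episode or from CIS: each stage's measurement is checked against constructed reference values, both individually and as a TPM-style extended chain, and the outcome is folded into one signed summary attestation that a relying party can verify. The assurance-level policy, the reference values and the HMAC key standing in for the RoT's signing key are all assumptions made for the example.

```python
import hashlib
import hmac
import json

# Boot/runtime stages in the order they are measured (constructed example set).
STAGES = ["hardware", "firmware", "software", "libraries"]
# Constructed known-good measurements; in practice these are vendor reference values.
GOLDEN = {s: hashlib.sha256(f"good-{s}".encode()).hexdigest() for s in STAGES}
# Assumed key standing in for the RoT's attestation key (a real TPM signs asymmetrically).
ROT_KEY = b"constructed-rot-key"

def extend(register: str, measurement: str) -> str:
    """TPM-style PCR extend: new = SHA-256(old || measurement)."""
    return hashlib.sha256(bytes.fromhex(register) + bytes.fromhex(measurement)).hexdigest()

def chain_digest(measurements: dict) -> str:
    """Fold the per-stage measurements into one chained register value."""
    reg = "00" * 32
    for stage in STAGES:
        reg = extend(reg, measurements.get(stage, ""))
    return reg

def verify_locally(measurements: dict) -> dict:
    """Check each stage individually and as a chain, then decide on remediation."""
    failed = [s for s in STAGES if not hmac.compare_digest(measurements.get(s, ""), GOLDEN[s])]
    chain_ok = chain_digest(measurements) == chain_digest(GOLDEN)
    if not failed and chain_ok:
        level, action = "high", "none"
    elif failed == ["libraries"]:
        level, action = "medium", "remediate"  # library drift is repairable in place
    else:
        # Constructed policy: a lower-stage mismatch only triggers notification,
        # since reflashing firmware or replacing hardware could impact availability.
        level, action = "low", "notify"
    return {"failed": failed, "chain_ok": chain_ok, "assurance": level, "action": action}

def summary_attestation(measurements: dict) -> dict:
    """One signed attestation asserting the locally assessed assurance level."""
    result = verify_locally(measurements)
    claims = {"assurance": result["assurance"], "chain": chain_digest(measurements)}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(ROT_KEY, body, hashlib.sha256).hexdigest()}

def verify_remote(att: dict) -> bool:
    """Relying party checks the signature before trusting the asserted level."""
    body = json.dumps(att["claims"], sort_keys=True).encode()
    good = hmac.new(ROT_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(att["sig"], good)
```

A relying party that accepts the summary only after `verify_remote` succeeds never needs the individual stage measurements, which is what lets the local verification scale out across many systems.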

The Atkinson 9

Tune in to this week’s Cybersecurity Where You Are podcast for the “why” behind Kathleen Moriarty’s answers to the infamous “Atkinson 9”:

  1. What is your favorite CIS Control?
    Moriarty: CIS Control 1 – Inventory and Control of Enterprise Assets
  2. What is your least favorite part of your profession?
    Moriarty: It keeps me up at night.
  3. Why do you like the cybersecurity industry?
    Moriarty: It’s a constant challenge.
  4. Why don’t you like cybersecurity?
    Moriarty: The inefficiencies that we have right now.
  5. What source of data log or telemetry do you not like?
    Moriarty: I don’t like that we have to do translation engines in between every format because nothing aligns.
  6. What is the biggest waste of time in cybersecurity?
    Moriarty: Pass
  7. What profession other than your own would you like to attempt?
    Moriarty: None; I have a passion for information security.
  8. What profession would you avoid?
    Moriarty: Compliance.
  9. At the end of your career, how would you like to be remembered?
    Moriarty: That I made an impact.

Episode Resources