The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The trusted device that wasn't

The scenario:

  • Compliant device. Valid certificate. Malware running underneath.

  • Device trust policies verify configuration - is the firewall on, is the disk encrypted, is the OS patched. They don't verify that the device isn't already compromised. An attacker who controls the endpoint can often keep it compliant while exfiltrating data, because the malware operates below the level the compliance checks inspect.

  • This creates false confidence. The device meets policy, so it's trusted. But policy compliance is point-in-time: the device that was clean this morning might be compromised by lunch. And sophisticated malware specifically avoids tripping the controls that would fail a compliance check.

  • Layer behavioural monitoring on top of device compliance, so you are watching what the device does, not just how it is configured. Look for unusual data access patterns, unexpected network connections, and process anomalies. Apply zero trust principles that verify continuously, not just at connection time. Assume devices can be compromised and design access controls accordingly.

  • Device trust is a starting point, not an endpoint. The policies that gate access need to be paired with monitoring that catches what policies miss.
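To make the "compliant but compromised" gap concrete, here is an added example (not from this newsletter, and not any vendor's product code) of continuous device-trust evaluation. A posture check of the kind a conditional access policy runs at sign-in passes, and a separate pass over device telemetry compares behaviour against the device's own baseline. The device posture, the baseline, the telemetry events and the host names and addresses in them are all constructed for this illustration; the thresholds are assumptions, not recommended values.

```python
"""Continuous device-trust evaluation: posture check plus behavioural signals.

Added example (not from the newsletter). A device that passes every posture
check is downgraded from "allow" to "step_up" when its telemetry leaves its
baseline. All posture data, baselines and events below are constructed.
"""
from datetime import datetime, timedelta


def is_compliant(posture: dict) -> bool:
    """Point-in-time compliance: configuration only, says nothing about compromise."""
    return (posture.get("firewall_on") is True
            and posture.get("disk_encrypted") is True
            and posture.get("os_patch_age_days", 999) <= 30)   # assumed 30-day patch SLA


def behavioural_findings(events: list[dict], baseline: dict,
                         window: timedelta = timedelta(hours=1)) -> list[str]:
    """Compare telemetry against the device's own baseline; return anomaly descriptions."""
    findings = []
    reads_in_window: list[datetime] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "net_conn" and ev["dst"] not in baseline["known_destinations"]:
            findings.append(f"unexpected outbound connection to {ev['dst']}:{ev['port']}")
        elif ev["type"] == "file_read":
            # Sliding window over file reads: keep only reads within `window` of this one.
            reads_in_window.append(ev["ts"])
            reads_in_window = [t for t in reads_in_window if ev["ts"] - t <= window]
            if len(reads_in_window) > baseline["max_file_reads_per_hour"]:
                findings.append(f"file access rate {len(reads_in_window)}/h exceeds baseline "
                                f"{baseline['max_file_reads_per_hour']}/h at {ev['ts']:%H:%M}")
                reads_in_window = []  # one burst yields one finding, not one per read
        elif ev["type"] == "process" and ev["image"] not in baseline["known_processes"]:
            findings.append(f"unrecognised process {ev['image']}")
    return findings


def access_decision(posture: dict, events: list[dict], baseline: dict):
    """Continuous verification: compliance is necessary, behaviour decides the outcome."""
    if not is_compliant(posture):
        return "block", ["device non-compliant"]
    findings = behavioural_findings(events, baseline)
    if not findings:
        return "allow", []
    return "step_up", findings   # re-authenticate, restrict scope, and raise an alert


# --- constructed sample data -------------------------------------------------
DEVICE_POSTURE = {"firewall_on": True, "disk_encrypted": True, "os_patch_age_days": 4}

BASELINE = {
    "known_destinations": {"mail.example.com", "files.example.com"},
    "known_processes": {"outlook.exe", "excel.exe"},
    "max_file_reads_per_hour": 50,            # assumed per-device baseline
}

_T0 = datetime(2024, 1, 15, 9, 0)
EVENTS = [
    {"ts": _T0, "type": "process", "image": "outlook.exe"},
    {"ts": _T0 + timedelta(minutes=1), "type": "net_conn", "dst": "mail.example.com", "port": 443},
]
# 80 file reads in 20 minutes: well above the 50/hour baseline.
EVENTS += [{"ts": _T0 + timedelta(minutes=5, seconds=15 * i), "type": "file_read",
            "path": f"/share/finance/doc{i}.xlsx"} for i in range(80)]
EVENTS += [
    # 203.0.113.7 is a documentation-range address, used here as a constructed unknown host.
    {"ts": _T0 + timedelta(minutes=30), "type": "net_conn", "dst": "203.0.113.7", "port": 443},
    {"ts": _T0 + timedelta(minutes=31), "type": "process", "image": "svc-helper.exe"},
]

if __name__ == "__main__":
    print("compliant at sign-in:", is_compliant(DEVICE_POSTURE))
    decision, why = access_decision(DEVICE_POSTURE, EVENTS, BASELINE)
    print("continuous decision:", decision)
    for line in why:
        print("  -", line)
```

The point of the split is that `is_compliant` would return the same answer all day, while `access_decision` changes as soon as the telemetry does; the posture check is the gate the newsletter describes, and the behavioural pass is the "one behavioural signal" it asks you to add.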

Do this:

Review your conditional access policies. Are you just checking compliance at login, or continuously? Add one behavioural signal to your monitoring this month.