Visibility first, then zero trust: A guide to understanding CISA’s maturity model

Government commitment to zero trust implementation has risen significantly, as evidenced by Biden’s executive order on cybersecurity this year, along with recent guidance from the Office of Management and Budget and the Cybersecurity and Infrastructure Security Agency that provides a roadmap for federal civilian agencies to securely migrate to cloud architectures and implement zero trust strategies.

CISA’s Zero Trust Maturity Model is designed to help agencies comply with the zero trust requirements of the executive order by providing a practical and technical roadmap that agencies can use as they move towards zero trust adoption. However, the process will not be easy for many agencies given the increased complexity of their IT environments and a lack of visibility into the growing volume of applications, workflows, data flows, and the interdependencies between them.

Successful zero trust implementation will be contingent on agencies’ understanding of basic zero trust principles, their understanding of the benchmarks outlined in CISA’s Zero Trust Security Model, and most importantly, visibility. Nowhere is visibility more important than on the zero trust journey. To truly engage with the steps outlined in the model, agencies will need a baseline that identifies and maps out all assets in the environment: applications, workflows, data, data centers and their interdependencies. This will be critical not just for understanding and using the CISA Zero Trust Maturity Model, but also for implementing zero trust security controls.

Understanding CISA’s Zero Trust Maturity Model

CISA’s model represents a gradient of implementation across five distinct pillars based on the foundations of zero trust, along which organizations can advance over time toward optimization. Each pillar is meant to provide agencies with examples of a traditional, advanced, and optimal zero trust architecture, with details regarding visibility and analytics, automation and orchestration, and governance. The pillars are:

  1. Identity
  2. Device
  3. Network/Environment
  4. Application Workload
  5. Data

Organizations leveraging the CISA model will have the opportunity to increase their reliance on automation, allowing them to become more dynamic and accurate in their policy enforcement decisions.

How to use CISA’s Zero Trust Maturity Model and the role of visibility

Organizations will rightly begin their journey by focusing on their most critical functions and sensitive data. To do so accurately, they must first scope and map the interdependencies of these functions in order to understand the attack surface, business dependencies, and scope of assets requiring protection. This is where visibility plays a key role. Once the functions have been mapped, modern zero trust architecture (ZTA) approaches use this knowledge to compute security control policies for assessment and testing, and can drive them into the enforcement controls associated with the organization’s computing environments, which will become increasingly heterogeneous with the move to cloud. Reaching this point is not the end of the story: in modern cloud computing architectures, applications and their interdependencies are constantly changing, and the ZTA solution needs to be able to recognize and accommodate those changes. This is why dynamic visibility will eventually be required. Data-driven automation is the key to managing the applications that deliver critical business functions through their ZTA lifecycle.

The actual implementation can be overwhelming, though, as agencies try to decode the complicated requirements outlined. However, the CISA Zero Trust Maturity Model looks to make this easy through specific steps to take as a starting point. The steps include:

  1. Identify actors on the enterprise.
  2. Identify assets owned by the enterprise.
  3. Identify key processes and evaluate the risks associated with executing each process.
  4. Formulate policies for the ZTA candidate.
  5. Identify candidate solutions.
  6. Initial deployment and monitoring.

The key takeaway from these steps is that each of them leads with one core requirement: visibility. Visibility into actors, assets, processes and their relationships. Zero trust presents a shift from a location-centric model to a more identity- and data-centric approach, with fine-grained security controls between users, systems, data and assets that change over time. For these reasons, moving to a ZTA is non-trivial; done properly, it provides the visibility needed to support the development, implementation, enforcement and operation of security policies.
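The sequence the article describes (map observed flows into an asset and dependency inventory, scope the critical function through its dependency chain, formulate allow policies from that baseline, then monitor for flows the baseline never saw) can be made concrete in a few dozen lines. The following Python sketch is an added example, not code from the article, CISA or vArmour; the application names, ports and flow records are constructed stand-ins for what flow logs or telemetry would supply in practice.

```python
"""Visibility-first zero trust in miniature: build a dependency map from
observed flows, derive least-privilege allow rules for a critical function,
and flag drift. Hypothetical example; all names and flows are constructed."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src_app: str      # application tag of the connecting workload
    dst_app: str      # application tag of the listening workload
    dst_port: int
    proto: str


# Constructed baseline: flows observed during the mapping phase. In a real
# environment these would come from flow logs or agent telemetry.
BASELINE_FLOWS: List[Flow] = [
    Flow("web-frontend", "payments-api", 8443, "tcp"),
    Flow("web-frontend", "payments-api", 8443, "tcp"),   # repeat observation
    Flow("payments-api", "payments-db", 5432, "tcp"),
    Flow("payments-api", "ldap", 636, "tcp"),
    Flow("reporting-batch", "payments-db", 5432, "tcp"),
    Flow("web-frontend", "cdn-cache", 443, "tcp"),
]

Rule = Tuple[str, str, int, str]   # (src_app, dst_app, dst_port, proto)
Dependency = Tuple[str, int, str]  # (dst_app, dst_port, proto)


def build_dependency_map(flows: List[Flow]) -> Dict[str, Set[Dependency]]:
    """Steps 2 and 3: for each application, which other applications does it
    depend on, and over which port and protocol? Repeats collapse into one."""
    deps: Dict[str, Set[Dependency]] = defaultdict(set)
    for f in flows:
        deps[f.src_app].add((f.dst_app, f.dst_port, f.proto))
    return dict(deps)


def scope_critical_function(deps: Dict[str, Set[Dependency]],
                            roots: Set[str]) -> Set[str]:
    """Follow the dependency chain transitively so the protected scope is the
    whole function, not only the application someone named."""
    scope: Set[str] = set()
    stack = list(roots)
    while stack:
        app = stack.pop()
        if app in scope:
            continue
        scope.add(app)
        for dst, _port, _proto in deps.get(app, ()):
            stack.append(dst)
    return scope


def derive_allow_policy(flows: List[Flow], scope: Set[str]) -> FrozenSet[Rule]:
    """Step 4: formulate policy. Only observed flows whose destination lies in
    the protected scope become explicit allow rules; anything else toward the
    scope is implicitly denied."""
    return frozenset(
        (f.src_app, f.dst_app, f.dst_port, f.proto)
        for f in flows if f.dst_app in scope
    )


def evaluate_flow(policy: FrozenSet[Rule], scope: Set[str], flow: Flow) -> str:
    """Step 6: monitoring. 'allow' for a baselined flow, 'review' for a new
    flow into the scope (dependency drift to re-map before enforcement), and
    'out-of-scope' for traffic this policy does not govern."""
    if flow.dst_app not in scope:
        return "out-of-scope"
    if (flow.src_app, flow.dst_app, flow.dst_port, flow.proto) in policy:
        return "allow"
    return "review"


if __name__ == "__main__":
    deps = build_dependency_map(BASELINE_FLOWS)
    scope = scope_critical_function(deps, {"payments-api"})
    policy = derive_allow_policy(BASELINE_FLOWS, scope)
    print("scope:", sorted(scope))
    for rule in sorted(policy):
        print("allow", rule)
    # A flow the baseline never saw: drift to investigate, not silently permit.
    print(evaluate_flow(policy, scope, Flow("web-frontend", "payments-db", 5432, "tcp")))
```

The point of the `review` outcome is the article's "dynamic visibility": when a new dependency appears, the map is updated and the policy recomputed from evidence rather than guessed, which is what keeps enforcement from breaking the function it is meant to protect.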

Implementing zero trust correctly mandates significant investment in visibility and analytics across the organization. Not investing in proper visibility can lead to delays or, worse, failure, because you cannot protect what you can’t see.

Marc Woolward is the chief technology officer and chief information security officer of vArmour, and Kate Kuehn is the senior vice president of Business Development for vArmour.
