US Federal Agencies are among the favorite targets of Advanced Persistent Threats, such as state actors. A significant cause of these breaches is weak cloud security, insider threats, a risky supply chain, and the implicit trust granted to a user or system once it is authenticated and authorized.
Cyber defense requires greater speed and agility to outpace our adversaries, increase resiliency, build response capabilities to recover immediately while significantly raising the time and cost to these adversaries.
There are various Zero Trust (ZT) standards, such as those from NIST, NSA and DoD, but how can an organization implement ZT incrementally to mature its Zero Trust capability?
That's where the DHS CISA Zero Trust Maturity Model (ZTMM) comes in handy for developing a roadmap to ZT maturity.
There are three stages used to identify maturity in your Zero Trust Architecture (ZTA): Traditional, Advanced, and Optimal.
ZTA should always be evolving and adapting, while meeting the standard of "least privilege to complete the necessary work".
In the following sections, we will discuss how we can implement the five pillars of the Zero Trust model using ZTMM. Each section will detail the level of maturity and what you can expect to see in terms of ZT implementation.
Traditional cybersecurity authenticates identity using either passwords or multi-factor authentication (MFA). Agencies make limited determinations of identity risk and segment user activities using basic, static attributes. Agencies manually audit identities and permissions after initial provisioning, using static technical enforcement of credential policies.
At the Advanced maturity level, agencies have moved towards automation and multiple checks on identity, use MFA rather than single passwords, and monitor some cloud environments along with on-premises systems. Simple analytics and static rules determine risk assessments. Policy-based automated access revocation emerges, and shared accounts are eliminated entirely.
At the Optimal maturity level, an organization continuously validates identity, not just when access is initially granted. Agencies analyze user behavior in real time, using machine learning algorithms to determine risk and deliver ongoing protection. Agencies centralize user visibility with high-fidelity attributes and user and entity behavior analytics (UEBA).
Organizations fully orchestrate the identity lifecycle: dynamic user profiling, dynamic identity and group membership, and just-in-time and just-enough access controls are implemented. This leads to fully automated enforcement of policies, with policy updates reflecting new orchestration options.
Under traditional cybersecurity practices, agencies have limited visibility into device compliance. Agencies manually define and enforce device acquisition channels and establish and implement an inventory frequency policy. Device retirement requires extensive sanitization to remove residual access and data.
Advanced Zero Trust maturity moves towards automation and constant monitoring. Agencies use automated methods to manage assets, identify vulnerabilities and patch assets, and reconcile device inventories against sanctioned lists, isolating non-compliant components.
Devices are provisioned using automated, repeatable methods with policy-driven capacity allocations and reactive scaling. Devices natively support modern security functions in hardware.
Optimal ZT constantly monitors and validates device security posture. Access to data considers real-time risk analytics about devices, and integrates asset and vulnerability management across all agency environments, including cloud and remote workspaces.
Agencies continuously run device posture assessments (endpoint detection and response or EDR). Device capacity and deployment use continuous integration and continuous deployment (CI/CD) principles with dynamic scaling. Devices permit data access and use without resident plain-text copies, reducing asset supply chain risks.
At the Traditional level, network architecture is defined by a large perimeter or macro-segmentation. Agencies base threat protections primarily on known threats and static traffic filtering, and explicitly encrypt minimal internal traffic. Agencies use manual policies to identify sanctioned networks, devices, and services, with manual discovery and remediation of unauthorized entities.
At the Advanced level, agencies define more of their network architecture by ingress/egress micro-perimeters with some internal micro-segmentation. Agencies include basic analytics to proactively discover threats, and encrypt all traffic to internal applications as well as some external traffic. Organizations integrate analysis across multiple sensor types and positions with manual, policy-driven alerts and triggers, using automated workflows that are manually initiated to make network and environment changes.
At the Optimal level, network architecture comprises fully distributed ingress/egress micro-perimeters and deeper internal micro-segmentation based around application workflows. Organizations integrate machine learning-based threat protection and filtering with context-based signals. All traffic to internal and external locations is encrypted where possible. Organizations integrate analysis across multiple sensor types and positions with automated alerts and triggers, and network environment configurations use infrastructure-as-code with pervasive automation, following CI/CD deployment models.
Agencies that are in a traditional phase of maturity access applications primarily based on local authorization and static attributes. Agencies have legacy policies and conduct manual enforcement for software development, software asset management, security tests and evaluations (ST&E) at technology insertion, and tracking software dependencies.
Organizations that are in the advanced stage of maturity in ZT have access to applications that rely on centralized authentication, authorization, monitoring, and attributes. All cloud applications and some on-premises applications are directly accessible to users over the internet, with all others available through a VPN. Organizations are integrating application security testing into the application development and deployment process, including the use of dynamic testing methods.
At Optimal maturity, application workloads continuously authorize access to applications, considering real-time risk analytics. This includes strongly integrating threat protections into application workflows, with analytics that understand and account for application behavior. All applications are directly accessible to users over the internet. Agencies integrate application security testing throughout the development and deployment process, with regular automated testing of deployed applications, and perform continuous and dynamic application health and security monitoring with external sensors and systems. Applications adapt to ongoing environmental changes for security and performance optimization. Organizations update policies and enforce them dynamically.
At the Traditional phase of maturity, the data pillar relies on manual data categorization and poor data inventorying, leading to inconsistent categorization. Agencies govern access to data using static access controls and primarily store data in on-premises data stores, where it is decrypted at rest. Data categorization and data access authorizations are largely defined by distributed decision making.
At the Advanced phase of maturity, organizations primarily inventory data manually with some automated tracking. Access to data is governed using least privilege controls that consider identity, device risk, and other attributes. Agencies store data in cloud or remote environments where it is encrypted at rest. Data protections are enforced through mostly technical and some administrative controls.
With Optimal maturity, data is continuously inventoried through robust tagging and tracking. Agencies augment categorization with machine learning models. Access to data is dynamic, supporting just-in-time and just-enough principles and continual risk-based determinations. All data at rest is encrypted. An agency's data is inventoried and can always be accounted for.
Organizations log and analyze all access events for suspicious behaviors and perform analytics on encrypted data. Organizations automatically enforce strict access controls for high-value data. All high-value data is backed up regardless of its storage location. Data inventories are automatically updated; simultaneously, data protections required by policy are automatically enforced. Data categorization and data access authorizations are defined using a fully unified approach that integrates data, independent of the source.
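The Optimal identity and data behaviors above (continuous validation, risk-based determinations, just-in-time and just-enough access) can be illustrated as a small policy decision point. This is an added example, not code from CISA or the ZTMM; the attribute names, risk thresholds and 15-minute grant lifetime are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Subject:
    user: str
    mfa_verified: bool
    risk_score: float      # constructed: 0.0 (benign) .. 1.0 (hostile), e.g. from a UEBA feed

@dataclass
class Device:
    device_id: str
    compliant: bool        # inventory reconciled against the sanctioned list, patches current
    edr_healthy: bool      # endpoint detection and response agent reporting normally

@dataclass
class Resource:
    name: str
    classification: str    # constructed tags: "public", "internal", "high-value"
    encrypted_at_rest: bool

@dataclass
class Grant:
    resource: str
    expires_at: datetime   # just-in-time: access is time-boxed, never permanent

# Assumed thresholds: the more sensitive the data, the less risk is tolerated.
MAX_RISK = {"public": 0.9, "internal": 0.6, "high-value": 0.3}
JIT_TTL = timedelta(minutes=15)

def decide(subject: Subject, device: Device, resource: Resource,
           now: Optional[datetime] = None) -> Optional[Grant]:
    """Evaluate one access request against identity, device and data signals.
    Returns a short-lived Grant or None (deny). Intended to run on every access."""
    now = now or datetime.now(timezone.utc)
    if not subject.mfa_verified:                     # password alone is never enough
        return None
    if not (device.compliant and device.edr_healthy):  # device posture gates access
        return None
    if resource.classification == "high-value" and not resource.encrypted_at_rest:
        return None                                  # policy: high-value data encrypted at rest
    if subject.risk_score > MAX_RISK[resource.classification]:
        return None                                  # risk-based determination
    return Grant(resource.name, now + JIT_TTL)

def still_valid(grant: Grant, subject: Subject, device: Device,
                resource: Resource, now: datetime) -> bool:
    """Continuous validation: a grant already held is re-checked against current
    signals on each use, so a rising risk score or failed posture revokes it early."""
    return now < grant.expires_at and decide(subject, device, resource, now) is not None
```

The `still_valid` check is what separates the Optimal stage from a traditional model that trusts a session until it expires.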