By Nancy Peaslee
Is Your Agency in Compliance with the CISA Zero Trust Security Model?
You’ve probably heard the cybersecurity term Zero Trust. But do you know what it is and how it can help you better secure your organization’s data and IT assets so you can be in compliance with the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity (Executive Order 14028)?
The Basics: What Is Zero Trust, and the Tenets of Zero Trust
What is Zero Trust (ZT)?
Zero Trust is a cybersecurity model defined in 2009 by John Kindervag, a vice president and principal analyst at Forrester Research. The model is based on the strategy “Never trust, always verify,” which treats trust itself as a vulnerability that must be continually evaluated in a modern IT network.
Sometimes known as perimeter-less security, the tenets of Zero Trust1 describe an approach to the design and implementation of IT systems. As the complexity of IT systems and assets scales over time in an enterprise, a comprehensive Zero Trust strategy can provide a clear plan for scaling.
The Tenets of Zero Trust
- All data sources and computing services are considered resources. An enterprise may also decide to classify personally owned devices as resources if they access enterprise-owned resources.
- All communication is secured regardless of network location. It should also be handled in the most secure manner available, protect confidentiality and integrity, and provide source authentication.
- Access to individual enterprise resources is granted on a per-session basis. Access should also be granted with the least privileges needed to complete the task.
- Access to resources is determined by dynamic policy – including the observable state of client identity, application/service, and the requesting asset – and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets. This, too, requires a robust monitoring and reporting system in place to provide actionable data about the current state of enterprise resources.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Zero Trust Architecture (ZTA)
Zero Trust Architecture focuses on users, assets, and resources based on the premise that nothing can be trusted, regardless of where your assets are or where your users are located (physical or network location). Everything is seen as a threat requiring verification.
Zero Trust cybersecurity paradigms move defenses from static, network-based perimeters to a focus on users, assets, and resources. This shift is a response to enterprise network trends such as remote users, bring your own device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary.
Microsegmentation Practices Scale with the Enterprise
Microsegmentation supports the tenets of Zero Trust and can be thought of as partitioning authentication and authorization prior to a session, for a specific resource. It enables security teams to look at protecting specific resources, not network segments.
Since there is an inherent assumption that an attacker is already in the network, the security team looks to asset protection to prevent data breaches and limit lateral movement. Think about it. Some of the most damaging data breaches have been caused by an adversary’s ability to move around within a network. By using Zero Trust practices, such as locking down individual resources, we create obstacles to that movement.
Granular, consistent, and scalable microsegmentation approaches within an enterprise will meet the cybersecurity needs of the future.
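The tenets listed above (per-session access, least privilege, dynamic policy that weighs identity and device posture, default deny, and collecting information for later analysis) and the per-resource scoping that microsegmentation describes can be made concrete with a small policy decision point. The following is an added example, not code from the original article or from Graham Technologies: the resource names, roles, device attributes and thresholds are constructed assumptions, and a real deployment would source them from an identity provider, an endpoint management system and a policy store.

```python
"""
Added illustration of a per-session Zero Trust policy decision point.
Policy is attached to each resource (microsegmentation), not to a network
segment, and every request is evaluated from scratch: no decision is cached
from a previous session. All names and thresholds below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Subject:
    """Who is asking: identity claims already verified by the identity provider (assumed)."""
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    """Observable posture of the requesting asset (assumed to come from endpoint management)."""
    device_id: str
    managed: bool
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class ResourcePolicy:
    """Access rules scoped to one resource, with least-privilege action lists."""
    allowed_roles: FrozenSet[str]
    allowed_actions: FrozenSet[str]
    require_mfa: bool = True
    require_managed_device: bool = True
    max_patch_age_days: int = 30
    session_ttl_seconds: int = 900  # access is granted per session, never indefinitely


# Constructed policy store: one entry per protected resource.
POLICIES: Dict[str, ResourcePolicy] = {
    "hr-db": ResourcePolicy(frozenset({"hr"}), frozenset({"read"})),
    "wiki": ResourcePolicy(frozenset({"hr", "eng"}), frozenset({"read", "write"}),
                           require_mfa=False),
}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    ttl_seconds: int = 0


def decide(subject: Subject, device: Device, resource: str, action: str) -> Decision:
    """Evaluate one session request. Any failed check denies; unknown resources are denied by default."""
    policy = POLICIES.get(resource)
    if policy is None:
        return Decision(False, ["unknown resource: default deny"])

    reasons: List[str] = []
    if action not in policy.allowed_actions:
        reasons.append(f"action {action!r} is not permitted on {resource}")
    if not (subject.roles & policy.allowed_roles):
        reasons.append(f"user {subject.user} holds no role allowed on {resource}")
    if policy.require_mfa and not subject.mfa_verified:
        reasons.append("multi-factor authentication required")
    if policy.require_managed_device and not device.managed:
        reasons.append(f"device {device.device_id} is not enterprise-managed")
    if not device.disk_encrypted:
        reasons.append(f"device {device.device_id} has no disk encryption")
    if device.patch_age_days > policy.max_patch_age_days:
        reasons.append(f"device {device.device_id} patch level is {device.patch_age_days} days old")

    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["all checks passed"], policy.session_ttl_seconds)


def audit_record(subject: Subject, device: Device, resource: str, action: str,
                 decision: Decision) -> Dict[str, object]:
    """Structured record for the monitoring pipeline; every decision, allowed or not, is logged."""
    return {
        "user": subject.user,
        "device": device.device_id,
        "resource": resource,
        "action": action,
        "allowed": decision.allowed,
        "reasons": list(decision.reasons),
        "ttl_seconds": decision.ttl_seconds,
    }


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"hr"}), mfa_verified=True)
    laptop = Device("lt-0001", managed=True, disk_encrypted=True, patch_age_days=5)
    for res, act in (("hr-db", "read"), ("hr-db", "write"), ("payroll", "read")):
        d = decide(alice, laptop, res, act)
        print(audit_record(alice, laptop, res, act, d))
```

Each denial carries every failed check rather than stopping at the first, which gives the monitoring system (tenet five) actionable data about why an asset was turned away, and the short session TTL forces the evaluation to repeat so that a device that drifts out of compliance loses access at the next session rather than keeping it indefinitely.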
Goals to Consider for Your Zero Trust Strategy
Zero Trust is a journey to implement, and while there are many tools available, there is no one single or simple plug-in solution.
There are many aspects to consider that help define the goals of your Zero Trust strategy:
- Comprehensive review, analysis, and modification of existing cybersecurity policies
- Determination of who (or what systems) to allow access to specific assets or information
- Establishment of allowable communication paths, or internal zones within the enterprise, keeping access rules as refined as possible
- Implementation of the ability to allow or deny sessions
- Continuous enforcement of policies, as well as the ability to monitor, track, and analyze all transactions and access rules within the infrastructure
How to Start Planning Your Strategy
Is your government agency working on a strategy to meet the requirements of the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model that outlines compliance with the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity?
Before implementing Zero Trust fully, you can get started with these steps:
- Inventory all of your IT assets – check out these pointers on IT asset management
- Identify who/what (consider both people and systems) should have access to assets and information. By understanding your resources and information, you can work toward restricting resources to those with a need to have access and provide only the minimum privileges.
- Document current operational workflows, including infrastructure, process flow and information flow
- Map the flow of data across the enterprise to define your architecture and information configuration
As you get started with your approach, it should be designed in conjunction with a standard managed risk approach to better secure your modern IT infrastructure. Zero Trust is a major investment in visibility and analytics and there are many factors that contribute to its successful implementation. Government agencies are entering the execution phase of Biden’s cybersecurity executive order.
Contact us today to learn how Graham Technologies can help your government agency understand and apply the cybersecurity tenets of Zero Trust.
1 Source: Zero Trust Architecture, NIST Special Publication 800-207, August 2020