The CISA Zero Trust Maturity Model Series – Part 2: Devices

CISA’s maturity model focuses on Zero Trust security implementation across five key pillars (Identity, Device, Network, Application Workload and Data) with each pillar having three stages of maturity: traditional, advanced and optimal. As covered in the previous blog and in our Zero Trust Thirty podcasts (most recently Zero Trust for Critical Infrastructure), Identity is the key first step in any Zero Trust security journey. Tied closely is the second pillar, Device, which is covered here. 

The CISA Zero Trust Maturity Model: Scaling security to meet device overload

In the Device pillar, optimal maturity translates to constant security monitoring and device validation, as well as data access that is wholly dependent on real-time risk analytics:

1. Compliance monitoring: Constant monitoring and validation of device security posture
2. Data access: Considers devices’ real-time risk analytics
3. Asset management: Asset and vulnerability management integration across all agency environments, including cloud and remote
4. Visibility and analytics capability: Continuous device posture assessments
5. Automation and orchestration capability: Device capacity and deployment uses continuous integration and continuous deployment (CI/CD) principles with dynamic scaling
6. Governance capability: Devices permit data access and use without resident plain-text copies, reducing asset supply chain risks

If this feels like another way of saying, “who, what, why, where and when,” it is. CISA has outlined a core set of principles that enables dynamic interaction with the device so agencies can understand the state of security at connection and throughout each interaction. This allows them to adjust access privileges dynamically and automatically, ensuring that the user and the device only gain access to what they need and are authorized for at any given time.

Traditional solutions only go so far

With Zero Trust access, a user’s device is not granted access to the network by default. It must first be authenticated, and then given limited access to authenticated resources once dynamic policies and entitlements are provisioned. Then, importantly, the device must be continuously monitored—based on the user’s role, device security posture, location, time and date, and a range of other conditional requirements—to determine if access privileges should be adjusted or revoked entirely.

These dynamic, meta-driven surgical entitlements are conditional and based on context and risk tolerance defined by the enterprise. This is infinitely more secure than relying solely on identity and a static username/password combination (with no device element at all). A “log-in and done” method essentially gives a cyberattacker the keys to the kingdom if they can gain access through a device.

While traditional tools like Network Access Controls (NACs) can provide device discovery and perform configuration checks, they are not capable of creating and enforcing a dynamic policy model to control network access. For example, many NACs can query a device to determine whether it has the required anti-virus solution required by policy. This information is then used to determine whether to allow the device to connect. Unfortunately, this does not meet the #1 requirement to reach optimal maturity in the Device pillar. Specifically, NACs are not presently capable of continuously monitoring a device and use a variety of attributes to terminate or adjust access.

Dynamic and context-aware

What’s needed is a dynamic and context-aware approach such as that offered by Appgate SDP, an industry-leading Zero Trust Access solution used by federal government agencies as they modernize their IT environments, move to the cloud and work to comply with new cybersecurity requirements.

Appgate SDP is 100% identity-centric and seamlessly integrates with organizations’ existing identity management and endpoint tools, tying users and devices together through several unique capabilities:

• Off-the-shelf device posture checking: For devices without enterprise endpoint protection, a deep posture check is critical to limiting risky devices.
• Endpoint detection enhancement: If a device becomes risky after the initial access request, Appgate SDP monitors the ongoing device risk in near real-time and removes entitlements if risk goes up after initial access is granted.
• Lateral movement reduction: Appgate SDP’s micro-segmentation capabilities allow organizations to match each identity (user + device) with their entitlements so that access is granted only to permitted resources. Everything else is invisible, preventing lateral movement on the network even if any attacker were to gain entry via a compromised device.
• Elimination of the “hammer and nail” approach: Traditional, siloed endpoint protection solutions risk impacting workforce productivity by forcing admins to take risky devices offline while conducting further investigation, rendering users unable to do meaningful work. Appgate SDP provides an alternative approach by allowing organizations to dynamically adjust entitlements to reduce exposure to critical resources. This lets users continue to work, with limited access, while greatly reducing risk.

Advancing on your Zero Trust security journey can require myriad cybersecurity tools. An integrated Zero Trust access solution like Appgate SDP can serve as the glue binding these tools together. As the device landscape grows more complex and crowded, this approach can help you accelerate Zero Trust maturity while keeping user productivity intact.

More About Alignment to the CISA Device Pillar

The CISA Zero Trust Maturity Model is a system that validates identities and authenticates devices to prevent data breaches. Agencies need to ensure that these devices are secure and have visibility into the devices themselves. The CISA Device Pillar provides security processes that agencies need to implement and performance metrics to ensure the continual assurance of device security. These include:

• Developing a device-centric strategy and associated risk management plan
• Improving access control mechanisms by using multifactor authentication
• Establishing procedures for monitoring and detecting anomalies
• Conducting regular patch management to reduce the risk of vulnerabilities
• Implementing secure configurations for devices, networks, and operating systems
• Ensuring the use of encrypted communications whenever possible
• Establishing incident response plans to address any security issues that arise quickly
• Training employees on best practices for device security

By taking these CISA Zero Trust measures into account, agencies can ensure that their devices are up-to-date and secure. This helps protect the agency against malicious actors and keeps sensitive data safe. It also assures citizens that their information is being handled responsibly and securely. The CISA Device Pillar is an important part of any organization's cybersecurity strategy, and it helps agencies keep their critical data safe.

Did you know that Appgate SDP is the first and only Common Criteria Certified Zero Trust Network Access solution?

For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division. 

Continue learning about CISA's Zero Trust Maturity Model by reading blogs on pillars three - five: Network, Application Workload and Data. 

Additional Zero Trust security resources: 

Blog: The CISA Zero Trust Maturity Model Series — Part 1: Start with Identity
Blog: Federal march to Zero Trust security
Blog: Control access with identity-centric micro-perimeters
Ebook: Zero Trust Network Access: Everything you need to know
Webinar: Zero Trust for critical infrastructure