Leo TaddeoMarch 25, 2022
The CISA Zero Trust Maturity Model Series – Part 2: Devices
If people are the new perimeter, then the devices they use are more important than ever.
We recently kicked off a blog series exploring the Cybersecurity and Infrastructure Agency’s (CISA) Zero Trust Maturity Model, which underpins the guidelines set forth by the U.S. Office of Management and Budget (OMB) in its final strategy for federal agencies to move toward a Zero Trust security architecture by the end of fiscal year 2024.
CISA’s maturity model focuses on Zero Trust security implementation across five key pillars (Identity, Device, Network, Application Workload and Data) with each pillar having three stages of maturity: traditional, advanced and optimal. As covered in the previous blog and in our Zero Trust Thirty podcasts (most recently Zero Trust for Critical Infrastructure), identity is the key first step in any Zero Trust security journey. Tied closely is the second pillar, Device, which is covered here.
Scaling security to meet device overload
In the Device pillar, optimal maturity translates to constant security monitoring and device validation, as well as data access that is wholly dependent on real-time risk analytics:
- Compliance monitoring: Constant monitoring and validation of device security posture
- Data access: Considers devices’ real-time risk analytics
- Asset management: Asset and vulnerability management integration across all agency environments, including cloud and remote
- Visibility and analytics capability: Continuous device posture assessments
- Automation and orchestration capability: Device capacity and deployment uses continuous integration and continuous deployment (CI/CD) principles with dynamic scaling
- Governance capability: Devices permit data access and use without resident plain-text copies, reducing asset supply chain risks
If this feels like another way of saying, “who, what, why, where and when,” it is. CISA has outlined a core set of principles that enables dynamic interaction with the device so agencies can understand the state of security at connection and throughout each interaction. This allows them to adjust access privileges dynamically and automatically, ensuring that the user and the device only gain access to what they need and are authorized for at any given time.
Traditional solutions only go so far
With Zero Trust access, a user’s device is not granted access to the network by default. It must first be authenticated, and then given limited access to authenticated resources once dynamic policies and entitlements are provisioned. Then, importantly, the device must be continuously monitored—based on the user’s role, device security posture, location, time and date, and a range of other conditional requirements—to determine if access privileges should be adjusted or revoked entirely.
These dynamic, meta-driven surgical entitlements are conditional and based on context and risk tolerance defined by the enterprise. This is infinitely more secure than relying solely on identity and a static username/password combination (with no device element at all). A “log-in and done” method essentially gives a cyberattacker the keys to the kingdom if they can gain access through a device.
While traditional tools like Network Access Controls (NACs) can provide device discovery and perform configuration checks, they are not capable of creating and enforcing a dynamic policy model to control network access. For example, many NACs can query a device to determine whether it has the required anti-virus solution required by policy. This information is then used to determine whether to allow the device to connect. Unfortunately, this does not meet the #1 requirement to reach optimal maturity in the Device pillar. Specifically, NACs are not presently capable of continuously monitoring a device and use a variety of attributes to terminate or adjust access.
Dynamic and context-aware
What’s needed is a dynamic and context-aware approach such as that offered by Appgate SDP, an industry-leading Zero Trust Access solution used by federal government agencies as they modernize their IT environments, move to the cloud and work to comply with new cybersecurity requirements.
Appgate SDP is 100% identity-centric and seamlessly integrates with organizations’ existing identity management and endpoint tools, tying users and devices together through several unique capabilities:
- Off-the-shelf device posture checking: For devices without enterprise endpoint protection, a deep posture check is critical to limiting risky devices.
- Endpoint detection enhancement: If a device becomes risky after the initial access request, Appgate SDP monitors the ongoing device risk in near real-time and removes entitlements if risk goes up after initial access is granted.
- Lateral movement reduction: Appgate SDP’s micro-segmentation capabilities allow organizations to match each identity (user + device) with their entitlements so that access is granted only to permitted resources. Everything else is invisible, preventing lateral movement on the network even if any attacker were to gain entry via a compromised device.
- Elimination of the “hammer and nail” approach: Traditional, siloed endpoint protection solutions risk impacting workforce productivity by forcing admins to take risky devices offline while conducting further investigation, rendering users unable to do meaningful work. Appgate SDP provides an alternative approach by allowing organizations to dynamically adjust entitlements to reduce exposure to critical resources. This lets users continue to work, with limited access, while greatly reducing risk.
Advancing on your Zero Trust security journey can require myriad cybersecurity tools. An integrated Zero Trust access solution like Appgate SDP can serve as the glue binding these tools together. As the device landscape grows more complex and crowded, this approach can help you accelerate Zero Trust maturity while keeping user productivity intact.
For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.
Additional Zero Trust security resources:
UPCOMING WEBINAR: Zero Trust is Not One Size Fits All
Blog: The CISA Zero Trust Maturity Model Series — Part 1: Start with Identity
Blog: Federal march to Zero Trust security
Blog: Control access with identity-centric micro-perimeters
Ebook: Zero Trust Network Access: Everything you need to know
Webinar: Zero Trust for critical infrastructure