Leo Taddeo, April 8, 2022
The CISA Zero Trust Maturity Model Series – Part 3: Network
This is part three of a five-part series on the Cybersecurity and Infrastructure Security Agency's (CISA) Zero Trust Maturity Model. The two previous blogs covered the first two pillars (Identity and Device). This blog delves into pillar #3: Network. The series concludes with blogs on pillar #4, Application Workload, and pillar #5, Data.
CISA’s Zero Trust Maturity Model underpins the guidelines set forth by the U.S. Office of Management and Budget (OMB) in its final strategy for federal agencies to move toward a Zero Trust security architecture by the end of fiscal year 2024.
The maturity model focuses on Zero Trust security implementation across five key pillars (Identity, Device, Network, Application Workload and Data), with each pillar having three stages of maturity (traditional, advanced and optimal). Today, we cover pillar #3: Network.
What is the CISA Zero Trust Maturity Model?
According to CISA’s maturity model, a network “refers to an open communications medium, including agency internal networks, wireless networks, and the Internet, used to transport messages.” At a high level, agencies will have achieved the following in each stage of the Network pillar:
- Traditional: large macro-segmentation; minimal internal or external traffic encryption
- Advanced: defined by ingress/egress micro-perimeters; basic analytics
- Optimal: fully distributed ingress/egress micro-perimeters; machine learning-based threat protection; all traffic encrypted
As they advance on their Zero Trust security journeys, agencies must segment and control their networks and manage internal and external data flows.
Traditional tools, such as next-generation firewalls (NGFW), are no longer the best option to achieve advanced or optimal maturity in Pillar #3. NGFWs are stateful: a single, uniformly applied policy and a shared connection-state table sit in front of every flow, which concentrates attack surface in one place. They are typically deployed as single ingestion points, which creates congestion, and they do not scale for performance compared to modern Zero Trust Network Access (ZTNA) solutions like Appgate SDP. While Appgate SDP can achieve 9 Gbps as a virtual service, NGFWs suffer the same shared-state issue as regular firewalls, which limits their performance to sub-1 Gbps.
Leveraging ZTNA solutions to achieve higher-level maturity
As IT environments become more complex—via growth in hybrid and/or multi-cloud infrastructure, device proliferation and remote work—and cyberthreats intensify, legacy network security solutions like VPNs are inadequate, as they essentially provide access to large segments of the network once a user is authenticated.
ZTNA solutions offer more fine-grained segmentation and protection and are now the industry-leading standard for secure enterprise access control. In fact, according to Gartner, “By 2025, at least 70% of new remote access deployments will be served predominantly by ZTNA as opposed to VPN services, up from less than 10% at the end of 2021.”1
ZTNA is based on the fundamental principle that no user, human or machine, should be automatically granted access to anything. With ZTNA, a user is denied access to networks and digital assets by default and is permitted access only after their identity (user + device + context) has been authenticated and evaluated. More advanced Zero Trust Access solutions like Appgate SDP enable near real-time dynamic policies and entitlements that are granted to the identity, provisioning limited access to authorized resources. These surgical entitlements are continually re-validated, conditional and context-aware, letting an organization define and enforce its risk tolerance.
Microperimeters for segmented access
All users and devices, whether they connect from inside or outside the network, should be treated as guests, i.e., placed on café networks. Think of this as a guest-access VLAN for everyone, as if each user had gone to a local coffee house and jumped online via the guest Wi-Fi. This helps organizations:
- Move all users and devices off the internal network and use the public internet as transport for anything arriving from outside, to manage costs and improve performance
- Encrypt all traffic, as directed in the Administration's Cybersecurity Executive Order, moving the security boundary out from the network edge to the endpoint
- Defeat man-in-the-middle attacks, in which an attacker intercepts communications between two parties, by encrypting and mutually authenticating every connection
- Democratize the network to improve user access and experience
Appgate SDP, an industry-leading ZTNA solution, delivers dynamic and individually tailored access between the user and their assigned resources. This establishes a microperimeter that is specific to each user, their identity and the conditional entitlements assigned to them. These microperimeters are enforced by per-user, per-session micro-firewalls that allow access only to specifically granted resources, eliminating unsanctioned lateral movement.
All Appgate SDP communications are encrypted using FIPS 140-2 validated cryptography and use mutual TLS (mTLS), so that each end of a network connection cryptographically verifies that the other is who it claims to be, rather than only the client verifying the server as in ordinary TLS.
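The default-deny, context-aware entitlement model described above (identity = user + device + context, with a per-session micro-firewall that only admits granted resources and re-validates when conditions change) can be made concrete in a few dozen lines. The following is an added example, not Appgate code or a description of how Appgate SDP is implemented; the users, device postures, resource CIDRs and policy rules are constructed sample data, and the "business hours" and "patched device" conditions are assumptions chosen to illustrate conditional entitlements.

```python
# Added example (not Appgate's code): a default-deny, context-aware entitlement
# engine of the kind the text describes. All users, devices, resources and
# policy rules below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """identity = user + device posture + context, evaluated together."""
    user: str
    groups: FrozenSet[str]
    device_managed: bool
    device_patched: bool
    now: datetime


@dataclass(frozen=True)
class Entitlement:
    """One conditional grant: a resource, the ports allowed, and the conditions."""
    name: str
    resource_cidr: str
    ports: FrozenSet[int]
    groups: FrozenSet[str]            # membership in any one group qualifies
    require_managed: bool = False
    require_patched: bool = False
    business_hours_only: bool = False


# Constructed sample policy.
POLICY: List[Entitlement] = [
    Entitlement("wiki", "10.20.0.0/24", frozenset({443}), frozenset({"staff", "contractor"})),
    Entitlement("jump-host", "10.30.0.10/32", frozenset({22}), frozenset({"ops"}),
                require_managed=True, require_patched=True),
    Entitlement("hr-db", "10.40.0.5/32", frozenset({5432}), frozenset({"hr"}),
                require_managed=True, business_hours_only=True),
]


def condition_holds(ent: Entitlement, ident: Identity) -> bool:
    """Every condition on the entitlement must be satisfied by the identity."""
    if not (ent.groups & ident.groups):
        return False
    if ent.require_managed and not ident.device_managed:
        return False
    if ent.require_patched and not ident.device_patched:
        return False
    if ent.business_hours_only:
        if ident.now.weekday() >= 5 or not (9 <= ident.now.hour < 18):
            return False
    return True


Allowlist = List[Tuple[object, FrozenSet[int], str]]


def build_session_allowlist(policy: List[Entitlement], ident: Identity) -> Allowlist:
    """The session's micro-perimeter: only entitlements whose conditions hold now.
    Re-run this whenever posture or context changes so access is re-validated."""
    return [(ip_network(e.resource_cidr), e.ports, e.name)
            for e in policy if condition_holds(e, ident)]


def evaluate_flow(allowlist: Allowlist, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """Per-session micro-firewall decision: allow only granted resources, deny everything else."""
    dst = ip_address(dst_ip)
    for net, ports, name in allowlist:
        if dst in net and dst_port in ports:
            return ("ALLOW", name)
    return ("DENY", None)        # default deny: never entitled, never reachable


def demo() -> dict:
    """Walk one operator through a healthy session, then a posture change."""
    friday_2pm = datetime(2022, 4, 8, 14, 0, tzinfo=timezone.utc)
    saturday = datetime(2022, 4, 9, 14, 0, tzinfo=timezone.utc)
    healthy = Identity("alice", frozenset({"staff", "ops"}), True, True, friday_2pm)
    unpatched = Identity("alice", frozenset({"staff", "ops"}), True, False, friday_2pm)
    hr_weekend = Identity("bob", frozenset({"staff", "hr"}), True, True, saturday)

    before = build_session_allowlist(POLICY, healthy)
    after = build_session_allowlist(POLICY, unpatched)      # re-validation after posture change
    hr = build_session_allowlist(POLICY, hr_weekend)
    return {
        "wiki_ok": evaluate_flow(before, "10.20.0.7", 443),
        "jump_ok": evaluate_flow(before, "10.30.0.10", 22),
        "rdp_denied": evaluate_flow(before, "10.30.0.10", 3389),    # no entitlement for this port
        "lateral_denied": evaluate_flow(before, "10.30.0.11", 22),  # neighbor of the jump host
        "jump_revoked": evaluate_flow(after, "10.30.0.10", 22),     # patch status lapsed
        "wiki_still_ok": evaluate_flow(after, "10.20.0.7", 443),
        "hr_offhours": evaluate_flow(hr, "10.40.0.5", 5432),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15s} {v}")
```

Two details carry the Zero Trust point. First, the allowlist is derived from the identity at evaluation time rather than from the network the client sits on, so a host one address away from a granted resource (10.30.0.11 beside the jump host) is simply unreachable. Second, the allowlist is rebuilt when posture changes: when the device's patch status lapses, the jump-host entitlement disappears while the lower-risk wiki entitlement survives, which is what "continually validated, conditional and context-aware" means in practice.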
Attack surface reduction is a critical component of ZTNA and the first line of defense against adversaries. A ZTNA solution should use single packet authorization (SPA) to cloak ports: the gateway discards every packet that is not preceded by a valid, cryptographically authenticated SPA packet, so its listening ports and the resources behind them are invisible to scanners, which prevents lateral movement toward them if an endpoint is breached. In addition, segmenting the network is necessary to prevent an infected system from being used to compromise others on the same network.
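To show what "cloaking" a port with SPA involves on both sides of the exchange, here is an added example of a minimal SPA gate. It is not Appgate code and does not describe Appgate SDP's wire format; the packet layout (version, user id, timestamp, nonce, HMAC-SHA256 tag), the 30-second freshness window and the 60-second open period are assumptions chosen for the example, and the shared keys and addresses are constructed sample data.

```python
# Added example (not Appgate's code): a minimal single packet authorization (SPA)
# gate. The packet layout, the HMAC-SHA256 construction and the 30-second
# freshness window are assumptions chosen for the example; the shared keys are
# constructed sample data.
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional, Tuple

SPA_VERSION = 1
HEADER = struct.Struct(">B16sQ16s")   # version, user id (NUL-padded), unix time, nonce
TAG_LEN = hashlib.sha256().digest_size
FRESHNESS_SECONDS = 30                # reject packets outside +/- this window


def build_spa_packet(user_id: str, key: bytes, now: Optional[int] = None,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: one authenticated UDP datagram, sent before any TCP connection."""
    uid = user_id.encode("utf-8")
    if len(uid) > 16:
        raise ValueError("user id longer than 16 bytes")
    header = HEADER.pack(SPA_VERSION, uid.ljust(16, b"\x00"),
                         int(time.time()) if now is None else now,
                         os.urandom(16) if nonce is None else nonce)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


class SpaGateway:
    """Server side: default-drop. A port only 'appears' for a source that has
    just presented a valid SPA packet, and only for a short time."""

    def __init__(self, keys: Dict[str, bytes], open_seconds: int = 60):
        self.keys = keys                                   # per-user shared secrets
        self.open_seconds = open_seconds
        self._seen_nonces: Dict[bytes, int] = {}           # nonce -> forget-after time
        self._authorized: Dict[Tuple[str, str], int] = {}  # (src_ip, user) -> expiry

    def receive(self, src_ip: str, packet: bytes, now: Optional[int] = None) -> Optional[str]:
        """Return the authenticated user, or None meaning 'drop silently' (never answer)."""
        now = int(time.time()) if now is None else now
        self._expire(now)
        if len(packet) != HEADER.size + TAG_LEN:
            return None
        header, tag = packet[:HEADER.size], packet[HEADER.size:]
        version, uid, ts, nonce = HEADER.unpack(header)
        if version != SPA_VERSION:
            return None
        user = uid.rstrip(b"\x00").decode("utf-8", errors="replace")
        key = self.keys.get(user)
        if key is None:
            return None
        # Authenticate first: nothing in the header is trusted until the MAC checks out.
        expected = hmac.new(key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        if abs(now - ts) > FRESHNESS_SECONDS:       # stale or far-future timestamp
            return None
        if nonce in self._seen_nonces:              # replayed capture
            return None
        # Remember the nonce for as long as a replay could still pass the freshness check.
        self._seen_nonces[nonce] = ts + FRESHNESS_SECONDS + 1
        self._authorized[(src_ip, user)] = now + self.open_seconds
        return user

    def is_open(self, src_ip: str, user: str, now: Optional[int] = None) -> bool:
        """Would a connection attempt from src_ip be passed to the protected service?"""
        now = int(time.time()) if now is None else now
        expiry = self._authorized.get((src_ip, user))
        return expiry is not None and now < expiry

    def _expire(self, now: int) -> None:
        self._seen_nonces = {n: e for n, e in self._seen_nonces.items() if e > now}
        self._authorized = {k: e for k, e in self._authorized.items() if e > now}


def demo() -> dict:
    """One legitimate knock, then the attacks the gate must silently drop."""
    key = b"constructed-sample-key-alice"
    gw = SpaGateway({"alice": key}, open_seconds=60)
    t0 = 1_649_433_600                       # fixed clock for a repeatable run
    pkt = build_spa_packet("alice", key, now=t0)
    results = {}
    results["first"] = gw.receive("203.0.113.10", pkt, now=t0)
    results["open_now"] = gw.is_open("203.0.113.10", "alice", now=t0 + 5)
    results["replay"] = gw.receive("203.0.113.10", pkt, now=t0 + 10)        # same nonce again
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    results["tampered"] = gw.receive("203.0.113.10", tampered, now=t0)
    stale = build_spa_packet("alice", key, now=t0 - 120)
    results["stale"] = gw.receive("203.0.113.10", stale, now=t0)
    unknown = build_spa_packet("mallory", b"guess", now=t0)
    results["unknown_user"] = gw.receive("198.51.100.7", unknown, now=t0)
    results["other_src"] = gw.is_open("198.51.100.7", "alice", now=t0 + 5)   # knock was not from here
    results["closed_later"] = gw.is_open("203.0.113.10", "alice", now=t0 + 61)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

The property that makes SPA an attack-surface reduction is that `receive` never produces a response: a scanner, a replayed capture, a tampered packet and an unknown user all get the same silence as an empty port, so the gateway cannot be enumerated. Note also the ordering inside `receive`: the MAC is verified before the timestamp or nonce is consulted, so unauthenticated input cannot influence the replay cache, and the nonce is retained until the last instant at which a replay could still pass the freshness check. In a real gateway, a successful knock would install a short-lived allow rule in the host firewall for that source rather than update a Python dictionary.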
Appgate SDP also addresses the following areas of CISA’s Network pillar:
- Threat protection: Appgate SDP's built-in REST APIs allow it to integrate with artificial intelligence (AI) and analytics solutions to create context-aware network management
- Visibility and analytics: all Appgate SDP logs can be aggregated and responses automated, giving deep insight into patterns of user/device behavior
- Automation and orchestration: Appgate SDP can be fully deployed and managed as code. The SDP operator, SDP Sidecar client and API allow Appgate SDP to run in DevSecOps, DevOps or automation deployment models (e.g., Terraform, AWS CloudFormation)
Why is the CISA Zero Trust Maturity Model Important?
The CISA Zero Trust Maturity Model is important because it provides a framework for organizations to measure their current security posture and make the necessary adjustments to implement a more secure environment. It offers guidance to help organizations transition to a Zero Trust architecture within the time frame set by OMB.
The CISA Zero Trust Maturity Model is also important because it helps organizations understand the various aspects of Zero Trust security, such as identity and access management, data governance, network segmentation, and more. Organizations can build a more secure environment that meets OMB's objectives by using the CISA Zero Trust Maturity Model to assess their current security posture and identify potential areas for improvement.
Appgate SDP is the first and only Zero Trust Network Access solution to achieve Common Criteria Certification.
For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.
Blog: The CISA Zero Trust Maturity Model Series—Part 1: Start with Identity
Blog: The CISA Zero Trust Maturity Model Series—Part 2: Devices
Blog: Federal march to Zero Trust security
Blog: Control access with identity-centric micro-perimeters
Ebook: Zero Trust Network Access: Everything you need to know
Blog and Podcast: Zero Trust for critical infrastructure
1 Gartner, Forecast Analysis: Enterprise Network Equipment, Worldwide, 26 October 2021. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.