The CISA Zero Trust Maturity Model Series – Part 5: Data

CISA’s Zero Trust Maturity Model underscores the guidelines set forth by the U.S. Office of Management and Budget (OMB) in its final strategy for federal agencies to move toward a Zero Trust security architecture by the end of fiscal year 2024.

The maturity model focuses on Zero Trust security implementation across five key pillars (Identity, Device, Network, Application Workload and Data,) with each pillar having three stages of maturity (Traditional, Advanced, and Optimal). Today, in our last installment in this series, we cover pillar #5: Data.

Striking the balance between access and protection

Data is the crown jewel of most organizations, including federal agencies. As with the other pillars, CISA provides guidance in each of three maturity stages: Traditional, Advanced and Optimal. CISA focuses on the following elements in the data pillar:

• Inventory management
• Access determination
• Encryption
• Visibility and analytics capability
• Automation and orchestration capability

Protecting data requires some form of tagging, metadata and classification. Where possible, labeling and tagging should be elements of context for Zero Trust policies. For example, organizations can achieve a higher level of maturity (up to Optimal) by feeding tags into Zero Trust role-based access control (RBAC) or attribute-based access control (ABAC) policies. As a more specific example, when all customer data is properly labeled, access to that data can be restricted to individuals who need access (e.g. “Customer Care Team”).¹

In addition, data passes through various stages within its lifecycle, such as data at rest, in motion, in use and destruction. Since no single cybersecurity vendor can solve for all guidance provided across pillars by CISA, the key is to choose solutions that integrate well to enable interactions between layers. For instance, while a software-defined perimeter (SDP) is not an encryption at rest solution, it does provide very robust protection against man-in-the-middle attacks for data in motion via Mutual Transport Layer Security (mTLS). This protection when combined with encrypted data at rest provides a much stronger data encryption and protection architecture.

Most organizations will be well-served to select best-of-breed solutions that provide superior security at each layer, integrate across the stack in near real-time and dynamically adjust as needed.

Key takeaways across the pillars

As we wrap up this series and examine the data pillar, as well as the full CISA Zero Trust Maturity Model, it’s important to remember that data security—like application workload security—starts further down the stack. Tight integration with layers 3 and 4—Network and Transport, respectively, in the Open Systems Interconnection (OSI) stack—will help advance Zero Trust maturity.

Old security technologies like virtual private networks offer inadequate protection, as they essentially provide access to large segments of the network once a user is authenticated; an attacker does not need to get to the data layer to cause trouble. They can find the most open and exposed places and then move laterally through the organization’s resources.

Implementing a Zero Trust Network Access (ZTNA) solution that integrates with the application workload and data layers helps organizations generate much more useful threat data. If an anomaly is detected at the network or data level, the connection at the network layer can be terminated. If your Zero Trust security technologies are connected across these layers, your threat vector intelligence will be much stronger, giving you a unified view of your security posture and enabling more automated protection.

Appgate SDP, an industry-leading ZTNA solution, can help agencies accelerate their Zero Trust implementation across the CISA Zero Trust Maturity Model by:

• Cloaking network infrastructure: Appgate SDP leverages single packet authorization (SPA) to actively close ports, making them and the resources they allow entry to invisible and preventing lateral movement in case of a breach
• Using identity-centric policies: Appgate evaluates each user’s identity, device and contextual risk as criteria for secure access
• Encrypting data in motion: Encryption is a critical part of the data pillar. All Appgate SDP communications are natively FIPS 140-2 encrypted and leverage Mutual Transport Layer Security (mTLS) to ensure that the parties at each end of a network connection are who they claim to be
• Ensuring dynamic and continuous policy enforcement: Appgate SDP monitors and modifies access automatically based on context and risk changes throughout each user/device interaction
• Micro-segmenting the network: Appgate SDP ensures that users and devices only have access to the resources they are authorized to see
• Providing integration flexibility: Appgate SDP’s API-first technology easily integrates with the rest of your security stack to provide greater visibility and unified policy enforcement

For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.

1. Zero Trust Security, An Enterprise Guide, Garbis and Chapman.

Additional resources

Blog: The CISA Zero Trust Maturity Model Series—Part 1: Start with Identity
Blog: The CISA Zero Trust Maturity Model Series—Part 2: Devices
Blog: The CISA Zero Trust Maturity Model Series—Part 3: Network
Blog: The CISA Zero Trust Maturity Model Series—Part 4: Application Workload
Blog: Control access with identity-centric micro-perimeters
Blog and Podcast: Zero Trust for critical infrastructure