Leo Taddeo, March 10, 2022
The CISA Zero Trust Maturity Model Series – Part 1: Start With Identity
People are the new perimeter—and they need intelligent secure access. This is Part 1 of a five-part series on the CISA Zero Trust Maturity Model pillars. Parts 2 through 5 delve into CISA's Device, Network, Application Workload and Data pillars.
Early this year, the U.S. Office of Management and Budget (OMB) issued the final strategy for federal agencies to move toward a Zero Trust security architecture, requiring them to meet specific cybersecurity objectives by the end of fiscal year 2024. This strategy expands on the guidelines set forth in the White House Executive Order on Improving the Nation’s Cybersecurity, released in May of last year.
The federal strategy underscores the government’s commitment to radically evolving its cybersecurity posture. With today’s large remote workforce, explosion of connected devices, and the proliferation of cloud computing—including complex multi- and hybrid cloud environments—conventional perimeter-based defenses are no longer adequate to protect critical systems and data. As noted in the Executive Order, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
This Zero Trust strategy organizes its objectives and agency requirements by using the Zero Trust Maturity Model released by the Cybersecurity and Infrastructure Security Agency (CISA) in June 2021. This maturity model focuses on Zero Trust security implementation across five key pillars: Identity, Device, Network, Application Workload and Data.
In this blog series, we’ll dive into each of these pillars, exploring how organizations can advance along the maturity curve in their Zero Trust security journeys. While the CISA Maturity Model was developed for government agencies, the guidance certainly applies to organizations in any industry.
It all starts with identity
The traditional security perimeter has dissolved, and people are the new perimeter. As users access applications and resources from multiple locations and devices, identity access management has become increasingly important. Through the lens of Zero Trust, this means enforcing the principle of least privilege—or reducing the attack surface by making all network resources and applications invisible unless a user is authorized and authenticated.
In CISA’s Zero Trust Maturity Model, each pillar has three stages—traditional, advanced and optimal—with increasing levels of protection, detail and complexity in each stage. At a high level, agencies will have achieved the following in each stage of the Identity pillar:
- Traditional: password or multi-factor authentication (MFA); limited risk assessment
- Advanced: MFA; some identity federation with cloud and on-premises systems
- Optimal: continuous validation; real-time machine learning analysis
The Zero Trust Maturity Model moves away from simply using passwords to validate identity and instead uses a combination of factors to validate and continuously verify identity throughout the duration of a user’s interaction with services or data. At the same time, as agencies continue to migrate services to the cloud, they must integrate their on-premises identities with those in cloud environments.
The important role of Zero Trust access
Zero Trust Network Access (ZTNA) has become the standard for identity-centric secure enterprise access control. With Zero Trust access, a user is denied access to networks and digital assets by default. Then, they are only permitted access after their identity (user + device + context) is extensively authenticated. Dynamic policies and entitlements are then granted to the identity, provisioning limited access to authorized resources.
These dynamic, metadata-driven, fine-grained entitlements are conditional and based on context and risk tolerance defined by the enterprise. This is far more secure than relying on an IP address and a username/password combination, because credential theft, IP spoofing and brute-force attacks have made those traditional authentication methods vulnerable. Zero Trust access is a more dynamic solution that takes contextual factors into account.
After the user has been given access, the solution continues to monitor to determine if access privileges should be adjusted or entirely revoked. It continuously evaluates the user and device in context, including the user’s role, device security posture, location, time and date and a range of other conditional requirements. This makes it possible to immediately interrupt suspicious behavior before it causes harm.
Appgate SDP: identity-centric secure access
Appgate SDP, an industry-leading Zero Trust Network Access solution, provisions conditional trusted access by verifying identity using three key evaluation criteria:
- Role variables: Most organizations have multiple and disparate—and sometimes incompatible—directories. By integrating with all Identity Management Systems (IdP, IAM, IGA) and methods (e.g., SAML, AD, LDAP, RADIUS), Appgate SDP seamlessly aligns with your corporate identity management strategy, regardless of the number of identity solutions you are using. It also integrates with solutions that offer passwordless protection.
- Environmental variables: Things like date, time and geo-location are used as additional attributes and real-time contextual data in the evaluation to grant access entitlements—for both users and non-human service accounts. These additional attributes can be used to prompt for additional authentication such as MFA and/or restrict access based on contextual risk.
- Device variables: Appgate SDP evaluates device risk by conducting an extensive out-of-the-box posture check of 25+ variables. It is even stronger when integrated with enterprise endpoint protection tools. Access is then conditional on whether the device is deemed trusted or not.
All these attributes are compiled into a multi-dimensional identity profile. This 360-degree identity profile is used to evaluate and grant conditional entitlements not just at the time of initial access request but throughout the interaction.
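To make the default-deny, step-up and continuous re-evaluation behaviour described in the two sections above concrete, here is an added example of a small policy engine that combines role, environmental and device variables into one identity profile. It is illustrative code written for this post, not Appgate SDP's implementation; the posture keys, entitlement fields and business-hours rule are assumptions.

```python
from dataclasses import dataclass

# Constructed example: one identity profile built from the three criteria
# above (role, environmental, device). Field names and policy shape are
# assumptions for illustration, not Appgate SDP's data model.

@dataclass
class IdentityProfile:
    user: str
    roles: set               # role variables from the directory / IdP
    mfa_passed: bool
    country: str             # environmental variables
    hour: int                # 0-23, local time of the request
    weekday: int             # 0 = Monday ... 6 = Sunday
    posture: dict            # device variables, e.g. {"edr_running": True}

@dataclass
class Entitlement:
    resource: str
    required_roles: set
    allowed_countries: set
    mfa_out_of_hours: bool = False   # step up to MFA outside business hours
    always_mfa: bool = False

# Device checks that must pass before any entitlement is even considered.
REQUIRED_POSTURE = ("disk_encrypted", "edr_running", "os_patched")

def device_trusted(posture: dict) -> bool:
    return all(posture.get(check) is True for check in REQUIRED_POSTURE)

def evaluate(p: IdentityProfile, e: Entitlement) -> tuple[str, str]:
    """Default-deny. Returns (decision, reason); decision is 'allow', 'deny'
    or 'step_up' (the caller prompts for MFA and then re-evaluates)."""
    if not device_trusted(p.posture):
        return "deny", "device posture check failed"
    if not (p.roles & e.required_roles):
        return "deny", "no entitled role"
    if p.country not in e.allowed_countries:
        return "deny", "location not permitted"
    in_hours = p.weekday < 5 and 8 <= p.hour < 18
    need_mfa = e.always_mfa or (e.mfa_out_of_hours and not in_hours)
    if need_mfa and not p.mfa_passed:
        return "step_up", "context requires MFA"
    return "allow", "all conditions met"

def reevaluate(p: IdentityProfile, e: Entitlement, granted: bool) -> tuple[str, str]:
    """Continuous verification: run on every context change during a session;
    an entitlement already granted is revoked as soon as any condition fails."""
    decision, reason = evaluate(p, e)
    if granted and decision != "allow":
        return "revoke", reason
    return decision, reason
```

The same profile is re-run through `reevaluate` whenever a posture or context attribute changes, so a device whose endpoint protection stops mid-session loses its entitlement rather than keeping it until the next login.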
Appgate SDP can help organizations align their identity governance with Zero Trust security policies, as well as easily meet MFA and encryption requirements. It enables a simple user experience and does not require application or server modification.
The easiest way for a cyberattacker to gain access to an organization’s resources and data is by compromising a user’s identity, so it is clear why it’s critical to start with identity when embarking on a Zero Trust security journey. In today’s complex environment, password protection is dead. Organizations need a Zero Trust access solution that uses dynamic policies and takes user context into account before granting access.
For more on how our Appgate Federal Division assists agencies on their Zero Trust security journey, visit www.appgate.com/federal-division.