This is the first in a 4-part series of blogs covering the end-to-end aspects of zero trust.
Adopting a Zero Trust Mindset
It's unlikely to read an article, whitepaper or marketing brief from anyone in the IT cybersecurity arena without seeing a mention of zero trust. In fact, Zero Trust Architectures (ZTA) have become the aspiration and objective of cyber defense operations nationwide. Federal, state and local government agencies alike have embraced a zero trust philosophy to help systematically and strategically mature and harden the cybersecurity posture of government IT systems. The release of Executive Order (EO) 14028, "Improving the Nation's Cybersecurity" in May of 2021 followed by the Office of Management and Budget's (OMB) release of a "Federal Strategy to Move the U.S. Government Towards a Zero Trust Architecture" are two examples of the government's zero trust-centric cyber priorities, with state, local and tribal governments following suit. In addition, government cybersecurity standards and programs such as NIST, FedRAMP and FISMA focus heavily on the concept of system users being granted access to a system and its data in a least privilege manner, a vague directive to limit trust that becomes actionable, specific, and most importantly satisfied (the box gets checked) with the implementation of various zero trust policies.
Embracing Zero Trust Architecture (ZTA)
So what exactly is zero trust anyway, why is it important and where do you begin?
First and foremost, zero trust is not a cybersecurity tool or a configurable setting, rather it is a mindset and an approach to cybersecurity that asks us to think differently about how we protect a network, manage access and secure its high value assets. The term was first introduced in 2010 by Forrester research analyst John Kindervag who described an approach that assumes neither those outside nor inside the organization's network perimeter should be blanketly trusted. Zero trust represents a shift away from traditional location- and perimeter-based security to an identity-, context- and data-centric approach focused on high-value assets and a continuous re-evaluation of trust. Since most organizations don't have the fine-grained security controls required to build and orchestrate the prevention, visibility, detection and reaction capabilities required to implement an adaptive trust model at scale, these efforts are non-trivial. Adopting zero trust requires significant changes in an organization's culture, policies and approach to cybersecurity. True zero trust organizations:
Trust no user or asset implicitly
|Zero trust assumes some degree of compromise has occurred or will occur, and therefore no user or asset is implicitly trusted. While a level of compromise may still occur in a zero trust environment, the architecture ensures damage is limited and the time it takes for defensive systems to detect and initiate appropriate mitigating responses is greatly reduced.|
|Make no distinctions between internal and external networks||Every device, user and network flow must be continually verified whether it is from a corporate office, hotel or airport, home office, or local coffee shop.|
|Require all communications to be secured (authenticated and encrypted)||All communications must be authenticated and encrypted regardless of network location. This includes communication and transactions across and within network systems.|
|Rethink how access is granted||All access to enterprise resources should be granted on a per session basis and determined by a risk-based dynamic policy informed by continuous monitoring of users, devices, applications, network infrastructure and context around data access and communications.|
Finally, achieving a mature zero trust cybersecurity posture will require close collaboration between network and cybersecurity administrators, both of whom have a role to play in the establishment and management of the system. Zero trust environments employ architectural constructs and cybersecurity controls that permeate throughout all components of an IT system to the most granular user, asset and session level, while also assuming all network activity and all users are potentially hostile unless proven otherwise at the point and time of transaction or session. And it's in the repositioning of policy-guided security controls down to "the most granular level" across many facets of an enterprise environment that a ZTA model begins to take shape and mature.
Zero Trust as a Journey | Zero Trust Maturity Model
Optimal Zero trust environments are not achieved overnight nor as a result of a new cybersecurity tool touting itself as delivering zero trust - rather the optimal state is achieved gradually - one improvement at a time across the enterprise-wide system. Each organization must consider their current enterprise cybersecurity posture and technologies, cybersecurity resources, high value IT assets, tolerance for risk, regulatory requirements, as well as organizational mission and objectives to establish a plan that makes improvements toward zero trust in and manner and timeframe that makes the most sense and is achievable for the organization.
Multiple government agencies and regulatory bodies including (but not limited to) the Department of Defense (DoD), General Services Administration (GSA) and The Cybersecurity and Infrastructure Agency (CISA) have published descriptions of zero trust in the context of their organizational objectives. The DoD's Zero Trust Strategy as well as their Zero Trust Reference Architecture includes 7 ZTA pillars, GSA's Zero Trust Architecture Buyer's Guide includes 8 ZTA pillars, and CISA's Zero Trust Maturity Model represents ZTA with 5 pillars and 3 cross-cutting elements. Whether the concepts that constitute zero trust are represented as a "pillar" or a cross-cutting element, most of the government agency zero trust strategies incorporate the same or very similar core components.
Some agencies also provide operational guidance for how organizations can mature over time to achieve an optimal zero trust state - helping break down a monumental undertaking into smaller achievable milestones. The following illustration is a modified version of CISA's ZTA maturity model and 5 pillars, including the 3 cross-cutting areas (considered additional pillars in some models), with minor adjustments to incorporate the most commonly shared ZTA architecture elements across agencies. CISA's core mission is defending the nation's cybersecurity posture and leading efforts to drive and enable effective national cyber defense as a primary mission. Their model reflects that that mission and also incorporates seven tenets of zero trust as outlined in NIST SP 800-207. While CISA is an excellent resource for government cybersecurity guidance, IT delivery organizations should also familiarize themselves with the specific zero trust ideologies of their customer and partner agencies.
Figure 1 - Modified Version of CISA's Zero Trust Pillars and Maturity Model
Implementing a zero trust like architecture involves changes to core system components across five distinct zero trust pillars (identity, devices, networks, application and workloads, and data) - with each pillar leveraging features from three essential cross-cutting capabilities including visibility and analytics, automation and orchestration, and governance and compliance. Organizations will make minor advancements over time that will eventually result in improved zero trust like systems. Each pillar can be addressed and allowed to progress at its own pace while advancing in cross-pillar integration - reflecting an advanced state of zero trust maturity. Teams should consider integration requirements from the onset of the zero trust effort as it can be difficult to achieve.
Graduated Maturity Phases
Each organization will be starting from where they are today with the objective of advancing through the following CISA-defined phases of zero trust maturity with the goal of eventually reaching an optimal state:
- Traditional-Manually configured lifecycles (i.e., from establishment to decommissioning) and assignments of attributes (security and logging); static security policies and solutions that address one pillar at a time with discrete dependencies on external systems; least privilege established only at provisioning; siloed pillars of policy enforcement; manual response and mitigation deployment; and limited correlation of dependencies, logs, and telemetry.
- Initial-Starting automation of attribute assignment and configuration of lifecycles, policy decisions and enforcement, and initial cross-pillar solutions with integration of external systems; some responsive changes to least privilege after provisioning; and aggregated visibility for internal systems.
- Advanced-Wherever applicable, automated controls for lifecycle and assignment of configurations and policies with cross-pillar coordination; centralized visibility and identity control; policy enforcement integrated across pillars; response to pre-defined mitigations; changes to least privilege based on risk and posture assessments; and building toward enterprise-wide awareness (including externally hosted resources).
- Optimal-Fully automated, just-in-time lifecycles and assignments of attributes to assets and resources that self-report with dynamic policies based on automated/observed triggers; dynamic least privilege access (just-enough and within thresholds) for assets and their respective dependencies enterprise-wide; cross-pillar interoperability with continuous monitoring; and centralized visibility with comprehensive situational awareness.
Zero trust is a security architecture that every organization, no matter what the size, complexity or industry, should be moving toward today. That said, each organization has unique challenges as it looks to set off down the zero trust path. Organizations should consider the following:
|All organizations||Adopt zero trust|
|Resource-constrained organizations||Adopt zero trust incrementally|
|Organizations with legacy technologies||Consider reuse versus discard|
|Organizations with no formal IAM program||Get moving|
|Organizations with a large remote/hybrid workforce||Don't wait|
|Cloud-first organizations||Move to zero trust quickly|
Look for the next blog in this SANS 4-part series on zero trust: Architecting for Zero Trust. The blog will take a deeper dive into the fundamental network architectural and policy management elements that organizations will need to implement to provide them the framework on which zero trust systems can be built and operated and cybersecurity postures matured.
Grow Your Zero Trust Competencies with SANS
In addition, SANS has created a 6-day course that will equip participants with skills and knowledge to translate the concept of zero trust into actionable steps. Acquired skills will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust.
This course is designed to help students establish and maintain a holistic and layered approach to security, while taking them on a journey towards a realistic 'less trust' implementation, based on Zero Trust principles, pillars and capabilities. Effective security requires a balance between detection, prevention, and response capabilities, but such a balance demands that controls be implemented on the network, directly on endpoints, and within cloud environments. This course will help your organization:
- Identify and comprehend deficiencies in security solutions
- Design and Implement Zero Trust strategies leveraging current technologies and investment
- Maximize existing investment in security architecture by reconfiguring existing technologies
- Layer defenses to increase protection time while increasing the likelihood of detection
- Improved prevention, detection, and response capabilities
- Reduced attack surface
SANS empowers cyber security professionals with the practical skills and knowledge they need to make our world a safer place through high quality training, certifications, scholarship academies, degree programs, cyber ranges, and resources to meet the needs of every cyber professional. Our data, research, and the top minds in cybersecurity collectively ensure that individuals and organizations have the actionable education and support they need.