The Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) recently released a maturity model that defines distinct pillars and capabilities that agencies should look to invest in with tools and processes to meet the requirements for zero trust set out in Executive Order 14028, “Improving the Nation’s Cybersecurity.” In January 2022, the United States Office of Management and Budget (OMB) released the Federal Zero Trust Strategy to further guide government agencies in developing a zero trust strategy. This strategy can be accomplished through evolution of existing cybersecurity systems and further breaks out steps that government agencies can take to build confidence in a zero trust security model.
This guidance and model underline the fact that zero trust is not a single product, but rather a collection of concepts and ideas with the goal of preventing unauthorized access to data and services while making access control enforcement as granular as possible. This is a huge shift from the traditional perimeter-based defenses employed across government networks. Moving to zero trust is an incredible effort, but one that must be accomplished to secure the data and systems needed to protect and serve U.S. citizens and interests.
Understanding the challenge
Zero trust is a shift from a location-centric model to a more data-centric approach that aligns with the new reality of a widely distributed, hybrid workforce. Moving to a zero trust architecture (ZTA) is more than a technical challenge; it is also a cultural shift in cybersecurity policy.
Legacy systems rely on “implicit trust,” a concept that conflicts with the core principle of adaptive evaluation of trust within a ZTA. This means that existing infrastructures that are built on implicit trust must either be rebuilt or replaced.
Meeting the challenge
The move to zero trust will take time, but efforts can be accelerated with the right tools. At Zscaler, we’re proud to offer a range of products that were designed with zero trust as the prevailing security architecture. In this blog series we will look at each capability defined by CISA and detail how Zscaler can help agencies migrate their architectures to a zero trust approach.
As CISA points out in their model, each capability can progress at its own pace and may be further along than others. At some point, cross-pillar coordination will be required with a focus on interoperability and dependencies to ensure compatibility. This allows for a gradual evolution to zero trust, distributing costs and effort over time.
We’ll take a step-by-step approach with a post on each capability, examining how to mature the following through the model:
- Identity – moving to a least-privileged access approach to identity management.
- Data – shifting to a “data-centric” approach to cybersecurity, starting with identifying, categorizing, and inventorying data assets.
- Device & endpoint – ensuring the integrity of the devices used to access services and data.
- Network & environment – aligning network segmentation and protections according to the needs of their application workflows instead of the implicit trust inherent in traditional network segmentation.
- Application & workload – integrating protections more closely with application workflows, giving access to applications based on identity, device compliance, and other attributes.
- Visibility & analytics – the ability to collect data on transactions and report it in easy-to-follow dashboards and reports.
- Automation & orchestration – implementing API-based solutions that allow for dynamic policy changes and enforcement.
Stay tuned as we do a deep dive on each of these areas, highlighting the current state, desired ZTA state, and how to make the transition with the help of Zscaler.