Zero-trust security has passed the tipping point from awareness to implementation. A public mandate will drive a private imperative. Emerging standards offer a framework for organizations regardless of their maturity level. Whether an organization is taking its first steps toward zero-trust or is already planning its next stage, visibility has become the foundation for the pillars of zero-trust.
According to Microsoft, 90% of security decision-makers at enterprise-sized companies are familiar with zero-trust and 76% are implementing it. Zero-trust became a matter of national discourse when the Biden administration signed Executive Order 14028, "Improving the Nation's Cybersecurity." The Cybersecurity and Infrastructure Security Agency (CISA) has taken up the mantle by developing a zero-trust maturity model. The CISA model is heavily influenced by the National Institute of Standards and Technology (NIST) SP 800-207, "Zero Trust Architecture."
These federal mandates and standards have made an immediate impact on the public sector, but the private sector should take note. Compliance regulations already affect many private enterprises. Likewise, many private enterprises implement common security frameworks (CSFs) to demonstrate their cybersecurity maturity to partners. One such framework is NIST SP 800-53, which catalogs security and privacy controls for federal information systems; many private companies voluntarily adopt it as well.
It stands to reason that many private organizations will also choose to voluntarily implement NIST SP 800-207 as a zero-trust framework. It’s important to realize that no single path to implement zero-trust exists because all organizations are unique. NIST SP 800-207 accounts for this flexibility.
Ultimately, zero-trust aims to enforce the principle of least privilege across all information technology systems, using authentication, authorization and access control as the levers. NIST SP 800-207 describes three variations on zero-trust architecture: enhanced identity governance, micro-segmentation, and network infrastructure with software-defined perimeters. Most organizations are still working toward these ideals.
Visibility: the foundation for the pillars of zero-trust
Regardless of whether an organization has just gotten started with zero-trust, has a full implementation, or is looking ahead with an eye on improvement, visibility is the foundation for the pillars of zero-trust.
NIST SP 800-207 lays out seven tenets of zero-trust, paraphrased here:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy, including the observable state of client identity, application/service and the requesting asset, and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
Organizations just getting started with zero-trust need visibility to inventory every device, data source and computing service that counts as a resource. Organizations already enforcing zero-trust policies need visibility to monitor the security posture of those resources on an ongoing basis. From network mapping to behavioral analysis, network monitoring is the primary means of obtaining this visibility.
Furthermore, the CISA Zero Trust Maturity Model illustrates five pillars of zero-trust: identity, devices, network, applications, and data. Visibility and analytics is a cross-cutting capability that underpins all five. As organizations seek to mature from a traditional approach to an advanced one on their way toward the optimal stage, CISA offers guidance on how to improve visibility across each pillar.
For example, the traditional approach to visibility into devices may rely on manual audits and reviews. The advanced approach automates the discovery of devices, identifies their vulnerabilities, and isolates unapproved devices. The optimal approach extends this across cloud and remote environments and assesses risk continuously. However, not all devices can run a software agent (think cameras, printers and other IoT or OT equipment), so as an organization matures it will need solutions that can assess such devices from what the network observes about them.
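The tenets above (per-session access, dynamic policy over the observable state of identity, application and asset, strict enforcement before access) and the device-visibility progression described in this section can be seen together in a small policy decision point. The following is an added illustration written for this article; it is not from NIST SP 800-207, the CISA model, or any vendor product. The asset, identity and resource records, the posture rules, the session lifetimes and the hostnames are all constructed assumptions for the example.

```python
# Added illustration of a zero-trust policy decision point (PDP).
# Not from NIST SP 800-207, CISA or any vendor; all data below is constructed.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Asset:
    """What the enterprise can observe about the requesting device."""
    asset_id: str
    managed: bool                  # present in the enterprise inventory
    agent_posture: Optional[str]   # "compliant"/"noncompliant"; None if agentless
    last_seen: datetime            # last passive network sighting (DHCP/ARP/flow)
    open_vulns: int                # unpatched findings from a network-side scan


@dataclass(frozen=True)
class Identity:
    subject: str
    mfa: bool
    groups: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str               # "low" or "high"
    allowed_groups: frozenset


@dataclass(frozen=True)
class Decision:
    allow: bool
    session_ttl: timedelta         # tenet 3: access is granted per session, then re-evaluated
    reason: str


STALE = timedelta(hours=24)        # assumed: an asset unseen for a day is suspect


def asset_posture(asset: Asset, now: datetime) -> str:
    """Tenet 5: posture from whatever evidence exists. Agentless assets are judged
    from inventory membership, recency of sighting and scan findings."""
    if not asset.managed:
        return "unknown"
    if asset.agent_posture is not None:
        return asset.agent_posture
    if now - asset.last_seen > STALE or asset.open_vulns > 0:
        return "noncompliant"
    return "compliant"


def evaluate(identity: Identity, asset: Asset, resource: Resource, now: datetime) -> Decision:
    """Tenets 4 and 6: each request is decided from identity + asset + resource state;
    network location plays no part (tenet 2)."""
    posture = asset_posture(asset, now)
    if posture == "unknown":
        return Decision(False, timedelta(0), "asset not in inventory")
    if not identity.groups & resource.allowed_groups:
        return Decision(False, timedelta(0), "subject not entitled to resource")
    if resource.sensitivity == "high":
        if not identity.mfa:
            return Decision(False, timedelta(0), "high-sensitivity resource requires MFA")
        if posture != "compliant":
            return Decision(False, timedelta(0), f"asset posture {posture}")
        return Decision(True, timedelta(hours=1), "compliant asset, MFA present")
    # low sensitivity: a degraded asset still gets in, but on a short leash
    if posture != "compliant":
        return Decision(True, timedelta(minutes=15), "reduced session: asset noncompliant")
    return Decision(True, timedelta(hours=8), "compliant asset")


def isolation_candidates(assets, now: datetime) -> list:
    """The 'advanced' device step in the CISA model: anything discovered that is
    unapproved or out of posture is a candidate for network isolation."""
    return sorted(a.asset_id for a in assets if asset_posture(a, now) in ("unknown", "noncompliant"))


# ---- constructed sample data (not real hosts, users or findings) ----
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
ASSETS = {
    "lap-01": Asset("lap-01", True, "compliant", NOW - timedelta(minutes=5), 0),
    "cam-07": Asset("cam-07", True, None, NOW - timedelta(hours=1), 0),       # agentless, healthy
    "prn-02": Asset("prn-02", True, None, NOW - timedelta(hours=2), 2),       # agentless, unpatched
    "byod-99": Asset("byod-99", False, None, NOW - timedelta(minutes=1), 0),  # never inventoried
}
ALICE = Identity("alice", mfa=True, groups=frozenset({"finance"}))
BOB = Identity("bob", mfa=False, groups=frozenset({"finance"}))
PAYROLL = Resource("payroll", "high", frozenset({"finance"}))
WIKI = Resource("wiki", "low", frozenset({"finance", "eng"}))

if __name__ == "__main__":
    for ident, asset, res in [(ALICE, ASSETS["lap-01"], PAYROLL), (BOB, ASSETS["lap-01"], PAYROLL),
                              (ALICE, ASSETS["prn-02"], PAYROLL), (ALICE, ASSETS["prn-02"], WIKI),
                              (ALICE, ASSETS["byod-99"], WIKI)]:
        d = evaluate(ident, asset, res, NOW)
        print(f"{ident.subject:6} {asset.asset_id:8} {res.name:8} allow={d.allow} ttl={d.session_ttl} ({d.reason})")
    print("isolate:", isolation_candidates(ASSETS.values(), NOW))
```

The point of the agentless branch is the one this section makes: a camera or printer that cannot report its own posture is not exempt from policy; it is assessed from inventory membership, how recently the network saw it, and what a scan found, and an asset that was never inventoried is denied and queued for isolation rather than trusted because it happens to be on the corporate LAN.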
Although there is a plethora of information available about implementing zero-trust, there is a paucity of codified standards. That is why NIST SP 800-207 represents such a milestone. Even though it is a federal standard, many private companies will choose to implement it voluntarily as a competitive differentiator. With an initiative of this magnitude, look beyond the technology: bring teams together, work toward a common goal, and understand how the systems in the model interact. It all comes down to consistency and building the visibility that lets the team understand the impact of changes.
Tim Jones, regional vice president of systems engineering, Forescout