In the 1990s, the TV series “The X-Files” made the phrase “Trust No One” popular. Now, with cybercrime increasing at an alarming rate, “trust no one” – or Zero Trust – is a phrase echoing through enterprises. In 2021, the average number of cyberattacks and data breaches increased by 15.1%. That same year, the U.S. government spent $8.64 billion of its $92.17 billion IT budget to combat cybercrime. It also released the CISA Zero Trust Maturity Model.
What Is the CISA Zero Trust Maturity Model?
The CISA Zero Trust Maturity Model, published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), was drafted in June 2021 (and released for public comment that September) to help federal agencies comply with Executive Order 14028, “Improving the Nation’s Cybersecurity.” EO 14028 specifically directs agencies to develop plans for adopting Zero Trust Architecture to protect government infrastructure.
Right on the heels of EO 14028, CISA began working on the CISA Zero Trust Maturity Model. It gives agencies a framework for the transition to Zero Trust Architecture, strengthening their cybersecurity posture and preventing unauthorized access to infrastructure and resources by continuously verifying every access request instead of trusting a network location. The CISA Zero Trust Maturity Model is meant to serve as a guideline for planning, not as a complete implementation plan.
CISA built the Zero Trust Maturity Model on the seven Zero Trust tenets outlined by the National Institute of Standards and Technology (NIST). They are:
- All data sources and computing services are considered resources.
- All communication is secured, regardless of location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
Importance of the Zero Trust Maturity Model
The federal government recognizes the importance of Zero Trust in its efforts to secure infrastructure and resources. In addition to the seven tenets outlined by NIST in Special Publication 800-207, which describes Zero Trust for enterprise security architects, federal agencies have released other publications to explain the concept and provide guidance.
The Department of Defense (DoD) released the DoD Zero Trust Reference Architecture specifically for the DoD Information Network, and the National Security Agency has embraced a Zero Trust security model.
But the challenges lie in legacy systems that may conflict with Zero Trust principles and the lack of consensus on what a Zero Trust Maturity Model looks like. The CISA Zero Trust Maturity Model aims to address these challenges and operationalize protections through its programs, including Continuous Diagnostics and Mitigation (CDM) and National Cybersecurity Protection System (NCPS).
Zero Trust Maturity Model Implementation
The Zero Trust Maturity Model relies on the Foundation of Zero Trust. This is represented by five pillars: identity, device, network/environment, application workload, and data. The five pillars sit on top of visibility and analytics, automation and orchestration, and governance.
Zero Trust maturity stages
The Zero Trust maturity stages are used to identify maturity for each zero trust technology pillar and provide consistency across the maturity model. Briefly, the stages are:
- Traditional: Attributes are assigned manually, security policies are static, and solutions are pillar-specific with coarse dependencies on external systems.
- Advanced: Some cross-pillar coordination exists, along with centralized visibility and centralized identity control.
- Optimal: Attributes are assigned to assets and resources automatically, and dynamic policies respond to automated or observed triggers.
The pillars of Zero Trust are:
Pillar 1: Identity
An identity is an attribute or set of attributes that uniquely describes an agency user or entity. In an optimal maturity model, the identity is continuously validated rather than checked once at login.
Pillar 2: Device
A device is any hardware asset that can connect to a network. An optimal model includes constant device security monitoring and validation, and data access depends on real-time risk analytics.
Pillar 3: Network/Environment
The CISA Zero Trust Maturity Model defines network/environment as any open communications medium, including agency internal networks, wireless networks, and the Internet. In an optimal model, it uses fully distributed ingress/egress micro-perimeters, machine learning-based threat protection, and encryption for all traffic.
Pillar 4: Application Workload
Applications and workloads include agency systems, computer programs, and services that execute on premises and in the cloud. Optimal models continuously authorize access and are strongly integrated into the application workflow.
Pillar 5: Data
Data needs to be protected on all devices, in applications, and on networks, according to the CISA Zero Trust Maturity Model. An optimal model supports data access decisions dynamically and encrypts all data.
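To make the gap between the Traditional and Optimal stages concrete across the Identity, Device and Data pillars, here is an added Python example; it is not code from the article, from CISA or from StrongDM. It contrasts a static role-to-resource allow list (Traditional: manual attributes, static policy, no expiry) with a per-session policy decision point (Optimal: dynamic policy over MFA freshness, device posture and an observed risk score, with the grant re-evaluated while the session is live). All names, thresholds and sample inputs are constructed for illustration.

```python
"""Added example (not from the original article, CISA or StrongDM):
a toy policy decision point contrasting the Traditional stage (static
role-to-resource mapping that never expires) with the Optimal stage
(per-session grants computed from dynamic policy over identity, device
posture and observed risk, re-evaluated continuously).
All names, thresholds and sample inputs below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# --- Traditional stage: static policy ---------------------------------
# Hypothetical role -> resource mapping, maintained by hand.
STATIC_ROLE_GRANTS = {"dba": {"prod-postgres"}, "dev": {"staging-postgres"}}


def traditional_decide(role: str, resource: str) -> bool:
    # Role membership alone decides. Nothing about the device, the
    # session or observed behaviour is considered, and the grant never expires.
    return resource in STATIC_ROLE_GRANTS.get(role, set())


# --- Optimal stage: dynamic, per-session policy -----------------------
@dataclass
class Identity:
    user: str
    roles: Set[str]
    mfa_verified_at: Optional[datetime]  # None = no MFA this session


@dataclass
class DevicePosture:
    managed: bool
    disk_encrypted: bool
    patch_age_days: int
    risk_score: int  # 0-100, e.g. from an EDR/analytics feed (constructed)


@dataclass
class Grant:
    user: str
    resource: str
    expires_at: datetime
    reasons: List[str] = field(default_factory=list)


# Hypothetical policy thresholds.
MFA_MAX_AGE = timedelta(hours=8)
SESSION_TTL = timedelta(minutes=15)
MAX_PATCH_AGE_DAYS = 30
MAX_RISK = 40


def evaluate_policy(identity: Identity, posture: DevicePosture,
                    resource: str, now: datetime) -> List[str]:
    """Return the list of policy violations; an empty list means allow."""
    allowed = {r for role in identity.roles
               for r in STATIC_ROLE_GRANTS.get(role, set())}
    problems = []
    if resource not in allowed:
        problems.append("role does not map to resource")
    if identity.mfa_verified_at is None or now - identity.mfa_verified_at > MFA_MAX_AGE:
        problems.append("MFA stale or missing")
    if not posture.managed:
        problems.append("unmanaged device")
    if not posture.disk_encrypted:
        problems.append("disk not encrypted")
    if posture.patch_age_days > MAX_PATCH_AGE_DAYS:
        problems.append("device patch level too old")
    if posture.risk_score > MAX_RISK:
        problems.append("device risk score above threshold")
    return problems


def request_session(identity: Identity, posture: DevicePosture,
                    resource: str, now: datetime) -> Optional[Grant]:
    """Per-session access: every request is evaluated afresh and any grant is short-lived."""
    problems = evaluate_policy(identity, posture, resource, now)
    if problems:
        return None
    return Grant(identity.user, resource, now + SESSION_TTL, ["policy satisfied"])


def session_still_valid(grant: Grant, identity: Identity,
                        posture: DevicePosture, now: datetime) -> bool:
    """Continuous verification: an active grant is re-checked against the
    current clock and the current posture, so a mid-session change revokes it."""
    if now >= grant.expires_at:
        return False
    return not evaluate_policy(identity, posture, grant.resource, now)


# Constructed sample inputs.
NOW = datetime(2021, 9, 7, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(minutes=5)
ALICE = Identity("alice", {"dba"}, mfa_verified_at=NOW - timedelta(hours=1))
ALICE_STALE_MFA = Identity("alice", {"dba"}, mfa_verified_at=NOW - timedelta(hours=9))
HEALTHY = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3, risk_score=10)
COMPROMISED = DevicePosture(managed=True, disk_encrypted=True, patch_age_days=3, risk_score=85)

if __name__ == "__main__":
    print("traditional:", traditional_decide("dba", "prod-postgres"))  # True, forever, any device
    grant = request_session(ALICE, HEALTHY, "prod-postgres", NOW)
    print("optimal grant issued:", grant is not None)
    if grant is not None:
        print("still valid after risk spike:",
              session_still_valid(grant, ALICE, COMPROMISED, LATER))  # False
```

The Traditional path answers the same question for every request until someone edits the mapping; the Optimal path issues a grant that expires in minutes and is withdrawn as soon as the device's risk score crosses the threshold, which is the behaviour the model's "dynamic policies based on automated or observed triggers" and "continuous validation" language describes.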
How StrongDM Simplifies Zero Trust Implementation
Zero Trust implementation can seem daunting, particularly for organizations that are taking a reactive approach to data loss prevention. StrongDM simplifies Zero Trust at the optimal level for the network/environment, application and workload, and data pillars by detecting suspicious behavior in real time and providing a full audit trail that logs every permission change and every query an employee runs.
This checks the boxes for optimal threat protection, visibility and analytics, automation and orchestration, governance, access authorization, and access determination, all key components of Zero Trust.
IT administrators already have enough to do without manually configuring access and implementing Zero Trust from scratch. StrongDM makes it easy with a Dynamic Access Management (DAM) Platform that provides access to resources based on what’s actually needed and enforces a Zero Trust model that keeps infrastructure and resources safe.
Want to see how StrongDM can help your organization move toward Zero Trust? Book a demo today.
About the Author
Schuyler Brown, Co-founder / CCO, began working with startups as one of the first employees at Cross Commerce Media. Since then, he has worked at the venture capital firms DFJ Gotham and High Peaks Venture Partners. He is also the host of Founders@Fail and author of Inc.com's "Failing Forward" column, where he interviews veteran entrepreneurs about the bumps, bruises, and reality of life in the startup trenches. His leadership philosophy: be humble enough to realize you don’t know everything and curious enough to want to learn more. He holds a B.A. and M.B.A. from Columbia University. To contact Schuyler, visit him on LinkedIn.