How various zero trust controls, frameworks and guidance align, and how to move forward with them
July 5, 20223:15 pm
4 min read
If nothing else, the recent escalation of cyberattacks over the past couple of years has driven home the importance and the value of zero trust to any federal agencies that might have been on the fence. But there is an abundance of information and documentation that they need to understand and conform to. From the National Institute of Standards and Technology’s 800-207 to Trusted Internet Connection 3.0, not to mention the recent executive orders and...
If nothing else, the recent escalation of cyberattacks over the past couple of years has driven home the importance and the value of zero trust to any federal agencies that might have been on the fence. But there is an abundance of information and documentation that they need to understand and conform to. From the National Institute of Standards and Technology’s 800-207 to Trusted Internet Connection 3.0, not to mention the recent executive orders and memo, it can be difficult to reconcile all that information.
“There’s a lot of documentation out there. And it’s really hard to kind of see the ties between them all. But they are all interrelated,” said Danny Connelly, chief information security officer for the Americas at Zscaler. “The Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget did a great job in aligning the mandates and policies where in the past, it’s all been, in my opinion, siloed. And agencies are left with multiple different mandates and initiatives and drivers that they try to comply with.”
For example, TIC 3.0 allows agencies to move away from the traditional network-centric security approach. Agencies no longer are required to move traffic back through a data center. It was forward thinking because, previously, agencies were trying to implement the same protections that they had on prem to the cloud environments, which doesn’t scale. So when TIC 3.0 came out and gave agencies the flexibility to really leverage modern solutions, its security capabilities aligned to NIST controls.
The problem is, agencies understand the importance of all of these disparate controls and requirements separately, but they struggle with figuring out how to move forward with all of them.
“They’re thinking that there’s some magical CISA Authorizing Official that says ‘you are TIC compliant.’ There’s no EINSTEIN cop out there,” Connelly said. “It’s supposed to be a joint partnership between the agency security teams, and CISA. And really, it’s up to the risk tolerance of the agency CIO and CISO to define what that TIC 3.0 framework looks like for their agency or what those requirements look like.”
The administration is struggling to find a balance here, Connelly said, between being prescriptive enough that agencies are all on the same page with their implementations, but offering enough flexibility to account for difference in requirements and differences in mission. That’s why the cybersecurity memorandum from the White House begins shifting the focus from compliance towards operational security.
One thing Connelly said he’d like to see additional guidance around is decommissioning VPNs. It’s a 20 year old architecture, and it did work for a long time. But a lot of agencies are slow in acknowledging that it’s outdated, that there’s a significant attack surface, and that it’s time to shift the model to connecting users to apps. That said, Connelly also said that runs the risk of being too prescriptive; it’s a double-edged sword that could help some agencies, but deny others the flexibility they need to function well.
Connelly said agencies have working capital funds and other similar mechanisms to get funding for these efforts. The challenge, he said, is where to start, considering all the different controls and frameworks and guidance to take into account.
That’s when it’s time to go back to CISA’s five pillars of zero trust, he said, and focus on your biggest risk. So, for example, agencies should ensure they have a robust identity access management system or endpoint detection and response put into place. And those efforts need accountability at all levels of the organization, Connelly said.
“CISA is there to help, and agencies that need help should engage with them. It’s a partnership,” he said. “When you’ve been operating in silos for 20 years, between network teams, security teams, identity access management, all just focused on their individual mission, it’s not going to work, because the shift to zero trust is such a monumental change that it really needs everybody to be on the same page. That’s the biggest hurdle. This is agencies’ time. It’s an opportunity.”
And it’s an opportunity that needs to be capitalized upon soon. Connelly said he’s seen technology and security initiatives in the past that had momentum behind them early on, but then turned into short term experiments because there wasn’t enough follow up to set the foundation for a long term change in philosophy. Most of those, he noted, were focused on the old way of protecting networks.
But one way zero trust can move forward is through more mature standards and metrics.
“In the past, zero trust used to always be kind of a marketing term. It meant least privileged, default deny, the things that we always knew as security best practices,” Connelly said. “But now that there are things like 800-207 and the CISA maturity model, it’s now defined and more measurable. Are those measurements effective and adequate? I don’t think we’ll know until organizations are using it.”