Abstract
Recently we’ve been seeing a buzz about the “Zero Trust Framework” and governance model, especially when defining a security model that adapts to the complexity of modern hybrid environments. In this article, we’ll review the recent materials, standards, and guidance principles related to this new model of security architecture, in the hope of helping you on your journey to better security governance.
What is Zero Trust Architecture and Governance?
As defined by the National Institute of Standards and Technology (NIST) SP 800-207 publication:
Zero Trust is the term for an evolving set of network security paradigms that move network defenses from wide network perimeters to narrowly focusing on individual or small groups of resources.
A Zero Trust Architecture (ZTA) strategy is one where there is no implicit trust granted to systems based on their physical or network location (i.e., local area networks vs. the Internet). Access to data resources is granted when the resource is required, and authentication (both user and device) is performed before the connection is established.
Draft NIST Special Publication 800-207, Scott Rose / Stu Mitchell / Sean Connelly, September 2019
For federal frameworks, additional governance and controls apply such as the Trusted Internet Connections (TIC) and Continuous Diagnostics and Mitigation (CDM). Both may not apply to commercial entities, but are excellent references to information and best practices:

- The Trusted Internet Connections (TIC) is a federal cybersecurity initiative to enhance network and perimeter security across the United States federal government. The TIC initiative is a collaborative effort between the Office of Management and Budget (OMB), the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the General Services Administration (GSA). The above linked Handbook provides various controls and best practices helpful for managing risk in Federal systems.
- The Continuous Diagnostics and Mitigation (CDM) program is led by the Cybersecurity and Infrastructure Security Agency (CISA). The CDM program delivers cybersecurity capabilities across the federal government including providing cybersecurity tools, services, reporting and best practices. The Continuous Diagnostics and Mitigation Program Fact Sheet outlines five key program areas including dashboarding, asset management, identity and access management, network security management and data protection management.
Zero Trust Frameworks align to key security protection principles for ease of reference.
How to evaluate and implement

Implementation of a Zero Trust Framework and Governance process is highly dependent on your organization’s maturity and evolutionary steps taken so far in your enterprise. This is where VVL Systems can provide guidance with tangible plans and outcomes which align to your objectives.
Different organizational requirements and existing technology implementations affect how this model is planned and implemented. This maturity model diagram is a great reference (credit: Microsoft) on a typical journey.
Meanwhile, below are some guiding principles and tangible building blocks we typically recommend, together with recommendations from Microsoft and Industry partners.
Guiding Principles
- Verify explicitly – Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least privileged access – Limit user access with Just In Time and Just Enough Access (JIT/JEA), risk based adaptive policies, and data protection to protect both data and productivity.
- Assume breach – Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices, and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility, drive threat detection, and improve defenses.
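The three principles above can be read as inputs and rules of a policy decision function. The following is an added example, not code from the original article or from Microsoft or NIST; the signal names, classification labels, country list and risk thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Sensitivity ranking for the data-classification signal (labels are assumptions).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool        # identity signal
    device_compliant: bool  # device health signal
    country: str            # location signal
    resource: str
    classification: str     # data classification signal
    risk_score: float       # anomaly signal: 0.0 (normal) to 1.0 (highly anomalous)

def decide(req, entitlements, allowed_countries=frozenset({"US", "CA"})):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    level = SENSITIVITY.get(req.classification)
    if level is None:
        return "deny", ["unknown data classification"]  # fail closed
    # Least privilege: an explicit entitlement is required for every resource.
    if req.resource not in entitlements.get(req.user, set()):
        return "deny", ["no entitlement for resource"]
    deny, step_up = [], []
    if req.risk_score >= 0.8:
        deny.append("high anomaly score")
    if not req.device_compliant and level >= SENSITIVITY["confidential"]:
        deny.append("non-compliant device for sensitive data")
    if deny:
        return "deny", deny
    # Verify explicitly: any weak signal forces re-verification, never a silent allow.
    if not req.mfa_passed:
        step_up.append("MFA not satisfied")
    if req.country not in allowed_countries:
        step_up.append("unusual location")
    if not req.device_compliant:
        step_up.append("non-compliant device")
    if req.risk_score >= 0.4:
        step_up.append("elevated anomaly score")
    return ("step_up", step_up) if step_up else ("allow", [])
```

No signal grants access on its own: a request from an expected location still needs an entitlement, a healthy device and a satisfied MFA check.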
The below diagram is a great reference for Zero Trust across a digital estate (Credit: Microsoft Zero Trust Maturity Model):

Implementation Methods
In summary, the following actions are found to be key enablers to achieving a Zero Trust Framework:
- Enable a Cloud Construct security capability which automates the detection and remediation of security vulnerabilities, access rules and application control errors, restricts malicious activity, and detects threats using analytics and intelligence. Furthermore, integrate it with your Security Operations Center (SOC/vSOC) for predictive incident detection and handling.
- Implement continuous monitoring and configuration control for your compute, networking, storage, data, and applications. The Center for Internet Security (CIS) outlines a guide for security controls in the Top 20 Critical Security Controls (CSC). The CSC highlight the importance of configuration management in CSC 1: Inventory of Authorized and Unauthorized Devices and CSC 2: Inventory of Authorized and Unauthorized Software.
Each resource requires individual controls and domain expertise to properly distinguish true issues from false positives; therefore, generic on-premises solutions may not adapt easily without significant time invested. Take a look at our discussion on Portfolio Discovery.
- Enable and enforce Multi-Factor Authentication to secure the control plane for your enterprise identity management. Leverage built-in (Azure Active Directory or AWS IAM) or 3rd party products (Okta, etc.) which allow Single Sign-On (SSO) capability.
Furthermore, enabling identity monitoring enables you to take proactive actions before an incident takes place or reactive actions to stop an attack attempt.
- Monitor your Access Requests, as this is critical in detecting unauthorized access to cloud resources. Below is an example from Microsoft, who categorizes alerts by the intent of an attacker.


- Implementing encryption is one of the most overlooked aspects for those seeking a Zero Trust framework. Most clients we encounter default to the Cloud Service Provider to handle encryption, when in fact this is part of the client’s shared responsibility model.
Implementation of encryption should apply to In Transit as well as At Rest. This includes EBS volumes, Virtual Machine Disks, Storage accounts, Snapshots, to name a few.
This is often overlooked due to the lack of policy direction on handling a Key Management System (KMS), especially when deciding whether to use CSP or customer-provided KMS solutions. Furthermore, who will be providing the keys? The following questions plague decision making:
Who holds the key? The tenant or the provider? Operations or Information Security? The Cloud Service Provider? What if I lose it?
- Be prophetic about data protection. Encourage a culture towards achieving the highest baseline posture possible within your organization. We’ve seen clients take the approach of “Security Shame” (not usually what we recommend) or performance-oriented goals tied to year end bonuses and compensation.
- Implement network segmentation, which makes it more difficult for an attacker to move laterally within a target environment and minimizes the “blast zone” of your architecture. Segmentation with Virtual Firewalls, Security Groups, and Network Security Groups is a fantastic way to enable this, together with micro-services. Micro-services minimize the chances of the whole of your application and data being compromised.
- Remediate Vulnerabilities proactively. We find this to be a significant challenge for large organizations. We tend to break it down to three functional challenge areas:
- Lack of automation between detection (Information Security), prioritization (business and operational impact), and remediation (applying vendor or regulatory fixes).
This is where a solution such as BMC Software’s TrueSight Automation for Servers and Networks facilitates a faster “shift left” vulnerability management approach, as well as BMC Helix Remediate for a SaaS based solution.
- Incoherent understanding of assets, product owners, and dependencies. Take a look at our article around Portfolio Discovery.
- Don’t forget about IoT & Hybrid Workloads. As billions of new devices are connected to the internet, and integrated into our daily lives and our businesses, your security operations teams must ensure their security strategies evolve quickly enough to cover each new attack surface. Like any other system, to comprehensively secure your IoT solution, it requires protection at every stage of implementation.
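For the encryption item in the list above, the "who holds the key?" question can be answered from inventory data rather than by assumption. The following is an added example, not part of the original article: it audits a constructed inventory shaped like the output of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots`, and the resource IDs, key ARNs and the approved-account list are placeholders and assumptions.

```python
import json

# Constructed sample; field names follow the EC2 describe-volumes and
# describe-snapshots output, all IDs and ARNs are placeholders.
SAMPLE = json.loads("""
{
 "Volumes": [
  {"VolumeId": "vol-0aaa", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-1"},
  {"VolumeId": "vol-0bbb", "Encrypted": false}
 ],
 "Snapshots": [
  {"SnapshotId": "snap-0ccc", "VolumeId": "vol-0bbb", "Encrypted": false},
  {"SnapshotId": "snap-0ddd", "VolumeId": "vol-0aaa", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-1"},
  {"SnapshotId": "snap-0eee", "VolumeId": "vol-0fff", "Encrypted": true,
   "KmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/EXAMPLE-KEY-2"}
 ]
}
""")

def audit_encryption(inventory, approved_key_accounts):
    """Return (resource_id, finding) pairs for at-rest encryption gaps.

    approved_key_accounts: account IDs your policy allows to hold keys (assumption).
    """
    findings = []
    for kind, id_field in (("Volumes", "VolumeId"), ("Snapshots", "SnapshotId")):
        for res in inventory.get(kind, []):
            rid = res.get(id_field, "<unknown>")
            # A missing flag is treated as unencrypted, so gaps are never hidden.
            if not res.get("Encrypted", False):
                findings.append((rid, "not encrypted at rest"))
                continue
            # KMS key ARN layout: arn:partition:kms:region:account-id:key/key-id
            parts = res.get("KmsKeyId", "").split(":")
            account = parts[4] if len(parts) >= 6 else None
            if account not in approved_key_accounts:
                findings.append((rid, "key held outside approved accounts"))
    return findings
```

Snapshots are checked separately from volumes because a snapshot taken from an unencrypted volume stays unencrypted even if the volume is later replaced.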
Tools for consideration for your Zero Trust Implementation
As you begin to assess your Zero Trust readiness and begin to plan on the changes to improve protection across identities, devices, applications, data, infrastructure, and networks, consider these key investments as recommended by industry to help drive your Zero Trust implementation more effectively:
- Strong authentication – Ensure strong multi factor authentication and session risk detection as the backbone of your access strategy to minimize the risk of identity compromise.
- Policy-based adaptive access – Define acceptable access policies for your resources and enforce them with a consistent security policy engine that provides both governance and insight into variances.
- Micro-segmentation – Move beyond simple centralized network based perimeter to comprehensive and distributed segmentation using software defined micro perimeters.
- Automation – Invest in automated alerting and remediation to reduce your mean time to respond (MTTR) to attacks. Solutions such as BMC Helix Cloud Security and BMC Helix Remediate are great examples of lowering your MTTR.
- Intelligence and AI – Utilize cloud intelligence and all available signals to detect and respond to access anomalies in real time.
- Data classification and protection – Discover, classify, protect, and monitor sensitive data to minimize exposure from malicious or accidental exfiltration. Knowing your unknowns is extremely important to beginning this type of protection.
In Conclusion
Industry (including VVL) is currently on a continuous journey to envision, define, and implement Zero Trust. We all realize that this security model is promising and substantially effective in enriching your security posture, but it must be integrated across your entire digital estate (weakest link phenomenon) and this does not occur overnight.
It is important to consider each investment and align with your business needs, and realize that your first step does not have to be a large “lift and shift” to cloud-based security tools; one must review existing investments and identify opportunities to evolve. This is, after all, an evolution not a revolution.
Many thanks to Microsoft for aiding in the vision and many of the points highlighted in this blog, together with many of the references identified throughout the article.
This article contains our opinion on the state of the industry, and includes various curated topics and materials from vendors, industry leaders, and regulatory bodies, with the purpose to simplify the information for those seeking knowledge. Rights and credits shall apply to those who are referenced and the materials utilized for this article.