Hello all – Thanks for joining the most recent Zero Trust Maturity Model working session, on April 21.
We continued our discussion about the CISA Zero Trust Maturity Model, with part 3 of the discussion queued up for next time.
Meeting recording (mp4): https://drive.google.com/file/d/1hxIspG3tBOzQcNiNBfx6c96ZM8zfw1J5/view?usp=sharing
Meeting notes:
Topic: Walkthrough of CISA Zero Trust Maturity Model:
https://www.cisa.gov/sites/default/files/publications/CISA%20Zero%20Trust%20Maturity%20Model_Draft.pdf
CISA Model - Continued Discussion
- Devices
- Identity
  - We critiqued the CISA note on page 7: "As agencies migrate services to the cloud, their users will have identities among a variety of providers. To effectively manage these identities and align security protections holistically, agencies will need to integrate their on-premises identities with those in the cloud environments. These integrated identities, however, can increase the attack surface of the agency because a compromised identity or identity provider may permit access across the broader agency environment."
  - We felt it's not obvious or automatic that centralizing into an integrated identity provider will increase the attack surface or risk; in fact, in many cases, because a single centralized IdP is typically better operated, such a setup can improve security.
- Compliance monitoring
  - Better to have percentages vs. "limited" and "most"
  - Different types of devices: user devices, servers, IoT
- Visibility / Asset Management
  - Very often an issue; most orgs don't do a great job with this
  - This lack of visibility represents a shortcoming
  - In the CISA doc, it shows the "how", not the "what"
  - This should be broader than just hardware and devices
    - Networks, data, cloud accounts, topologies, etc. are all "assets" that are important from a ZT perspective
  - Asset status and attributes are important input into ZT access decisions (the device posture)
    - This device posture information could come from a ZT client running on the device itself, or from a separate system (e.g. EDR) as input into the PDP for deciding about access
  - ZTMMs can't be overly prescriptive because there are many ways to solve each problem, and different orgs will already have elements in place
    - Idea: the ZTMM should include examples of these considerations and different approaches, to analyze pros and cons
  - Likely we'd want to treat different devices separately (e.g. not lump together user devices, servers, IoT)
  - How much of the "how" should we include?
    - Add "example technologies" for the rows (or even the levels)
    - How can we do this without making the document too detailed?
    - e.g. Visibility and Analytics mentions "use an EDR tool"
  - CISA verbiage "make services and data available directly to users without routing through traditional access points." is confusing and incorrect/misleading
- Network/Environment
  - Network segmentation
  - Threat protection
  - Encryption
    - Optimal should require encryption everywhere, not "where possible"
    - If you aren't encrypting traffic, you aren't at "optimal"
- Automation & Orchestration
  - Progression is reasonable
  - Change management is reflected in this progression. Processes around this need to be tied into the asset & device inventory
  - Automation is key to ensuring the integrity of all these systems and processes
  - CISA needs to better define what they mean by "enabling agencies to make applications and services available directly to remote users and branch offices."
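As an added illustration of the points discussed above (device posture from an EDR or ZT client feeding the PDP, treating user devices, servers and IoT separately, encryption everywhere as a precondition, and reporting compliance as percentages rather than "limited"/"most"), here is example code that is not from the working group or from CISA; the posture attributes, per-class policy and sample fleet are all assumed/constructed:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePosture:
    """Constructed posture record, in the shape an EDR or ZT client might report."""
    device_id: str
    device_class: str              # "user", "server" or "iot"
    edr_healthy: bool              # agent running and reporting
    disk_encrypted: bool
    patched: bool
    firmware_signed: bool = False  # only meaningful for IoT

# Per-class posture requirements (assumed policy): each listed attribute must be True.
POLICY = {
    "user":   ("edr_healthy", "disk_encrypted", "patched"),
    "server": ("edr_healthy", "patched"),
    "iot":    ("firmware_signed", "patched"),
}

def failed_checks(p: DevicePosture) -> list[str]:
    """Return the required attributes this device does not satisfy."""
    required = POLICY.get(p.device_class)
    if required is None:
        return ["unknown_device_class"]
    return [attr for attr in required if not getattr(p, attr)]

def decide(p: DevicePosture, transport_encrypted: bool) -> tuple[str, list[str]]:
    """PDP decision: allow only when posture passes and the session is encrypted."""
    reasons = failed_checks(p)
    if not transport_encrypted:
        reasons.append("cleartext_transport")
    return ("allow" if not reasons else "deny"), reasons

def compliance_percent(fleet: list[DevicePosture]) -> dict[str, float]:
    """Compliant share per device class, as a percentage rather than 'limited'/'most'."""
    counts: dict[str, list[int]] = {}
    for p in fleet:
        c = counts.setdefault(p.device_class, [0, 0])
        c[0] += not failed_checks(p)   # count compliant devices
        c[1] += 1                      # count all devices in the class
    return {cls: round(100 * ok / n, 1) for cls, (ok, n) in counts.items()}

FLEET = [  # constructed sample inventory
    DevicePosture("lt-01", "user", True, True, True),
    DevicePosture("lt-02", "user", True, False, True),
    DevicePosture("srv-01", "server", True, False, True),
    DevicePosture("cam-01", "iot", False, False, True, firmware_signed=True),
    DevicePosture("cam-02", "iot", False, False, False),
]
```

With this fleet, `decide(FLEET[1], True)` returns `('deny', ['disk_encrypted'])` and `compliance_percent(FLEET)` returns `{'user': 50.0, 'server': 100.0, 'iot': 50.0}`.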
Next meeting - Thursday, May 5 at 8pm ET - which is Friday May 6 at 00:00 UTC / 8am China Standard Time
Note that we're switching back to the 8pm ET meeting time for our next meeting.
Topic: Continued walkthrough of CISA Zero Trust Maturity Model:
We will post the meeting Zoom link within 36 hours of the next meeting