New CISA Zero Trust Updates Confirm Identity’s Central Role

Experts agree that using Zero Trust as a guidepost for least privilege management and benchmarking program maturity makes it practical and more a journey than a destination. A zero trust architecture (ZTA) is a set of policies, controls, and principles made possible by multiple security solutions working in concert with one another. ZTA is not a single solution that organizations can purchase and install. Organizations looking to transition to ZTA should follow the recently updated Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model for guidance. Moving toward ZTA requires changing policies within their networks, deploying controls to enforce zero trust principles, and carrying over or replacing legacy systems—without disrupting operations.

These are also multi-faceted identity management challenges – and recent changes to the CISA Zero Trust model reflect the industry’s evolving identity management needs. Notably, CISA now presents Identity as the first pillar in its Zero Trust Maturity Model, encouraging enterprises to take meaningful preventative and continuous monitoring measures to keep their identities secure.

CISA’s Zero Trust Updates and Their Impact

The updated CISA Zero Trust Maturity Model defines the five pillars of Zero Trust as Identity, Device, Network Environment, Application/Workload, and Data. This model creates clear “swim lanes” for security controls, which can help organizations better understand where their needs may lie. Within each pillar, the model also breaks maturity down into the stages of ‘Traditional,’ ‘Advanced,’ and ‘Optimal.’

Traditional (the lowest maturity level) defines items like static security policies, manual configurations, assignment of attributes, and other base-level capabilities. The other end of the spectrum is optimal, including entirely automated attribute assignment to assets and resources, dynamic policies based on observed triggers, and other more advanced capabilities. Advanced sits somewhere in between.

The new guidelines also note the need for visibility and analytics, automation and orchestration, and governance across environments, highlighting the need for automated data collection, correlation, and threat intelligence sharing. Gathering adversary intelligence is critical in today’s threat environment, and the more information organizations can arm themselves with, the better their chances of recognizing—and repelling—an attack.

The Five Pillars of Zero Trust

Zero trust architecture leans heavily on multiple components and capabilities of identity management, asset management, application authentication, network segmentation, and threat intelligence. As the CISA Zero Trust Maturity Model notes, a practical and effective ZTA implementation needs to look across all five elements that seek to limit—but not eliminate—implicit trust. It is essential to understand what each of those elements means:

1. Identity. An “identity” refers to an attribute or set of attributes for any entity – human and machine – on the network. Focusing on identity ensures that the right users and other entities have the right access to the right resources at the right time. It also provides continuous and automated visibility to exposures and can aid organizations in establishing a least-privilege principle for access. It also provides the security controls for identity threat detection and response (ITDR) and to identify a lack of compliance or policy drift.
2. Device. Organizations must identify and inventory each company-controlled device and have a solution that monitors, manages, and controls them.
3. Network Environment. This pillar refers to an open communications medium (including an organization’s internal networks, wireless networks, and the internet) used for transporting messages. Organizations need to align their network segmentation and protections according to the needs of their application workflows instead of the implicit trust inherent in traditional network segmentation.
4. Application/Workload. Applications and workloads include systems, computer programs, and services that execute on-premises or cloud environments. Organizations must secure and manage the application layer and containers while providing secure application delivery.
5. Data. Organizations must protect data on all devices, in all applications, and across networks. Organizations should inventory, categorize, and label data while protecting data at rest and in transit. Controls must also be in place for detecting data and unauthorized data modification. This level of trust should include conditional access based on authorized, authenticated, and entitled access.

Putting Identity First

Establishing a zero-trust environment requires a combination of policies and solutions, but it is encouraging to see CISA acknowledge identity’s essential role in the process. Identity-based attacks are on the rise as adversaries continue to leverage compromised identities as an easy way to infiltrate corporate networks. Zero trust architecture can help, but building it requires continuous visibility into all identities, permissions, and potential exposures across endpoints, directory services, and cloud environments. SentinelOne solutions treat identity security as the foundation of ZTA, providing visibility to entitlements across the entire organization, identity-based threat detection, and identity protection based on cloaking technology that hides and denies access to sensitive or privileged identities.

SentinelOne identity solutions identify identity exposures on endpoints, Active Directory, and the cloud to reduce the identity attack surface.

• The Ranger® Identity Assessor for AD solution assesses Active Directory (AD) and Azure AD for vulnerabilities within the database that attackers can exploit so organizations can remediate them before attackers can use them.
• Attack path visualization tools look for and remediate identity exposures at the endpoints, including stored or orphaned credentials and misconfigurations.
• The cloud environment for entitlement management (CIEM) solution checks for exposures related to identities, entitlements, and resources so that the organization can reduce overprovisioned entitlements.

The SentinelOne Identity Threat Detection and Response (ITDR) solutions provide additional layers of defense by efficiently detecting and responding to identity-based attacks.

• The SingularityTM Identity solution detects identity attacks from either endpoints or domain controllers to alert on unauthorized queries and violations of identity trust.
• The Hologram solution complements EDR solutions and detects identity-based attacks targeting credentials at the endpoints. It protects against credential theft or privilege escalation on the endpoints and binds credential stores to their applications to derail credential theft.

These capabilities throw attackers off their game by adding layers of defense to what has historically been an easier attack vector. All while putting organizations in the best possible position to take the next step in their zero trust journey.

Conclusion

A zero trust architecture must validate and revalidate every system, device, and user accessing the network – each with its own set of policies – to be effective, which can cause user and device management overhead to increase significantly. The recently updated CISA Zero Trust Maturity Model provides the guidance organizations need to transition to ZTA and achieve their security goals.