Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Moving to zero trust architecture (ZTA) and secure access service edge (SASE) is more of a journey than a project. This piece provides a roadmap for moving to ZTA and SASE that goes from choosing use cases and defining scope to establishing a policy model
and identifying gaps—all with an eye toward maturing the environment over time.
When getting started in ZTA and SASE it is key to address the common use cases for zero trust based on identity type: people, applications and equipment.
This is a crucial first step, because it narrows down the options for the policy decision and enforcement points (PEP/PDPs). Arguably, the policy engine between every session and every connection is the defining element of a ZTA. In fact, ZTA extends
the dynamic trust boundary, so it is short-lived, tightly scoped, enforced by policy, and informed by trust signals and telemetry. But how ZTA accomplishes this varies by type of identity:
A good plan of attack is to:
ZTA is defined in the NIST SP 800-207 document. Security architects can implement the tenets of ZTA using existing control frameworks, aligning with the
NIST CyberSecurity Framework (CSF) and following the NIST Risk Management Framework (RMF) [external link to: https://csrc.nist.gov/Projects/risk-management/about-rmf].
The CSF provides the controls objectives and the RMF provides a high-level process for planning and implementation.
For organizations using the CIS Critical Security Controls (CSC), these prescriptive controls are mapped to the CSF functions: identify, protect, detect, respond and recover. The ZTA tenets can be supported by specific CSC control activities (see Figure
Figure 1: Mapping ZTA Tenets to CSC Controls
All data sources and computing services are considered resources.
All communication is secured, regardless of network location.
Access to individual enterprise resources is granted on a per-session basis.
Access to resources is determined by dynamic policy—including the observable state of client identity, application/ service and the requesting asset—and may include other behavioral and environmental attributes.
The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
All resource authentication and authorization is dynamic and strictly enforced before access is allowed.
The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture.
Source: IANS, 2022
Within the given use case, the first objective is to increase coverage of these ZTA tenets on the people, devices and resources within scope. From there, ZTA maturity can be improved on by following maturity models such as the CISA Zero Trust Maturity Model. Similarly, the first objective with CIS CSCs is to increase control coverage aligned with the ZTA tenets within scope.
The next step is to ensure the controls are not only in place, but are also documented in policy, codified into processes and routinely audited. An organization can gauge the maturity here using the CIS Cybersecurity Maturity Model (CMMC). Make this process manageable by working only on the CIS sub-controls enabled to realize the ZTA tenets and only the controls applied within scope.
CIS CMM mapping to Cybersecurity Maturity Model Certification (CMMC) provides specific
NIST practice identifications. These practices correlate to 14 domains that align with the NIST SP 800-171 families (see Figure 2).
Figure 2: Example From the CIS CMMC
NIST Practice ID Number
Establish and Maintain Detailed Enterprise Asset Inventory
Address Unauthorized Assets
Security organizations can improve NIST maturity by increasing the ZTA maturity (at the architectural level) and the corresponding CSC maturity (at the control level). The trick is to maintain the mappings between these three frameworks.
For workforce use cases one implementation of ZTA is ZTNA. ZTNA can be accomplished by proxy, standalone VPN or as a feature of a SASE product. In addition to ZTNA, SASE products often include:
One potential benefit of using SASE to deliver ZTNA is that it extends the trust signals and enforcement options. For example, downloading specific data to the device (monitored by DLP) or clicking on links and opening malicious websites (monitored by
CASB) may change the risk posture. The enforcement options may increase to controlling interactions on web apps (through CASB), preventing specific data (via DLP) or limiting the trust boundary at a lower layer (via FWaaS, SD-WAN or SWG).
The SASE market is in the early stages and is continuing to evolve. Compared to other approaches for ZTA, SASE should be evaluated more thoroughly to ensure the feature set performs as desired.
Advanced-state architecture for ZTA use cases will have the identity on their device accessing applications through a PEP/PDP, with additional security products providing input into the policy engine. This differs from the reality for many organizations
on the journey to zero trust in two aspects:
It’s important to plan ZTA with as few policy engines as possible. In addition, evaluate the possibility for the policy engines to integrate on the control plane, and make sure to avoid policy sprawl.
The transitional and hybrid architecture must be carefully considered to ensure it does not provide adversaries ways to bypass or circumvent the ZTA controls. Some general rule of thumb tips include:
Successful moves to zero trust will take time and be characterized by incremental wins. To ensure you start your journey efficiently:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
September 26, 2023
By IANS Faculty
Access key data sets from the 2023 edition of IANS and Artico Search’s Security Budget Benchmark Report. Gain valuable insights on security budget increases and the drivers behind them.
September 21, 2023
Learn why CISOs Need D&O Liability Insurance Coverage now more than ever along with guidance to help minimize potential cyber liability risk.
September 19, 2023
Discover the diversity of IANS Faculty's real-world expertise. Learn how our faculty members can help you solve your most challenging security issues.