Prioritizing a Zero Trust Journey Using CIS Controls v8
By: Kathleen M. Moriarty, CIS Chief Technology Officer
Zero trust improves the security of IT environments as demonstrated over time by reduced attacker dwell time. The challenge many people face is understanding where to begin.
If you look at a particular vendor’s zero trust-aligned products, you may think of zero trust as being specific to their product set, whether it be identity and access management, microservices, or some other technology-specific solution. Zero trust has evolved, however, and the best description of it today, in my opinion, is the NIST Special Publication 800-207 on Zero Trust Architecture:
An operative definition of zero trust and zero trust architecture is as follows:
Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.
Zero trust architectures are not only comprehensive, but also granular. We’ve moved from the zero trust definitions of a decade ago that provide isolation between applications with networking controls, to a model where isolation is at a component level within an application. Additionally, all of the tenets of zero trust apply at that granular level.
Zero Trust: Moving Security in the Right Direction
The pervasiveness of zero trust may seem overwhelming, on two points. First, if I can’t manage what I have today, how do I support zero trust? And second, how do I begin a zero trust journey?
The good news is that zero trust gives us a pivot point. We are transitioning to a new architectural model that positions security controls and management at the endpoint. Due to the use of pervasive encryption, we have an opportunity to build in security with management patterns that scale. Vendors following zero trust will provide an assurance that their products and the modules in their products meet expectations and are automatically verifiable. While this is not available today, zero trust is moving security in this direction.
Easier Detection of Unexpected Behaviors
This type of transformation builds in security and provides an opportunity for organizations to select a scalable model that reduces resource needs. If security is built in by the vendor and verified automatically, we can also begin to shift to allow list approaches that enable easier detection of unexpected behaviors. In other words, you can prevent and detect attacks from allow list approaches. This is instead of relying on products that compare artifacts and behaviors to known bad lists or deny lists after the fact.
This transition is supported by the recent Cybersecurity Executive Order published in May 2021. It will take time, but it can happen. A focus on how to scale management should be a consideration for vendors and consumers in their product selection as we make this transition. While that’s great, it sounds far off. What can organizations do today?
Prioritize Initiatives with CIS Controls v8 on your Zero Trust Journey
The Center for Internet Security (CIS) recently published an updated version of the CIS Controls (version 8). This new version refined previous recommendations. It adjusted prioritizations of some Controls and Safeguards based on expert consensus and validated by current threats to have the most impact in reducing risk.
Here’s a brief overview of what’s new in CIS Controls v8.
Within each of the 18 Controls, there is a set of Safeguards. The Safeguards comprise the more fine-grained recommendations to address the associated threats for that Control. Each Safeguard is categorized into one of three Implementation Groups (IGs), providing the prioritized recommendations that span the 18 CIS Controls. Controls v8 supports a zero trust architecture, while also aligning to the recommendations for built-in security, pervasive encryption, allow-list functionality, and supply chain security risk reduction called out specifically in the Cybersecurity Executive Order published in May 2021.
A Great Starting Point for Your Zero Trust Journey
If you are looking for a starting point on your zero trust journey, consider using the CIS Controls v8 to prioritize your journey and have the greatest impact on risk reduction based on current threats. By breaking the journey down into achievable steps, an organization can make progress in the journey while being assured that the steps taken are prioritized in a meaningful way.
The CIS Community Defense Model process to validate the Controls and Safeguards prioritization found that IG1 addresses the top five attacks from the Verizon Data Breach Report. The prioritization is based on a complex assessment of threats from numerous breach reports. This includes Multi-State Information Sharing and Analysis Center (MS-ISAC) data.
CIS Controls v8 Mapping to NIST SP 800-207 Zero Trust Tenets
The chart included below describes the mapping of CIS Controls v8 as they align to the NIST SP 800-207 Zero Trust Tenets.
About the Author
Chief Technology Officer
Kathleen Moriarty, Chief Technology Officer, Center for Internet Security has over two decades of experience. Formerly as the Security Innovations Principal in Dell Technologies Office of the CTO, Kathleen worked on ecosystems, standards, and strategy. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS.
Kathleen achieved over twenty years of experience driving positive outcomes across Information Technology Leadership, IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as, a Bachelor of Science Degree in Mathematics from Siena College.