6 CISO Takeaways from the NSA’s Zero-Trust Guidance
The reality of cybersecurity for companies is that adversaries compromise systems and networks all the time, and even well-managed breach-prevention programs often have to deal with attackers inside their perimeters.
On March 5, the National Security Agency continued its best-practice recommendation to federal agencies, publishing its latest Cybersecurity Information Sheet (CIS) on the Network and Environment pillar of its zero-trust framework. The NSA document recommends that organizations segment their networks to limit unauthorized users from accessing sensitive information though segmentation. That’s because strong cybersecurity measures can stop compromises from turning into full-blown breaches by limiting all users’ access to areas of the network in which they have no legitimate role.
The guidance from the NSA also allows security teams to make a stronger business cases to management for security protections, but CISOs need to set expectations because implementation is a tiered and complex process.
While the document targets defense-related government organizations and industries, the wider business world can benefit from zero-trust guidance, says Steve Winterfeld, advisory CISO at Internet services giant Akamai.
“The reality is not [whether] you have unauthorized access incidents, it’s if you can catch them before they become breaches,” he says. “The key is ‘visibility with context’ that microsegmentation can provide, backed up with the ability to rapidly isolate malicious behavior.”
Companies have embarked on zero-trust initiatives to make their data, systems, and networks harder to compromise and, when they are compromised, to slow attackers down. The framework is a solid set of guidelines for how to proceed, but implementing it is not easy, says Mike Mestrovich, CISO at Rubrik, a data security and zero-trust provider.
“Most networks have evolved over time and it is very difficult to go back and rearchitect them while keeping the business running,” he says. “It is doable, but it can be costly both in terms of time and money.”
Here are six takeaways from the NSA guidance.
1. Learn All Seven Pillars of Zero Trust
The latest document from the National Security Agency dives into the fifth pillar of the seven pillars of zero trust: the network and environment. Yet the other six pillars are equally important and show “how wide-ranging and transformational a zero-trust strategy has to be to be successful,” says Ashley Leonard, CEO at Syxsense, an automated endpoint and vulnerability management firm.
“Network and environment” is the fifth pillar in the National Security Agency’s Seven Pillars of Zero Trust. Source: NSA
“For companies looking to get started with zero trust, I’d highly encourage them to review the NSA information sheets on the user and device pillars — the first and second pillars of zero trust, respectively,” he says. “If a company is just getting started, looking at this networking and environment pillar is a bit like putting the cart before the horse.”
2. Expect Attackers to Breach Your Perimeter
The network and environment pillar of the NSA’s zero-trust plan is all about trying to stop attackers from expanding a breach after they have already compromised a system. The NSA guidelines point to the Target breach of 2013 — without explicitly naming the company — because the attackers entered via a vulnerability in the company’s third-party HVAC system, but then were able to move through the network and infect point-of-sale devices with malware.
Companies should assume they will be compromised and find ways to limit or slow down attackers, NSA Cybersecurity Director Rob Joyce said in a statement announcing the release of the NSA document.
“Organizations need to operate with a mindset that threats exist within the boundaries of their systems,” he said. “This guidance is intended to arm network owners and operators with the processes they need to vigilantly resist, detect, and respond to threats that exploit weaknesses or gaps in their enterprise architecture.”
3. Map Data Flows to Start
The NSA guidance is a tiered model, where companies should start with the basics: mapping data flows in their networks to understand who is accessing what. While other zero-trust approached have been documented, such as NIST’s SP 800-207 Zero Trust Architecture, the NSA’s pillars provide a way for organizations to think about their security controls, Akamai’s Winterfeld says.
“Understanding data flow primarily provides situational awareness of where and what the potential risks are,” he says. “Remember, you can’t protect what you don’t know about.”
4. Move to Macrosegmentation
After tackling any other fundamental pillars, companies should look kick off their foray into the Network and Environment pillar by segmenting their networks — perhaps broadly at first, but with increasing granularity. Major functional areas include business-to-business (B2B) segments, consumer-facing (B2C) segments, operational technology such as IoT, point-of-sale networks, and development networks.
After segmenting the network at a high level, companies should aim to further refine the segments, Rubrik’s Mestrovich says.
“If you can define these functional areas of operation, then you can begin to segment the network so that authenticated entities in any one of these areas don’t have access without going through additional authentication exercises to any other areas,” he says. “In many regards, you will find that it is highly likely that users, devices, and workloads that operate in one area don’t actually need any rights to operate or resources in other areas.”
5. Mature to Software-Defined Networking
Zero-trust networking requires companies to have the ability to quickly react to potential attacks, making software-defined networking (SDN) a key approach to not only pursuing microsegmentation but also to lock down the network during a potential compromise.
However, SDN is not the only approach, Akamai’s Winterfeld says.
“SDN is more around governance of operations but depending on your infrastructure might not be the optimal solution,” he says. “That said, you do need the types of benefits that SDN provides regardless of how you architect your environment.”
6. Realize Progress Will Be Iterative
Finally, any zero-trust initiative is not a one-time project but an ongoing initiative. Not only do organizations need to have patience and persistence in deploying the technology, but security teams need to revisit the plan and modify it as they face — and overcome — challenges.
“When thinking about starting on the zero-trust journey their guidance on starting with mapping data flows then segmenting them is spot on,” Winterfeld says, “but I would add that is often iterative as you will have a period of discovery that will require updating the plan.”