Zero Trust Concepts & Audit Implications

Zero trust compliance guide

Over the past several years, the concept of Zero Trust has transitioned from an industry buzzword to a pillar of information security. In this blog post, we will break down what zero trust means in the industry, what the pillars of zero trust are, and how zero trust concepts impact auditing activities and other factors in the world of governance, risk, and compliance.

What is Zero Trust? Beyond the Buzzword

The most direct definition of zero trust can be obtained from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, “Zero Trust Architecture”, which describes zero trust as providing “a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

Broken down into plain language, zero trust rests on the principle of least privilege, which NIST defines as “The principle that a security architecture is designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function.” In a zero trust architecture that principle is applied to every access request: the requesting identity, the device it comes from, and the context of the session are evaluated each time access is sought, nothing is trusted simply because it originates inside the network, and only the least level of access necessary to perform the authorized function is granted.
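To make “per-request, least privilege, network assumed compromised” concrete, here is a small policy decision function. It is an added illustration for this post, not code from NIST or CISA; the AccessRequest and DevicePosture types, the decide() function, the role table, the resource sensitivity labels and the sample requests are all assumptions constructed for the example. Note what the policy does and does not look at: it never consults the source address (a request from the office LAN earns nothing), it re-evaluates MFA strength, device posture and session risk on every call, it denies unknown resources by default, and it grants only the one action requested.

```python
"""Per-request access decision in the spirit of NIST SP 800-207 (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Set, Tuple


class Action(Enum):
    READ = "read"
    WRITE = "write"
    ADMIN = "admin"


@dataclass(frozen=True)
class DevicePosture:
    """Posture signals an endpoint agent would report (assumed fields)."""
    managed: bool
    disk_encrypted: bool
    edr_healthy: bool
    os_patched: bool

    def compliant(self) -> bool:
        return self.managed and self.disk_encrypted and self.edr_healthy and self.os_patched


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    roles: FrozenSet[str]
    mfa_method: str            # "none", "otp" or "phishing_resistant"
    device: DevicePosture
    resource: str
    action: Action
    source_ip: str             # carried for logging only; the policy never reads it
    risk_score: int            # 0..100 from an assumed risk-signal pipeline


# Constructed policy data: what each role may do on each resource,
# and how sensitive each resource is.
ROLE_PERMISSIONS = {
    "analyst":  {"hr-db": {Action.READ}, "wiki": {Action.READ, Action.WRITE}},
    "hr-admin": {"hr-db": {Action.READ, Action.WRITE}},
    "platform": {"hr-db": {Action.ADMIN}, "wiki": {Action.ADMIN}},
}
RESOURCE_SENSITIVITY = {"hr-db": "high", "wiki": "low"}


def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one request from scratch and return (allowed, reason).

    Nothing is remembered from earlier sessions, an 'internal' source
    address earns no trust, unknown resources are denied by default, and
    the grant covers only the single action requested.
    """
    if req.mfa_method == "none":
        return False, "authentication without MFA is not accepted"
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource)
    if sensitivity is None:
        return False, "unknown resource (default deny)"
    if sensitivity == "high" and req.mfa_method != "phishing_resistant":
        return False, "high-sensitivity resource requires phishing-resistant MFA"
    if not req.device.compliant():
        return False, "device posture not compliant"
    if req.risk_score >= 70:
        return False, "session risk score too high"
    permitted: Set[Action] = set()
    for role in req.roles:
        permitted |= ROLE_PERMISSIONS.get(role, {}).get(req.resource, set())
    if req.action not in permitted:
        return False, "role(s) %s do not permit %s on %s" % (
            sorted(req.roles), req.action.value, req.resource)
    return True, "allowed: %s on %s" % (req.action.value, req.resource)


GOOD_DEVICE = DevicePosture(managed=True, disk_encrypted=True, edr_healthy=True, os_patched=True)
BYOD_DEVICE = DevicePosture(managed=False, disk_encrypted=True, edr_healthy=False, os_patched=True)


def sample_requests():
    """Constructed requests that exercise each rule; returns {label: (allowed, reason)}."""
    base = dict(subject="alice", roles=frozenset({"analyst"}), mfa_method="phishing_resistant",
                device=GOOD_DEVICE, resource="hr-db", action=Action.READ,
                source_ip="203.0.113.7", risk_score=10)
    cases = {
        "analyst reads hr-db from outside, compliant device": AccessRequest(**base),
        "same user on the office LAN but an unmanaged device":
            AccessRequest(**{**base, "source_ip": "10.0.0.5", "device": BYOD_DEVICE}),
        "analyst tries to write hr-db": AccessRequest(**{**base, "action": Action.WRITE}),
        "hr-admin with OTP only on hr-db":
            AccessRequest(**{**base, "subject": "bob", "roles": frozenset({"hr-admin"}),
                             "mfa_method": "otp"}),
        "analyst writes the low-sensitivity wiki with OTP":
            AccessRequest(**{**base, "resource": "wiki", "action": Action.WRITE,
                             "mfa_method": "otp"}),
    }
    return {label: decide(req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in sample_requests().items():
        print("%-55s %s (%s)" % (label, "ALLOW" if allowed else "DENY", reason))
```

The second sample request is the one to notice: the same user with the same role is refused from inside the corporate network because the device is not managed, which is exactly the inversion of the perimeter model the NIST definition describes.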

Authoritative Sources for Zero Trust Guidance

The most practical set of guidance for most organizations is the Zero Trust Maturity Model (ZTMM), version 2.0 of which was released in April 2023 by the Cybersecurity and Infrastructure Security Agency (CISA). CISA is a U.S. government agency focused on enhancing the nation’s cybersecurity and safeguarding its critical infrastructure. It was officially launched on November 16, 2018, when the Cybersecurity and Infrastructure Security Agency Act of 2018 was signed into law.

While the ZTMM is an excellent resource on its own, it’s important to understand that much of the basis for zero trust concepts was derived from other sources. The primary sources for zero trust strategy and implementation include the Office of Management and Budget memorandum M-22-09 (the Federal Zero Trust Strategy), NIST SP 800-207 and its cloud-native companion SP 800-207A, and the National Security Agency’s “Embracing a Zero Trust Security Model”. The primary benefit of the ZTMM is that it consolidates the guidance from these sources into a maturity-based roadmap that guides organizations through the development and implementation of controls associated with zero trust concepts. Another excellent resource, which also links to the Office of Management and Budget’s Federal Zero Trust Strategy, is zerotrust.cyber.gov.


Zero trust compliance guide infographic

Source: CISA Zero Trust Maturity Model Document

Pillars of Zero Trust: The Basics

The implementation of zero trust goes far beyond basic ideas like deperimeterization, which is not in fact a fundamental aspect of zero trust: defense-in-depth is just as relevant in a zero trust architecture as it has ever been. First, we’ll take a look at the five vertical pillars of the zero trust architecture, then we will review the cross-cutting capabilities that form its horizontal foundation.

Identity

In information security, an identity is the set of attributes that uniquely distinguishes a person, system, or device, in much the same way a fingerprint or signature provides accountability for an individual. Managing identities is crucial to security: it ensures the right individuals or entities can access the right resources while unauthorized access is refused. Strong identity management is the foundation of an effective security program, helping organizations control access to important data and maintain a safe and compliant digital environment. As technology changes at an ever faster pace, managing identity and access remains a significant challenge for organizations to address.

Devices

From a security viewpoint, “devices” are the physical or virtual machines that can connect to a network or system: computers, smartphones, tablets, servers, firewalls, and so on. Securing these devices, and being able to verify their state at the time of an access request, prevents a compromised or unmanaged endpoint from becoming the path to unauthorized access in an increasingly connected threat landscape.

Networks

Networks are the communication paths, physical or virtual, over which devices exchange information, from a wired network in a single building to cloud-hosted virtual networks reached over the internet. Networks can be segmented into separate security domains, and in some cases fully “air-gapped” so that they have no connectivity to the global internet at all. Securing networks protects data in transit, prevents unauthorized access, and limits an attacker’s ability to move laterally once one segment has been compromised.

Applications & Workloads

These refer to the software programs and tasks running on a network, system, or cloud environment. In the context of zero trust, the default is to trust neither external nor internal sources, meaning that applications and workloads are not automatically trusted, even when they are running within the organization’s (physical or virtual) network.

Data

This includes all types of data, both structured and unstructured, that have been or are currently stored in systems, devices, networks, applications, databases, infrastructure, and backups. It also includes the metadata associated with that data.

In addition to the basic pillars we’ve addressed, there are several foundational capabilities that support all of the pillars of zero trust across the model, which include:

  • Visibility and Analytics – Visibility refers to the observable artifacts that result from the characteristics of, and events within, an enterprise environment. Analyzing that cyber-related data informs policy decisions, supports response activities, and builds a risk profile so that security measures can be put in place before an incident happens.
  • Automation and Orchestration – Automated workflows, tools, and logic that manage security response functions across products and services are essential to zero trust capabilities. They provide oversight, security, and control over how those processes and technologies are developed and operated across the zero trust pillars.
  • Governance – CISA’s Zero Trust Maturity Model defines governance as the “definition and associated enforcement of agency cybersecurity policies, procedures, and processes, within and across pillars, to manage an agency’s enterprise and mitigate security risks in support of zero trust principles and fulfillment of federal requirements.”


Zero trust maturity journey

The Journey to Zero Trust Maturity

Even from a 30,000-foot view, implementing a robust zero trust architecture can appear daunting at best, and nearly impossible to some organizations. One way in which CISA’s guidance shines is its maturity roadmap, which lays out a pathway from legacy controls to the advanced controls of an optimized zero trust environment. In this section, we will address the maturity levels identified within the Zero Trust Maturity Model. The examples provided are not intended to be all-inclusive, but present a broad overview of maturity for an example environment. Reviewing these levels makes it clear that the goal is not simply deperimeterization, but the creation of many layers of security domains which collectively protect systems.

Level 1 – Traditional (The Ground Floor)

At this level, organizations may have weak (or even strong) control implementation across the spectrum of the pillars of zero trust, but the solutions are not integrated. Manual processes hinder the efficient and timely execution of vital control activities. Very low levels of segmentation leave entire swaths of the network vulnerable to pivoting, and access controls are highly static – which means that as organizational roles, responsibilities, and functions change, access controls are probably not keeping up. An asset inventory may exist, but is likely neither complete nor accurate.

Level 2 – Initial (Moving in the Right Direction)

With the initial zero trust concepts and control implementation underway, well-designed and effective identity management has been implemented, but there still may be a disconnect between user risk profiles and identity management. Assets are being actively tracked using a formal process, but the process is likely somewhat manual and not tracking assets in real time. There may be some segmentation and implementation of security domains, but it is done using broad approaches that do not authenticate users or systems dynamically. Some level of data classification has been implemented, but it is not fully integrated into access control systems.

Level 3 – Advanced (Solid Momentum)

At this point, robust identity management capabilities are in place and advanced (phishing-resistant) MFA has been implemented on critical systems to secure the most critical assets. Most SaaS applications leverage a central identity provider, and access grants and terminations are performed automatically based on employee or contractor status. Significant segmentation is in place, but there are still sections of the network that are considered “flat”. Encrypted protocols (e.g., SSH, TLS) are robustly implemented, actively managed, and monitored, and context-based access rules have been implemented to achieve session-level protection. Data classification and tracking have been deployed for most systems, and a data loss prevention (DLP) capability using static policies is in place.

Level 4 – Optimal (Continually Optimizing)

A truly robust information security program has been implemented, strong access control mechanisms are in place (e.g., MFA everywhere), and all SaaS applications leverage a central identity provider where appropriate. Continual endpoint monitoring and threat detection are in place, and threats and alerts are actively managed rather than handled with the largely reactive approach seen at lower levels. A very high degree of segmentation is in place, with a significant level of context-based access control implemented to provide only “as needed” or “when needed” access: when access is not required, it is not present. Immutable workloads are in place, and a high degree of assurance is achieved through automated means. Data classification and inventory activities are fully automated and feed into the other pillars to inform access control, endpoint risk, network integrity, and application security.

The key to reviewing these levels is to demonstrate that through incremental progress, organizations can implement robust zero-trust capabilities using a risk-based approach. In some cases, organizations may wish to focus more on endpoint controls, or more on network-based controls – this is perfectly reasonable as long as the decisions are well-informed using risk as the measuring stick.


Audits in a zero trust architecture

Auditing & Assessment of Zero Trust Environments

The emergence and adoption of more zero trust capabilities have had a significant impact on the world of auditing. Changes in the industry, largely driven by the decentralization of the workplace, cloud migration, and technological advances have driven a need to continuously adapt and improve auditing techniques. So what questions should your auditor be asking you about your environment while looking at things through the lens of zero-trust architecture?

How Does Your Organization Actively Manage Its Inventories?

Automating the inventory management process, and including not only endpoints but also cloud resources, data stores, and other non-physical assets, is one of the first steps in a quality zero-trust implementation. You cannot secure what you don’t have visibility into, so be prepared to talk about how you maintain visibility in your environment!

How Does the Organization Integrate HRIS Systems with Identity Management Systems?

Too often, we observe fundamental disconnects between the employee/contractor management process and the identity management practices of an organization. In many cases, when an employee separates, the separation notice never reaches IT, or, because of shadow IT, the separated user holds accounts in SaaS systems that IT doesn’t even know about. Integrating the HRIS platform with your identity provider (and automating the exchange of joiner, mover, and leaver events between the two) is a critical first step. The logical next step is to combat SaaS sprawl and leverage SSO wherever possible so that disabling the identity provider account actually removes access everywhere.
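The kind of check an auditor will perform here, and which an organization can run on itself before the audit, is a reconciliation of the HR roster against the identity provider and each SaaS tenant. The script below is an added example written for this post, not Linford & Company’s or any vendor’s tooling: the HrRecord, IdpAccount and SaasAccount record shapes, the finding codes, and the sample exports are constructed assumptions, and a real HRIS, IdP or SaaS export would have to be mapped onto that shape first. It surfaces the three failure modes described above: leavers still enabled in the IdP, IdP accounts with no HR record behind them, and SaaS accounts that sit outside SSO or belong to people who are no longer employees.

```python
"""Reconcile an HRIS roster against IdP and SaaS account exports (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]


@dataclass(frozen=True)
class IdpAccount:
    email: str
    enabled: bool
    apps: FrozenSet[str]             # applications assigned through SSO


@dataclass(frozen=True)
class SaasAccount:
    app: str
    email: str
    sso_enforced: bool               # False: a local password login still works


Finding = Tuple[str, str, str]       # (finding type, identity, detail)


def reconcile(hr: List[HrRecord], idp: List[IdpAccount],
              saas: List[SaasAccount], as_of: date) -> List[Finding]:
    """Return the findings an HRIS-to-IdP integration should have prevented."""
    findings: List[Finding] = []
    hr_by_email = {r.email: r for r in hr}
    idp_by_email = {a.email: a for a in idp}

    # Leavers whose IdP account is still enabled (the "notice never reached IT" case).
    for r in hr:
        if r.status == "terminated" and r.termination_date is not None:
            acct = idp_by_email.get(r.email)
            if acct is not None and acct.enabled:
                days = (as_of - r.termination_date).days
                findings.append(("IDP_ENABLED_AFTER_TERMINATION", r.email, "%d days" % days))

    # IdP accounts with no HR record at all: orphans, or identities HR never knew about.
    for a in idp:
        if a.email not in hr_by_email:
            findings.append(("IDP_ACCOUNT_WITHOUT_HR_RECORD", a.email, "no HR record"))

    # SaaS accounts: held by non-employees, bypassing SSO, or unknown to the IdP (sprawl).
    for s in saas:
        r = hr_by_email.get(s.email)
        if r is None or r.status == "terminated":
            findings.append(("SAAS_ACCOUNT_FOR_NON_EMPLOYEE", s.email, s.app))
        elif not s.sso_enforced:
            findings.append(("SAAS_LOCAL_LOGIN_BYPASSES_SSO", s.email, s.app))
        else:
            acct = idp_by_email.get(s.email)
            if acct is None or s.app not in acct.apps:
                findings.append(("SAAS_ACCOUNT_NOT_ASSIGNED_IN_IDP", s.email, s.app))
    return sorted(findings)


def run_example() -> List[Finding]:
    """Constructed exports for a small tenant, reconciled as of 2024-03-31."""
    hr = [
        HrRecord("alice@example.com", "active", None),
        HrRecord("bob@example.com", "terminated", date(2024, 3, 1)),
        HrRecord("carol@example.com", "active", None),
    ]
    idp = [
        IdpAccount("alice@example.com", True, frozenset({"github", "slack"})),
        IdpAccount("bob@example.com", True, frozenset({"slack"})),    # never disabled
        IdpAccount("dave@example.com", True, frozenset()),           # no HR record
    ]
    saas = [
        SaasAccount("github", "alice@example.com", True),
        SaasAccount("jira", "alice@example.com", True),              # not assigned in IdP
        SaasAccount("slack", "bob@example.com", True),
        SaasAccount("github", "carol@example.com", False),           # local login
        SaasAccount("slack", "erin@example.com", False),             # shadow IT
    ]
    return reconcile(hr, idp, saas, as_of=date(2024, 3, 31))


if __name__ == "__main__":
    for kind, who, detail in run_example():
        print("%-35s %-22s %s" % (kind, who, detail))
```

The “days since termination” detail is the number an auditor will ask for, because it turns a yes/no finding into evidence about how long the deprovisioning control has been failing; run against real exports, every finding type above maps to a question in the HRIS-to-IdP section of an audit.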

How Does the Organization Continually Apply Endpoint Hardening Capabilities & System Baselines (+ Monitor for Non-Compliance)?

In mature environments, we expect to see a high level of endpoint automation: mobile device management and endpoint protection, with configuration baselines enforced centrally, drift from those baselines reported into the SIEM, and automated response capabilities that act on non-compliance without waiting for a person to notice.

While these are only a few considerations, by working with an experienced audit firm your organization will be able to develop control objectives and undergo a tailored audit focused on its own needs. Tailoring control objectives to match the zero-trust capabilities actually implemented produces higher-quality audits, which in turn provide a greater level of assurance that the zero trust architecture is both effective and validated.

Conclusion

Elevate your information security posture with our expertise at Linford & Company, LLP. As former Big-4 auditors and experienced specialists in information security audits and assessments, we understand the critical importance of implementing and assessing a robust zero-trust framework to safeguard your organization’s critical assets.

Ready to take the next step in enhancing your security measures? Don’t wait until the next audit; be proactive in securing your data and building trust with business partners and customers. Reach out to us today, and let’s develop a roadmap for the assessment of your zero trust architecture. Whether in support of SOC 2, HITRUST, FedRAMP, ISO, HIPAA, CMMC, or any other regulation or framework, your resilient and secure future begins with a simple conversation.