The Cybersecurity and Infrastructure Security Agency has released new zero-trust guidance for agencies that are looking to stop hackers from moving laterally within their networks.
A zero-trust network is a security model that assumes no user or device, whether inside or outside the network, should be automatically trusted. The security model requires strict identity verification and access control for every user and device attempting to access resources.
CISA, a federal agency within the U.S. Department of Homeland Security, highlighted in a recent report the importance of microsegmentation, a security control that prevents a breach of one device or account from being used to spread malware, steal data and compromise accounts across an organization by limiting connections to a zone or segment.
The new guidance is the first in a “journey to zero trust” series that CISA is producing to help federal agencies and other organizations take next steps toward adopting the agency’s cybersecurity concept. It provides example scenarios and other considerations to help organizations plan for a phased approach.
The Biden administration initiated the government-wide push to the new cybersecurity architecture with a zero-trust strategy in January 2022. The Trump administration has largely continued those efforts.
CISA said traditional perimeter-focused architecture that uses IP address ranges and virtual local area networks is no longer effective in protecting enterprise resources from cyber intrusions and compromise.
Microsegmentation pools databases, servers and user devices into smaller groups, reducing the attack surface, limiting lateral movement and increasing visibility for better monitoring.
The guidance is geared toward non-technical management positions, according to CISA officials. The agency plans to follow up with a more technically focused second guide.
CISA said many government and private-sector organizations made early investments in zero-trust network access tools. The new guidance was published to help organizations optimize their new tech investments and put them to work.
CISA said microsegmentation requires careful organizational planning. The new guidance helps organizations balance the frictionless, smooth experience they have tried to create for intended users against technology that slows down adversaries and limits potential damage.
The document said it was best to take a phased approach to transitioning to microsegmentation and a zero-trust network.
Recommended steps include:
- Going through applications, workflows, data, assets and environments to prioritize resources for microsegmentation. Some organizations may prioritize microsegmenting easier resources and waiting until they are more experienced to address critical assets.
- Identifying any other applications, workflows, data, assets and environments needed to perform the business function. CISA said stakeholders should be included in this step.
- Investigating different segmentation options that enable resources to perform their business functions. The organization would then select the appropriate policy using organization-specific criteria (such as security, ease of implementation or ease of long-term maintenance).
- Testing proposed segmentation policies.
- Deploying the policy with appropriate visibility. CISA said the organization should provide public documentation of the changes and the current enforcement level, as well as a clearly defined channel for users to provide feedback and receive assistance.
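As an added example (not from the CISA guidance or this article), the testing step can be made concrete by checking a candidate segment policy against the workflows identified in the earlier steps: a policy passes only if every recorded business flow is still allowed and every unwanted cross-segment path is denied. The hostnames, segments, flows and rules below are constructed for illustration.

```python
"""Check a proposed microsegmentation policy against recorded workflows."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port")

# Constructed asset inventory: hostname -> segment (output of the prioritisation step).
SEGMENTS = {
    "laptop-17": "users", "web-1": "web", "app-1": "app", "db-1": "db",
}

# Constructed flows recorded while the business function ran (identification step).
REQUIRED_FLOWS = [
    Flow("laptop-17", "web-1", 443),
    Flow("web-1", "app-1", 8080),
    Flow("app-1", "db-1", 5432),
]

# Cross-segment paths the policy must block, e.g. a user device reaching the database
# directly, or the web tier bypassing the app tier (constructed).
LATERAL_PATHS = [
    Flow("laptop-17", "db-1", 5432),
    Flow("laptop-17", "app-1", 8080),
    Flow("web-1", "db-1", 5432),
]

# Perimeter-style policy: anything inside the network may talk to anything else.
FLAT_POLICY = {("*", "*", "*")}

# Proposed microsegmentation policy: explicit segment-to-segment allows, default deny.
MICROSEG_POLICY = {
    ("users", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
}


def allowed(policy, flow):
    """True if any rule permits the flow; '*' matches any segment or port."""
    src, dst = SEGMENTS[flow.src], SEGMENTS[flow.dst]
    return any(
        rs in ("*", src) and rd in ("*", dst) and rp in ("*", flow.port)
        for rs, rd, rp in policy
    )


def evaluate(policy):
    """Return (broken_workflows, open_lateral_paths) for a candidate policy.

    An acceptable policy returns ([], []): no business flow is blocked and no
    unwanted path stays open. A non-empty first list means the policy is too
    tight; a non-empty second list means it is too loose."""
    broken = [f for f in REQUIRED_FLOWS if not allowed(policy, f)]
    exposed = [f for f in LATERAL_PATHS if allowed(policy, f)]
    return broken, exposed
```

Running `evaluate` over each candidate before deployment gives the feedback loop the testing step calls for: the flat policy keeps every workflow working but leaves all three lateral paths open, while the segmented policy closes them without breaking a recorded flow.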