
NSA: Time for cybersecurity to grow up — zero-trust maturity in the network
The United States National Security Agency (NSA) has been issuing periodic guidance documents, called cybersecurity information sheets (CSI), describing best practices and frameworks for achieving specific security goals.
The purpose of these documents is to assist government agencies and contractors in fulfilling the objectives of the National Cybersecurity Strategy issued by the White House in March 2023. However, as stated under the heading of “Audience” in the NSA CSI we’ll be looking at here, “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar,”
This CSI provides guidance primarily intended for National Security Systems (NSS), the Department of Defense (DoD), and the Defense Industrial Base (DIB). However, it may be useful for owners and operators of other systems that might be targeted by sophisticated malicious actors.
And since “sophisticated malicious actors” are targeting just about any system they can find, it will be useful to pretty much anyone in a cybersecurity leadership role.
The seven pillars of zero trust maturity
The NSA and various partner organizations identify seven “pillars of zero trust.” The NSA is in the process of publishing a CSI for each pillar. The pillars are:
User: Continually authenticate, assess, and monitor user activity patterns to govern users’ access and privileges while protecting and securing all interactions.
Device: Understand the health and status of devices to inform risk decisions. Real time inspection, assessment, and patching informs every access request.
Application and Workload: Secure everything from applications to hypervisors, to include the protection of containers and virtual machines.
Data: Data transparency and visibility is enabled and secured by enterprise infrastructure, applications, standards, robust end-to-end encryption, and data tagging.
Network and Environment: Segment, isolate, and control (physically and logically) the network environment with granular policy and access controls.
Automation and Orchestration: Automate security response based on defined processes and security policies enabled by AI, e.g., blocking actions or forcing remediation based on intelligent decisions.
Visibility and Analytics: Analyze events, activities, and behaviors to derive context and apply AI/ML to achieve a highly personalized model that improves detection and reaction time in making real-time access decisions.
The idea is that organizations should aim to implement and continually update zero-trust controls across all seven pillars in order to achieve optimal security against those sophisticated malicious actors—and minimize the risk of potentially very costly breaches and data thefts.
Zero Trust for the Network and Environment pillar
The Introduction to the Network and Environment (N&E) pillar CSI describes an example of a devastating data breach that could have been avoided by the implementation of zero trust practices.
In brief, criminals acquired login credentials for an HVAC company that provided services to a major retailer. To monitor their client’s HVAC system, this company had been given credentials to access the client network. The criminals were therefore able to do the same. And, since the retailer lacked proper segmentation and access-control policies, they then loaded malware onto the retailer’s POS system and stole information for about 40 million debit and credit cards.
The Introduction continues:
Traditional network security has emphasized a defense-in-depth approach; however, most networks invest primarily in perimeter defense. Once inside the network perimeter, end users, applications, and other entities are often given broad access to multiple corporate resources. If network users or components are compromised, malicious actors can gain access to critical resources from inside or outside the network. Ideally, organizations should manage, monitor, and restrict both internal and external traffic flows.
In other words, it’s critical to recognize that perimeter defense is inadequate on its own. Or, more bluntly, it’s time for cybersecurity pros to grow up and start taking defense-in-depth seriously.
The remainder of the CSI provides detailed explanations of how to prepare for and achieve basic, intermediate, and advanced maturity in four different aspects of network and environment zero-trust security:
Data flow mapping—Identifies the route data travels within an organization and describes how that data transforms from one location or application to another.
Macro segmentation—Provides high-level control over traffic moving between various areas of an organization’s network by breaking up a network into multiple discrete components with each supporting a different security requirement.
Micro segmentation—Provides security at a granular level by breaking down a portion of the network into smaller components to limit how data flows laterally through strict access policies.
Software Defined Networking—Offers unique advantages in terms of granularity through micro segmentation, adaptability, and centralized policy management. Integrating SDN components into existing infrastructure also can enable customizable security monitoring and alerting.
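To make data flow mapping and segmentation concrete, here is an added example (not taken from the NSA CSI or from Barracuda) that maps observed flows to segments and flags anything outside a default-deny allow-list, using the HVAC-vendor scenario described above. The segment names, address ranges, ports, and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption): macro segments as CIDR blocks.
SEGMENTS = {
    "vendor": ipaddress.ip_network("10.10.0.0/24"),
    "hvac":   ipaddress.ip_network("10.20.0.0/24"),
    "corp":   ipaddress.ip_network("10.30.0.0/24"),
    "pos":    ipaddress.ip_network("10.40.0.0/24"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything absent is denied, including traffic inside one segment
# (the micro-segmentation case: no implicit lateral trust).
ALLOWED = {
    ("vendor", "hvac", 443),   # HVAC contractor reaches HVAC controllers only
    ("pos", "corp", 8443),     # POS terminals report to a payment gateway
}

def segment_of(ip):
    """Return the segment name for an address, or 'unmapped'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unmapped"

def audit_flows(flows):
    """Map each observed flow to segments and return the policy violations."""
    violations = []
    for src, dst, port in flows:
        key = (segment_of(src), segment_of(dst), port)
        if key not in ALLOWED:
            violations.append((src, dst, port, f"{key[0]}->{key[1]}"))
    return violations

# Constructed flow records (src, dst, dst_port), as a flow export might supply.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.9", 443),    # vendor -> HVAC: allowed
    ("10.10.0.5", "10.40.0.12", 445),   # vendor -> POS: cross-segment, denied
    ("10.40.0.12", "10.40.0.13", 445),  # POS -> POS: lateral, denied
    ("10.40.0.12", "10.30.0.7", 8443),  # POS -> gateway: allowed
    ("192.0.2.50", "10.40.0.12", 22),   # unmapped source: denied
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("DENY", *v)
```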
How Barracuda can help
Unless you are way ahead of the curve on implementing zero trust across the seven pillars, I highly recommend that you get your hands on the “Advancing Zero Trust Maturity” CSIs that NSA is releasing. They’re clear and concise, and they provide a valuable, manageable roadmap to achieving mature zero-trust security in each of the pillars.
For zero trust in the network and environment pillar, Barracuda SecureEdge can greatly accelerate your progress along that roadmap. It’s our advanced Secure Access Service Edge (SASE) platform, and it integrates a variety of capabilities—advanced firewall-as-a-service, zero-trust access controls, data-flow visibility and control, SD-WAN connectivity, and more—that make it extraordinarily simple to achieve and maintain over time all four aspects of security as described in the NSA CSI.
