
Welcome. This is going to be "Measuring Your Zero Trust Maturity." Thank you for coming out on such a dreary day and staying to almost the very end of the conference. This will be worth it. I'm Elizabeth Schweinberg and I work at the Centers for Medicare and Medicaid Services.

So a little bit more about me and why you should listen. My official title is Digital Services Expert at the U.S. Digital Service. We help different federal agencies with their digital services. Most of my co-workers help work on websites and other types of services for the public, but I ended up at the Centers for Medicare and Medicaid Services. We call it CMS because we're in Maryland, we're just in Woodlawn on the other side of 695, and we wanted to be one of the cool three-letter agencies. So I've been there about two and a half years, and about a year and a half ago, summer of 2021, I started leading their zero trust architecture. I'm a long-time practitioner of digital forensics, incident response and threat detection, and I spent about a decade doing it in corporate environments. When I made the transition to the Digital Service I became a zero trust architect, and a lot of that was because of my experience directly in the corporate world: the companies I worked for had gone through zero trust transformations, and I was able to work with the corporate security teams and really understand the fundamentals.

So what are we going to talk about today? I'm going to start with an overall "what is zero trust." We'll talk specifically about the CISA Zero Trust Maturity Model, how to apply zero trust to your environment, how CMS measured our zero trust maturity, which was super fun, and I'll give you some tips for creating your own framework and doing the next best thing.

So what is zero trust? Zero trust is a security model that emphasizes frequently verifying trust relationships. You move from checking permissions at the perimeter to checking permissions as one moves throughout the system. A user starts with zero trust when you show up, and as you collect more information about the user you can choose whether to increase that trust or decrease that trust.

I like to think of it as trying to go to a professional sports ball game. This is a wonderful replica of Oriole Park at Camden Yards, where the beloved Maryland Baltimore Orioles play. When you show up to a game, the first thing you do is go through a bag check and a metal detector. They want to make sure you're not bringing in anything untoward, and that's similar to running anti-virus and EDR on our systems to make sure that they're healthy. Next up, you're going to get your ticket scanned: are you there for the right day, the right time? Yes? No? Better come back a different time. This is like your authentication. Then when you get to your section your ticket is going to get checked again to make sure you're in the right place, that you're not trying to sneak into the more expensive seats. As you go throughout the stadium you might see other checks, like if you go to a concession stand and try to buy an alcoholic beverage you're going to have to prove you're 21. If you are going to the club level there's a check just to get up there, because they've got fancy concessions and not just anybody can get them. So that's, you know, making sure that you have permissions to different systems and applications as you try to do the job.

There are three popular zero trust frameworks, particularly if you are in the federal government. The first one is NIST Special Publication 800-207, Zero Trust Architecture. It uses seven tenets for you to think about as you are building your systems, and they give three architecture approaches. This one tends to be a little bit more network-centric. Then there's the DoD Zero Trust Reference Architecture. They use seven pillars to describe an environment, within each pillar there are different functions, and there are three maturity levels. And then lastly we have the CISA Zero Trust Maturity Model, which has five pillars, each with their own functions, three cross-cutting functions and four maturity levels.

All right, now, so this is it in depth. The five pillars are identity, devices, networks, applications and workloads, and data. So when I talk about a function, what do I mean by that? If you have an identity system, there are some things it needs to do to be an identity system. We'll start with: you need a list of your users, some sort of user store. You are going to need some authentication. To be a good identity provider you're going to need some sort of risk assessment and some sort of privilege management. So each of the five pillars has very specific functions. You fulfill all those things, well, most of those things, and you can do the job. In addition to those four functions for identity, and across the line, there are also three cross-cutting functions that each pillar must fulfill: visibility and analytics, automation and orchestration, and governance. This is the main difference between the DoD model and the CISA zero trust model. DoD gives visibility and analytics and automation and orchestration their own pillars; otherwise the other five pillars are the same. CISA just integrates them into each one, calling out specific things that you need to have visible or be able to analyze and/or automate and orchestrate.

And then as of April 10th, after I had already made my draft of the slides, CISA released version two of the maturity model, where they went from three levels to four levels. Originally it was just traditional, advanced, optimal, and now we have a new level, initial, which actually I fully support.

So traditional is just the way we've been doing security for the last 20, 30 years. There's going to be a lot of manual configuration, the pillars don't really work together, they're pretty siloed, any permissions would be set at provisioning, and you're going to have limited visibility. As you move into initial you're going to start to have automation. Maybe you use some sort of gold image to provision your laptops every time so you don't have to go through and click next, next, next on your Windows. You're going to start seeing some cross-pillar integration. One of the more popular things that I've seen is around device certificates and using those to enable network access. So gone are the days where anybody could walk up with a network cable, plug into the wall and get access to your corporate environment. Now it's going to ask for your device certificate. If you don't have it, maybe you get put on a special VLAN; if you do have it, great, you can access the corporate network. You might start seeing time changes around permissions. So I'm a system administrator, sometimes I need to do really administrative things, and instead of letting me be the highest privilege all the time, I can turn it on and after a set amount of time it'll turn off. And then we're also going to get aggregated visibility. This is where we centralize our logs, because when you put all your logs in the same place you can find them later.

Moving into advanced: automation everywhere. Your policy enforcement is going to be integrated across all of your pillars. You're not just going to do time-based enhancements or dehancements to your different privileges, but maybe there will be changes based on risk or posture. So if you are coming from your corporate laptop you can do one thing, but if you're on your mobile phone, maybe it's a bring-your-own-device kind of situation, maybe you can only access your email and calendar, and any serious data you don't have access to. And then not only are we getting all of our logs in the same place, we are also able to integrate the visibility of them. Then as we move into optimal we are fully automated, just in time, all the pillars are talking to each other, our permissions are dynamically set enterprise-wide, and not just are we centralizing our information but we are also using it for situational awareness, because we can look at the history of people and use that to inform us of what is going on. I'm going to preserve questions for the end.

So I was like, sweet, we got this maturity model, I'm going to take it and compare it to our environment and we are going to know how mature we are. And then we started trying to talk about this and we found some very interesting things. Zero trust looks different in different environments. To continue with the sports metaphor, I talked about how things look when you go to Camden Yards. Now let's say instead we were going to go to Pimlico and watch the horses race in a couple of weeks. It is a very different setup. You've got the inside-the-track view, you've got the big tall building you can sit in, and there are different zones. How people move between the zones is different. What you're allowed to bring into Pimlico is different than what you can bring into Camden Yards. The hats are different. It's just a completely different environment that you really need to think about differently.

So some of the specific things we found. One of the things was identity in different environments. When you're just talking about your enterprise environment, you're thinking about staff and contractors and how they use business applications. Sweet, that's a little easier, because you give them equipment, you give them accounts, they would like to get paid to do their job, so they'll follow the rules. As you move into your on-prem data center, now you have to think about your system administrators and the developers: what are they allowed to access and how should they have to prove themselves? Plus now maybe you're developing software for the public or for business partners, and that changes what you can expect of them. And then when you're using infrastructure as a service, for identity it's going to be pretty similar to the on-prem data center: you have to worry about admins and developers as well as your users.

And then thinking about devices, this is where it gets a little mind-blowing. Enterprise is easy: we're talking laptops, mobile phones, things we can touch, things we can count. Throw in some printers, probably some IoT for facility maintenance, and you can eventually enumerate it all. When we're talking about data centers, we're talking about servers in racks, and there are, well, there should be, processes for buying new servers and how to get them in your building and installed. But they're big things; you're going to be able to keep track of them. Also, there's no physical server you're allowed to touch in infrastructure as a service, but virtual machines are really just servers without the hardware, and containers are kind of like virtual machines but they're just really locked down. So we started looking at these types of virtual assets, virtual machines and containers, as devices in this context, and we actually explicitly leave out end-user laptops and mobile phones, because we have no control over them. The general public, they bring what they bring, so those get no trust, and then we can think better about how we're going to trust these. The first version of the maturity model did not explicitly address virtual assets; it does in v2, so we're like, great, this is going to be exciting.

So this is what we did to build out our own framework, and while this is a very good slide to take a picture of, at the very end of the presentation there is the link for where these slides are available on GitHub, so you can go download your own copy and look at it straight on. So when we developed a framework, you know, seven easy steps: pick an environment; rewrite the maturity framework so that it works for your systems; write some questions to help you determine where different systems will match the levels for the pillars and functions; get everybody to fill it out; grade the questionnaire; give feedback on the questionnaire; and help them actually improve their zero trust maturity. That's it.

So we started with our most popular infrastructure as a service provider, mostly because even though there are a lot of options in the cloud, there's a finite number of services that one of these cloud service providers will give you, unlike your own data centers, where every team has chosen a different database and maybe a different operating system and it's going to be a lot less homogeneous. So we went with infrastructure as a service and that is where we got started.

I'm going to go through a couple of examples of specific pillars and functions and how we adjusted the levels and made them more specific. I don't actually expect you to be able to read this slide; each of the different parts is going to be available in the following slides. I started in identity because identity is so crucial to the foundation of zero trust. When we were talking about authentication, similar to what I mentioned a couple of slides ago, we realized that we want to look at authentication and identity stores differently for developers and our end users, because of what we can control versus what we can't. We also made a third category of authentication and identity stores for APIs, because they too have a different way of authenticating.

So CISA starts by recommending for your traditional level that maybe you use a username and password, maybe use some light multi-factor authentication, MFA, and that's all you really take into account when you authenticate somebody. Awesome, we're on board with this, let's do it. As you move into the initial phase, you want everyone to be using multi-factor authentication and you also want to start pulling in other attributes. This is where we started being able to get a little bit more specific, so we're able to say maybe your application can only be used if you are using SASE or a device signal is available. SASE, secure access service edge, is, don't tell Zscaler I said this, a fancy VPN, but it's a way to more specifically broker your network connections. As we move into advanced we only want phishing-resistant MFA available, so FIDO2, PIV, maybe moving towards a passwordless MF... well, passwordless MFA seems a little strange to think about, and we knew that we wanted to be incorporating more device-level signals or additional perf. And then here, well, we've already hit the max MFA, but we're continually looking at our authentication, and when, say, an attribute of a user changes, we re-evaluate the authentication. So, I don't know, let's say your IP address changes in the middle of your session. That's unusual, so we should just do a real quick authentication and make sure everything else is still the same.

Moving into devices, I want to highlight governance. Deploying MFA at any level can be a big lift; there's a lot of people to convince and you're going to have to buy some stuff. But one of the places that is easier to get started is around governance. Governance is basically what your policies are, how you decided on them and how you enforce them, so it's the whole thing. When we talked about devices we really started thinking about device lifecycle, and in this case we are talking about the device lifecycle of virtual machines and containers. So we were able to remove some of the language specific to physical devices. In another part, like, it says sanitize here; you don't sanitize a virtual machine that somebody else is running, you just delete it and the company does the right thing. And we also specifically called out digital assets in here.

As we move into initial we started setting some expectations. You need to have written down your device lifecycle plan. That is a great first step, because until you know the process you can't automate it, and that's the future steps. So you have a documented device lifecycle plan, you're implementing it manually, you're doing some sort of monitoring and scanning of your devices that is automated, say you're running a vulnerability scanner, you take that information and then you do something with it. And then we also called out routine patching. Initially you need to be doing at least monthly. And then we also have a large Organization, capital O, within our cloud service provider, and we have a team that supports making gold images, so you should start using those. As we move into advanced, your device lifecycle plan, we're starting to implement it automatically. This is where our infrastructure as code comes in, some of our CI/CD, continuous integration and continuous deployment, really comes in. We're using gold images everywhere, our routine patching now happens at least every two weeks, very strict, and then our systems are able to tell us when a device policy is out of line, because when you have a whole bunch of virtual machines and you've deployed them the same way and one of them looks weird, that's where you need to go look. And then in optimal everything's automated. We left routine patching at two weeks because that's our current expectation in our organization. And then not only are you able to know when something is not in compliance, you're also able to auto-remediate that device. That would probably look something like take it out of the pool for the application to use, and maybe snapshot it and keep it somewhere safe until somebody can look at it.

And then the last one I'll go through is data, data encryption. Version one of the maturity model actually in this section only talked about data at rest; in the network section, rather, they talked about data in transit, but it's all been combined into one here. So start pretty easy: you only encrypt some of your data at rest or in transit, and every team is doing something different about how they manage their keys, as long as they're not checking them into GitHub. And then moving into initial, your teams are encrypting all of your data at rest, all of it. In your infrastructure as a service, providers make it easy to encrypt things; even if you are just using their key encryption systems, it is better than leaving it unencrypted. And then we put a parameter here that we are encrypting all data in transit outside of the infrastructure as a service account, so anything that leaves our little perimeter has got to be encrypted, and we're starting to talk about how we're handling our keys, managing them and securing them. Moving into advanced, now we're encrypting all of the data at rest, all of the data in transit within and outside the accounts, and we have, like, real policies about how we handle our keys. And then at the end we start getting into encrypting our data in use. That's kind of the next frontier that we're seeing. It's still hard at this point, but I think it's going to start getting easier in the next few years. And then we're using similar processes enterprise-wide and we're doing really smart things with our keys.

So we're like, sweet, we've got this great maturity model, and we had so much fun making it, because we all really love talking about zero trust and security in general. So we're like, how do we find out what people's maturity is? I know, let's ask them. So we set up some meetings with a few teams that I knew better and I was like, hey, read these descriptions and tell us which one resonates with you. This wasn't scalable. Each conversation was taking two and a half hours, there were at least 100 teams we needed to talk to, and it was fun the first five times, but I could tell it was going to get tedious on our side. So we're like, we need to scale this. Also, if we were asking specific questions we'd get better answers that weren't so tied to "I want to get an A on this" or "I want to get an advanced or an optimal." So we decided to go with survey questions, but we can't call them surveys, because surveys sound optional. Within the federal government, when you want people to tell you things you make it a data call, and then they think you're serious and fill it out. So we initially came up with like 160 questions and we're like, yeah, nobody's going to answer that, so we got it down to 50.

Here are some examples. We explicitly asked them what multi-factor authentication methods are available, and they just tick them off, and then we can be like, okay, you're only using PIV and FIDO2, awesome, you're here; anything else is over here. Same with multi-factor authentication; that helps us differentiate between traditional and initial, although the secret is we had already done all of this work before the new model came out, so we're still grading it on traditional, advanced, optimal. Maybe next year. For devices, for governance, we focused on a device lifecycle plan and patching, and we're starting off real easy: do you have a device lifecycle plan, yes, no? No? That's a really easy area for you to improve in. For patching we asked a lot, we gave a lot more options, partially because I wanted to see what the range was, what are the options, and maybe we're able to stiffen up our maturity model.

So somehow we got a bunch of teams to fill this out. Now we need to tell them how they did and create some advice on how they can improve their zero trust maturity, because our application teams really want to do this. They want to be better, they know there's an executive order, they want to be compliant, so that's exciting, we need to harness this. So we made everybody a little chart: all of the pillars across the top, their functions down the side, each one got a score, traditional, advanced, optimal, and an overall score. We made them into numbers and then transferred them back. There were a few things that we didn't ask enough questions for, so they couldn't get scores for them, but that's on us, not them. And we also set the expectation that in order to increase your maturity for a specific pillar you just had to increase your maturity for any of the individual functions, and even though the overall letter might not change, we are still counting that as increased maturity. We also asked them to focus on getting from traditional to advanced to start, because a lot of the things in optimal are really hard and are going to require some investment. So everybody got one of those, and that's exciting.

And then we started looking at what information we need to put out. I looked at which functions have the most room for improvement by just using straight-up average scores: lowest ones, most room for improvement; highest ones, least room for improvement. Even though we're not writing guidance just yet on the ones that have the least room for improvement, I wanted to make sure that we gave ourselves kudos, like, look, this area is already doing great, we'll get back to it. And then we also wanted to keep in mind what are things that teams can do themselves and what are things that the team running the infrastructure as a service organization is going to need to do, because those are going to be longer-term problems, and we wanted some things that people could do now. Some of them are easy: write your device lifecycle policy down.

I also wanted to look at the areas that were the most different. My theory on that was, if there is a high variance in scores there's not enough guidance in that area of what we want them to be doing, and conversely, if there's a low variance it probably means that we already have a strong standard for that function, and that actually matches what came out of it. So we used just a simple standard deviation. I'm not a data scientist; if you are and have a better idea of how to measure this, and I can do it in a spreadsheet, let me know. One of the things that had the least variance was identity stores. Well, the top two were identity stores and authentication for developers, because we're using a third-party system to broker our infrastructure as a service login accounts, match it up with our internal Active Directory, and almost everybody's using it. So, sweet, for that one specifically we're like, are you using tool X to log in your developers? They're like, yes. Awesome, we don't need to answer any more questions, we already know how it's set up. And then we started putting these out on our internal documentation.

So first recap, to bring it full circle back to more baseball: you just need to pick your environment, tailor the model, create the questions, ask the questions, generate some scores, and you've got yourself a home run. So again, these were the longer seven steps that will probably be easier to use to explain to your co-workers what we did or what you might want to do for this.

And as a charge to inspire you: we ended up with some 40 functions across all five pillars. That's a lot of things to improve across a lot of applications, and some parts of zero trust take a lot of time. If you are going to be moving to passwordless authentication, which by the way is awesome, if you don't have a password how can it get phished, right? But that can take years to do. You need money, you need executive suite level support. Deploying continuous diagnostics and monitoring tools and endpoint detection and response on every device also takes a while. Fully micro-segmenting your network, great to do, also requires a lot of time and buy-in. Real-time risk analytics, a lot of time. Completely automated data inventory and tagging, oof, also more time. Have you seen the bills for any of the, like, infrastructure as a service machine learning tagging? You're going to need more money. But there are some things you can do now with what you have, and I firmly believe that incremental progress builds momentum.

So what is one thing that your organization can do to improve in each pillar? If you are using a centralized identity management service, encourage teams to turn on additional multi-factor authentication options, and then for the ones that have smaller user populations that you have more control over, maybe turn some of them off. Make sure everyone has a device lifecycle plan and an explicit patching cadence, with exceptions for very important things. Add encryption to data in transit within your infrastructure accounts. That could be researching some service mesh and mutual TLS options, and there are also instructions out there, I would assume for each of the major providers, to tell you how to encrypt your connections to their services, so like from your VMs to your database service, encrypt that too, keep your data safe. You're going to want to standardize expectations for static application security testing, and then make sure you have encryption for your data at rest in all your infrastructure as a service accounts.

I forgot a huge point, which was, you might have noticed I didn't ask any questions about encryption. That's because we're a federal agency and every quarter we have to tell our bosses how we're doing on that, so I could go look it up. So I didn't ask any questions; they don't have to remember. We also maybe use a tool from our infrastructure provider that helps us check our configurations to find out whether or not they're in compliance, so we can also see which ones are encrypted and which ones are not. Yeah, encrypt your stuff. It's standard now and pretty easy to do and isn't going to cost you a lot extra, so particularly your document store buckets that you could accidentally make public, because encrypted ones accidentally made public are way less of a breach than unencrypted ones.

So I have some time left, excellent. My contact information is up there. Unfortunately, in order to email me at my work accounts you have to figure out how to spell my last name; only my parents can email me. And then my slides are available on my GitHub, "eshwine dash usds decks," it's my only public repo right now. So, yeah, the slides that are up there I would not recommend using with a screen reader, but hopefully in the next couple of days I'll get those up. And now I will take questions until they play me off. Oh, so many hands. I'm going to go way in the back first. Yep.
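The scoring the talk describes, as an added Python example that is not part of the presentation or of CMS's spreadsheet tooling: numeric levels per function (traditional 1, advanced 2, optimal 3), a per-team chart with pillar and overall scores, straight averages across teams to find the functions with the most room for improvement, and standard deviation to find the functions with the least consistent answers. The questions, the rules that turn an answer into a level, the "weakest answer wins" aggregation and the team responses are all constructed for illustration.

```python
"""Score zero trust maturity data-call responses the way the talk describes.

Added example, not CMS's questionnaire or tooling. Questions, scoring rules
and team answers are constructed for illustration.
"""
from statistics import mean, pstdev

# Numeric levels as given in the Q&A: traditional 1, advanced 2, optimal 3.
LEVEL_NAME = {1: "traditional", 2: "advanced", 3: "optimal"}


def score_mfa(methods):
    """Which MFA methods are available? Only phishing-resistant ones
    (PIV, FIDO2) -> optimal; any MFA -> advanced; none -> traditional."""
    if not methods:
        return 1
    return 3 if set(methods) <= {"PIV", "FIDO2"} else 2


def score_identity_store(uses_central_broker):
    """Do developers log in through the central broker? (constructed rule)"""
    return 3 if uses_central_broker else 1


def score_lifecycle_plan(has_written_plan, automated):
    """No written plan -> traditional; documented but manual -> advanced;
    implemented automatically -> optimal."""
    if not has_written_plan:
        return 1
    return 3 if automated else 2


def score_patching(cadence_days):
    """Routine patching: at least every two weeks -> optimal, at least
    monthly -> advanced, slower or none -> traditional."""
    if cadence_days is None or cadence_days > 30:
        return 1
    return 3 if cadence_days <= 14 else 2


# question id -> (pillar, function, scoring rule); two questions feed governance
QUESTIONS = {
    "mfa_methods": ("identity", "authentication", score_mfa),
    "dev_login_broker": ("identity", "identity store", score_identity_store),
    "lifecycle_plan": ("devices", "governance", lambda a: score_lifecycle_plan(*a)),
    "patch_days": ("devices", "governance", score_patching),
}

# Constructed data-call responses from three hypothetical application teams.
TEAMS = {
    "claims-portal": {"mfa_methods": ["PIV", "TOTP"], "dev_login_broker": True,
                      "lifecycle_plan": (True, True), "patch_days": 14},
    "reporting-api": {"mfa_methods": ["PIV", "TOTP"], "dev_login_broker": True,
                      "lifecycle_plan": (True, False), "patch_days": 30},
    "legacy-batch": {"mfa_methods": [], "dev_login_broker": True,
                     "lifecycle_plan": (True, False), "patch_days": None},
}


def score_team(answers):
    """Return {(pillar, function): level} for one team. When several questions
    feed one function, the function gets its weakest answer (assumption)."""
    levels = {}
    for qid, answer in answers.items():
        pillar, function, rule = QUESTIONS[qid]
        key = (pillar, function)
        levels[key] = min(levels.get(key, 3), rule(answer))
    return levels


def team_report(answers):
    """The per-team chart: function levels, a score per pillar, an overall score."""
    levels = score_team(answers)
    by_pillar = {}
    for (pillar, _), level in levels.items():
        by_pillar.setdefault(pillar, []).append(level)
    return {
        "functions": {k: LEVEL_NAME[v] for k, v in levels.items()},
        "pillars": {p: round(mean(v), 2) for p, v in by_pillar.items()},
        "overall": round(mean(levels.values()), 2),
    }


def _levels_by_function(teams):
    cols = {}
    for answers in teams.values():
        for key, level in score_team(answers).items():
            cols.setdefault(key, []).append(level)
    return cols


def improvement_ranking(teams):
    """Straight average per function across teams, lowest first: the lowest
    averages have the most room for improvement."""
    cols = _levels_by_function(teams)
    return sorted(((k, round(mean(v), 2)) for k, v in cols.items()), key=lambda kv: kv[1])


def guidance_gaps(teams):
    """Population standard deviation per function, highest first: high variance
    suggests missing guidance, low variance an existing strong standard."""
    cols = _levels_by_function(teams)
    return sorted(((k, round(pstdev(v), 2)) for k, v in cols.items()), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for name, answers in TEAMS.items():
        print(name, team_report(answers))
    print("most room to improve:", improvement_ranking(TEAMS)[0])
    print("least consistent:", guidance_gaps(TEAMS)[0])
```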
Oh, that is a great question. So, I'm sorry, yes, that is a great question. The question was: you talk about the pillars and there are the three cross-cutting functions; how were you looking at visibility and analytics across all of the pillars? One of the things we did in specific was, the questions get repetitive real quick when you're like, are you logging X, how can you analyze X? So we actually made a separate, like, visibility and analytics section and then had people check off which areas they were looking at. So, are you doing it for your virtual machines and containers, are you doing it at your firewalls, are you doing it along the way? So that is how we handled that. I believe the next one was you, sir.
Did we use numerical scoring and visualization for executives? Yep. Did we weight things differently? So we did some numeric scores. Roughly, traditional was a one, advanced a two, optimal is three. For the new system we're going to push traditional down to zero, initial will be one. We haven't done a lot of reporting upwards, and we actually haven't done very much reporting across, like, across many projects, so we thought about doing a heat map but we kind of decided not to at this stage; we might in a future version. And we did give numerical scores for the overall pillar score. We also will graph it on a radar graph, so each radar graph has more than two axes, it'll have a kind of, like, a spider web, so you can get a better sense of, like, how much are you filling in. Make sense? Awesome. And then in the front.
Yeah, so the question was, for behavior analytics, which is a big part of how we do these things, for things like probably identity, are you... I mentioned one in specific, like location; are they also doing time of day and some other things? Right now all of that is being done in our identity systems. We only have a couple, so we haven't really looked at exactly what's going on there and how to make it better, partially because we need to do an upgrade, but also it's hard. And having come from a couple of different giant multinationals, what does time of day look like when somebody goes between the U.S. and Europe? A lot. It's a lot easier here, because almost all of our employees are in the greater Baltimore area. So we haven't gotten too much into the real analytics, because we don't have the right tools yet. Yeah. Sweet. In the vest.
Okay. Did I work with any other agencies in developing this, and are there any processes that are shareable? We haven't yet worked with other agencies, other than what I do in one of my side quests, but we are getting to that point now. So the Centers for Medicare and Medicaid Services falls under HHS. We have our own zero trust group, so I'm starting to talk to them, and CMS is one of the bigger agencies, some of them are pretty tiny, so I'm like, hey, let me double check, like, I will give you our process and tools. The tool was a spreadsheet with some other spreadsheets. So, yeah, that is our next step, talking about it more and figuring out what the best way to transfer that knowledge is, and then we'll do it for more infrastructure as a service providers, because we've got two cloud providers and it's going to be a fun time.
Yes. So the question was, when you were coming up with the questionnaire, are you also working with auditors to confirm these answers? That is our end goal, particularly with the cloud. The cloud providers write down everything you do so they can charge you for it, so we should be using that data, and that is our goal, our end goal, to make sure that we are collecting it and can calculate it. But we did need to do it by hand first. So, yeah, that's going to be very exciting. We did work with a survey design... well, a designer who also knew something about survey design, which was actually really great for, like, mediating conflict between the different security experts about what we should ask, and making sure that our sentences were understandable by people who aren't really into zero trust. Anything else? I think we might be almost out of time.
Yeah. What are one or two things that are slowing people down in progressing in their maturity? I mean, the biggest one, I think, particularly because we're a federal agency, is going to be money. A lot of these things cost money, and the budget for 2024 is already set, so I hope we thought of this a couple of months ago. The other biggest thing is just knowing what to do and having somebody else help prioritize it. So one of our bigger systems had an external contractor come in and do a similar type of assessment, and I'm like, that's great, because they need somebody who can really, like, sit and look and talk to them, and this can give you an overall picture and be able to point out, like, here, start here, put it in this quarter's roadmap, put some other things in the next quarter, and we will do our part and get our cloud organization to do some of the heavy lifting. Awesome. Okay, there are zero trust maturity stickers up front. Happy to talk. If you would like a physical copy of my contact information I can do that too. Thank you so much and enjoy the rest of your day.

[Applause]