What It Will Take for NIST, CISA and OMB to Align on Zero Trust
Establishing a successful zero-trust architecture without implementing integrity monitoring is not possible.
At first glance, the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model and the Office of Management and Budget’s published memo titled “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles” appear to align with the National Institute of Standards and Technology’s guidance in establishing a zero-trust architecture. However, a closer look at how each document prioritizes integrity creates confusion. While both acknowledge integrity monitoring in their guidance, neither fully embraces integrity in keeping with NIST’s designation of it as a “tenet.”
For federal authorities to align on a recommended approach to building and maintaining zero trust architectures, they must evolve their perspective on integrity, starting with NIST. Integrity is not just a “tenet” of zero trust; it must be the very foundation of every zero-trust architecture. This evolution can only take place with a clearer understanding of integrity’s role in today’s enterprise computing environment.
The Role of Integrity
According to NIST, “[Zero trust] is not a single architecture but a set of guiding principles for workflow, system design and operations.” NIST refers to these principles as the “tenets” of zero trust, and calls out the need for integrity monitoring as one of them in SP 800-207: “[t]he enterprise monitors and measures the integrity and security posture of all owned and associated assets.” To understand the role that integrity plays in zero trust, we first need to better understand the term.
I think my colleague, Maurice Uenuma, explains it best when he says, “Integrity is both an organizing concept, as well as a more specific set of technical security controls, such as integrity monitoring, secure configuration management, etc.” Similarly, “risk management” is both a security concept as well as a specific set of tools or applications that mitigate risk. The term “integrity” can be used in the same way.
When we consider the role of integrity in the context of zero trust, it's important first to understand it as a concept, because whether or not we are able to identify the threats, reduce vulnerabilities or affect potential adversary behavior through deterrence, we need to be able to maintain a state of trustworthiness. Fundamentally, integrity is about ensuring and maintaining a known, trusted state. Applying integrity-based security controls should be viewed as the means by which we achieve and maintain that trusted state.
“Tenet” vs. “Foundation”
Integrity as a “tenet” or guiding principle of zero-trust architecture equates to the need to assess the integrity of everything in your environment. When applied, it is termed “integrity monitoring” or “change detection,” which federal authorities, for the most part, support. Keep in mind that change in any environment is inevitable, but how that change is managed against the need to maintain system integrity is highly indicative of an organization’s security posture. Change isn’t inherently good or bad, but it should be viewed in the context of authorized or unauthorized, and specifically evaluated for its impact on the integrity of a given system. Zero trust is one of those systems.
Simply put, establishing a successful zero-trust architecture without implementing integrity monitoring is not possible.
How Federal Authorities Address Integrity
As a result of the administration’s effort to drive implementation of zero trust throughout the federal government with Executive Order 14028, federal authorities such as CISA and OMB drafted meaningful guidance for organizations to better understand their zero-trust maturity. With the initial guidance released for public comment, industry had an opportunity to weigh in, which resulted in the following observations, from my perspective, on the importance of integrity.
While CISA acknowledges integrity by including the NIST tenets in its Zero Trust Maturity Model document, it does not fully embrace the meaning of the tenet in the maturity model itself. For example:
- The model’s Identity Pillar should explicitly include integrity monitoring for the identity provider configurations and the configurations of user access. With access configurations as a focal point for zero trust, these tools become the primary target for attackers. One cannot successfully deploy a zero-trust identity system without integrity monitoring.
- The model’s Device Pillar should include the functions of Security Posture and Change Management. These two functions are insufficiently discussed in the other functions, but are a core tenet of zero trust, particularly as they relate to devices.
- The model’s Network/Environment Pillar focuses only on the functions of the network in relation to zero trust, and does not address the need to secure the devices responsible for that function.
The OMB published memorandum does not similarly emphasize the role of integrity monitoring in zero trust. Integrity is only mentioned in reference to encrypting DNS traffic and validating log files.
In order for federal authorities to align on an agency’s best approach to zero trust, they must evolve their perspective on integrity. It cannot be viewed as it once was, simply as a component of the CIA Triad or a compliance tool that monitors file integrity. Integrity must be viewed as the basis for trust and the foundation of cybersecurity within an organization, especially in a zero-trust environment. All zero-trust guidance provided to agencies must highlight the importance of continually assessing the integrity of the architecture itself in order for a system to be considered trustworthy.
Tim Erlin is vice president of strategy for Tripwire.