Page 27 - Cyber Defense eMagazine September 2022
Zero Trust Momentum
Seventy-six percent of respondents reported their agency had a formal zero trust plan in place or in the
works. Two-thirds said they will meet federal zero trust requirements on time or ahead of the fiscal year
(FY) 2024 deadline; another 21 percent will come close to meeting the requirements by then.
Approximately half of the respondents are building their zero trust implementation using CISA’s Zero
Trust Maturity Model, a roadmap to assist agencies in the development of their zero trust strategies and
implementation plans. This model is built around five core pillars: identity, device, network, application
workload, and data.
Using the pillars in the maturity model as a framework to assess maturity levels, most respondents
reported that they are currently at either a traditional or an advanced maturity level; few have reached the
optimal level. Respondents are most mature in the data and identity pillars. Nearly all said their top future
investment priorities are device protection (92 percent) and cloud services (90 percent). Six in ten believe
they will be able to continuously run device posture assessments (e.g., using endpoint detection and
response tools) by the end of FY24.
Zero Trust Misconceptions
The survey results also identified some misconceptions about the benefits of zero trust, pointing to the
need for continued education about the concept and its implementation. For example, respondents said
the top benefit (57 percent) of a zero trust approach is that the right users have the right access to the
right resources at the right time, but only one quarter said granular data protection at rest and in transit
is a top benefit. In order to provide the right access to data and applications at the right time, agencies
must coordinate with internal stakeholders, other agencies, and non-governmental organizations to
provide the access that employees need. A granular data protection scheme is required.
Furthermore, fewer than half (42 percent) of respondents said a top benefit of zero trust is a reduction in the
cyberattack surface. This is surprising, and it seems to reflect a fundamental misunderstanding of the
zero trust concept: Because users are only granted access to the applications and data they need, the
impact of any breach is limited. Essentially, micro-perimeters are created around each user’s resources;
attackers can only go so far.
Zero Trust Implementation Challenges
The survey also highlighted hurdles in the zero trust journey. More than half (58 percent) of respondents
said the biggest challenge to implementing zero trust is that existing legacy infrastructures must be rebuilt
or replaced. Many of these legacy systems rely on implicit trust, which allows bad actors to gain broad
access to agency systems following a breach.
Perhaps not surprisingly, 46 percent said costs are a concern. Replacing legacy systems will require
significant investment. At the same time, half of respondents said they are having trouble identifying what
technologies they need. This suggests that IT teams are not always collaborating closely with program