Apr 14 2023

How Many Zero Trust Pillars Are There, Really (and Where to Start)?

The number doesn’t matter as much as the ones agencies choose to use.

The number of pillars in a zero-trust security model varies depending on whom you ask, with federal guidance asserting there are five and industry as many as seven.

The second version of the Zero Trust Maturity Model released by the Cybersecurity and Infrastructure Security Agency on April 11 lists five pillars:

  1. Identity
  2. Devices
  3. Networks
  4. Applications and Workloads
  5. Data

However, the ZTMM also identifies three “cross-cutting capabilities,” the first two of which some companies consider zero-trust pillars, which would bring the total to seven.

  1. Visibility and Analytics
  2. Automation and Orchestration
  3. Governance

Considering that the number of pillars isn’t even agreed upon, it’s understandable that some federal IT and cyber leaders lack confidence in their agencies’ ability to assess the security requirements for every zero-trust pillar. In the end, though, security experts say the number of pillars isn’t as important as settling on the ones an agency will use.

“You have to decide, ‘Am I in the five-pillar camp of zero trust, or am I in the seven-pillar camp of zero trust?’” said retired Air Force Maj. Gen. Earl Matthews, vice president of strategy at Mandiant, at the Rocky Mountain Cyberspace Symposium in February. “It doesn’t matter if one is better than the other. Pick which pillars of trust you’re going to implement, and then stick to that as you go along.”

When It Comes to Zero-Trust Pillars, Less Is More

The beauty of CISA’s ZTMM is that agencies aren’t expected to achieve dynamic or real-time zero trust for every pillar, says Jim Richberg, public sector CISO and vice president of information security at Fortinet.

Instead, agencies determine their needs based on their missions and assets.

“I'm always a less-is-more guy,” Richberg says. “The fewer variables and priorities I have to keep track of, the better.”

There’s a temptation to separate compute resources within their own pillar, but that just overcomplicates things for agencies. Zero trust is about cyber resilience — absorbing attacks and limiting their ability to spread — not perfection, Richberg adds.


Identity Is the First Pillar for a Reason

It isn’t an accident that identity is furthest to the left in CISA’s diagram of the ZTMM.

“It's pillar one for a reason, and typically it's because nothing happens until somebody requests access to a piece of data,” says Sean Frazier, federal chief security officer at Okta. “When you request access to a piece of data, you've got to log in to something, so it's super important.”

An agency that can’t validate the users and devices on its network can’t secure operations.

The government finds itself at an inflection point: Having spent the past 20 years validating identities with Common Access Cards and Personal Identity Verification cards, it is now in the process of modernizing. That dovetails nicely with zero-trust security, which aims to let any user access any data anywhere — provided they have permission, Frazier says.

A decade ago, federal employees largely came into the office, plugged their PIV card into their computers and did their work. Today, the “new world order” sees them accessing their agency’s network from home, airplanes or the corner coffee shop, Frazier says.

“Most of the times when the bad guys get in, it’s because they've done something where they’ve gotten someone’s credential. Either they guessed someone’s password or they bought someone’s password in a big database of passwords,” he adds. “One of the things that the identity pillar of zero trust shores up is making sure you’re using strong, phishing-resistant multifactor authentication.”

A bigger challenge for agencies is figuring out how to adapt their existing identity, credential and access management, he adds. The National Institute of Standards and Technology is currently working on its draft Digital Identity Guidelines, which will align existing ICAM with modern Fast Identity Online 2 (FIDO2) and WebAuthn authentication standards.

Identity proofing presents a good starting point for modernization because the in-person PIV card issuance process doesn’t lend itself to the current economy, Frazier says.

“Are you going to fly that person to D.C. to go through that process, or can they do it remotely from, say, Minneapolis?” he asks.

As for authentication, a strong single sign-on must be ubiquitous across applications — no matter how many an agency has, Frazier says.


Start Thinking of ICAM as Critical Infrastructure (Because It Is)

Agencies have started to consider ICAM solutions as critical infrastructure, which requires a higher assurance level. That’s why companies like Okta began pursuing the Federal Risk and Authorization Management Program’s high impact level authorization — the level for protecting the government’s most sensitive unclassified data in cloud environments — an authorization Okta obtained in March.

The reason for the critical infrastructure designation is twofold, Frazier says.

First, an agency’s ICAM solution is essentially its “front door,” the first line of defense against attackers, he says. While getting through the front door won’t grant an attacker unfettered access to all of the agency’s data, it will make it a lot easier for them to navigate the network.

Second, the ICAM solution is a user’s first interaction with an agency’s service, and that customer experience should be a secure, crisp two clicks in 10 seconds, Frazier says.


Other Zero-Trust Pillars Still Matter

Because agencies are on different technology migration and update paths, there’s no one-size-fits-all approach to addressing other zero-trust pillars, but it still needs to happen, Richberg says.

CISA’s ZTMM is handy because it presents agencies with three stages of maturity for each pillar: initial, advanced and optimal (or, as Richberg refers to them, crawl, walk and run). Flagging the pillars where an agency is least mature might help it realize it needs to prioritize data security, even if that wasn’t on the agency’s modernization roadmap.

Agencies also need to recognize that achieving optimal maturity might not be necessary for every pillar, depending on the mission, Richberg says.

“You’ve got to figure out, ‘What are my assets that I care about? What are the risks to them?’” he says. “And they may point you in the direction of one pillar more than the others.”


Don’t Reinvent the Wheel: Deploy Solutions Addressing Multiple Pillars

Frazier expects the bulk of agencies’ work to implement their zero-trust architectures will occur in the next year, even if it’s mostly focused on the identity pillar. Already this year, agencies are pushing back on deadlines they perceive to be aggressive, which is why he encourages them to determine whether they have existing technologies in place that work within a zero-trust framework.

Additionally, Richberg recommends agencies identify where a single technology procurement might help them make progress on multiple pillars.

“Increasingly in security, new devices are not only more powerful, they frequently do the functions of multiple legacy devices,” Richberg says. “You may be able to buy one thing that does both identity management and access control, and some network segmentation too. That's a smarter way to spend money.”

Regardless of the approach agencies take, integrating multiple solutions into a zero-trust architecture won’t be easy, Frazier says.

Agencies need to pick a technology partner, whether an integrator or another type of company, that will embark on their zero-trust journey with them.

“Look for the people who will roll their sleeves up and not try to sell you something but actually just work with you to make sure you have a mapped-out journey,” Frazier says. “Because you're not going to be able to wave a wand and, all of a sudden, magically your entire infrastructure is modernizing.”
