Prioritising a Zero Trust Journey Using CIS Controls v8

Kathleen Moriarty

The Center for Internet Security (CIS) recently published an updated version of the CIS Controls. CIS Controls v8 helps organisations break the zero trust journey down into achievable steps that are prioritised in a meaningful way.


Zero trust improves the security of IT environments as demonstrated over time by reduced attacker dwell time. The challenge many people face is understanding where to begin.

If you look at a particular vendor’s zero trust-aligned products, you may think of zero trust as being specific to their product set, whether it be identity and access management, microservices, or some other technology-specific solution. Zero trust has evolved, however, and the best description of it today, in my opinion, is the NIST Special Publication 800-207 on Zero Trust Architecture:

An operative definition of zero trust and zero trust architecture is as follows:
Zero trust (ZT) provides a collection of concepts and ideas designed to minimise uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that utilises zero trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.

Zero trust architectures are not only comprehensive, but also granular. We’ve moved from the zero trust definitions of a decade ago, which provided isolation between applications using network controls, to a model where isolation is applied at the component level within an application. Additionally, all of the tenets of zero trust apply at that granular level.
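To make the NIST definition concrete, the following is an added example (not code from the article, from NIST, or from CIS) of a per-request, default-deny access decision of the kind a zero trust policy enforcement point makes at the component level. The request fields, the policy shape and the sample policy set are assumptions chosen for illustration; a real deployment would take identity and device posture from an identity provider and an endpoint agent rather than from fields on the request.

```python
"""Per-request, least-privilege access decision (added illustration).

Each request is evaluated on its own merits: no session-wide trust is
carried over, the default outcome is deny, and a grant requires a policy
that matches the resource, the action, the caller's role and the posture
of the calling device. All names and sample data here are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class AccessRequest:
    subject: str             # authenticated identity making the request
    roles: FrozenSet[str]    # roles asserted for that identity
    device_compliant: bool   # result of the device posture check
    resource: str            # component being accessed, e.g. "orders-db"
    action: str              # operation requested, e.g. "read"


@dataclass(frozen=True)
class Policy:
    resource: str
    action: str
    allowed_roles: FrozenSet[str]
    require_compliant_device: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed sample policy set: one internal service may read and write the
# orders database; analysts may only read reports. Nothing else is granted.
SAMPLE_POLICIES: List[Policy] = [
    Policy("orders-db", "read", frozenset({"order-service"})),
    Policy("orders-db", "write", frozenset({"order-service"})),
    Policy("reports", "read", frozenset({"analyst"})),
]


def decide(request: AccessRequest, policies: List[Policy]) -> Decision:
    """Evaluate a single request against the policy set, defaulting to deny."""
    reasons: List[str] = []
    for policy in policies:
        # Only policies for this exact resource and action are considered.
        if (policy.resource, policy.action) != (request.resource, request.action):
            continue
        if not request.roles & policy.allowed_roles:
            reasons.append("role not permitted for this action")
            continue
        if policy.require_compliant_device and not request.device_compliant:
            reasons.append("device failed posture check")
            continue
        # Every condition of this policy holds for this one request.
        return Decision(True, f"matched policy {request.resource}:{request.action}")
    # No policy granted the request: least privilege means deny.
    return Decision(False, "; ".join(reasons) or "no matching policy (default deny)")


if __name__ == "__main__":
    samples = [
        AccessRequest("svc-order", frozenset({"order-service"}), True, "orders-db", "read"),
        AccessRequest("svc-order", frozenset({"order-service"}), False, "orders-db", "write"),
        AccessRequest("alice", frozenset({"analyst"}), True, "orders-db", "read"),
        AccessRequest("alice", frozenset({"analyst"}), True, "billing-db", "read"),
    ]
    for req in samples:
        d = decide(req, SAMPLE_POLICIES)
        print(f"{req.subject:10} {req.action:5} {req.resource:10} -> "
              f"{'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The design point is that the decision function has no memory: the same service is re-evaluated for its write request and is refused because the device posture check failed, even though its read request a moment earlier was allowed. That is the per-request, least-privilege behaviour the NIST definition calls for.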

Zero Trust: Moving Security in the Right Direction

The pervasiveness of zero trust may seem overwhelming, for two reasons. First, if I can’t manage what I have today, how do I support zero trust? And second, how do I begin a zero trust journey?

The good news is that zero trust gives us a pivot point. We are transitioning to a new architectural model that positions security controls and management at the endpoint. Due to the use of pervasive encryption, we have an opportunity to build in security with management patterns that scale. Vendors following zero trust will provide an assurance that their products and the modules in their products meet expectations and are automatically verifiable. While this is not available today, zero trust is moving security in this direction.

Easier Detection of Unexpected Behaviours

This type of transformation builds in security and provides an opportunity for organisations to select a scalable model that reduces resource needs. If security is built in by the vendor and verified automatically, we can also begin to shift to allow list approaches that enable easier detection of unexpected behaviours. In other words, allow list approaches let you both prevent and detect attacks, rather than relying on products that compare artefacts and behaviours to known bad lists or deny lists after the fact.
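The difference between the two approaches is easiest to see over a handful of events. The following is an added example, not code from the article or from CIS: the same constructed process-start events are checked once against a deny list of known-bad hashes and once against an allow list of expected binaries. The event format, paths and hash values are constructed placeholders, not real indicators.

```python
"""Deny-list versus allow-list detection over constructed process events.

Added illustration; everything below (event shape, paths, hash strings,
list contents) is constructed for the example and is not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str    # path of the executable that started
    sha256: str   # hash of that executable (constructed placeholder values)


# Constructed allow list: the binaries, and the exact hashes, we expect to run.
ALLOW_LIST: Dict[str, str] = {
    "/usr/sbin/sshd": "sha256:expected-sshd",
    "/usr/sbin/nginx": "sha256:expected-nginx",
}

# Constructed deny list: hashes of artefacts someone has already reported as bad.
DENY_LIST: Set[str] = {"sha256:reported-bad"}

# Constructed sample events: two expected, one known-bad, one never-seen-before
# tool, and one expected path whose binary no longer matches its expected hash.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("web01", "/usr/sbin/sshd", "sha256:expected-sshd"),
    ProcessEvent("web01", "/usr/sbin/nginx", "sha256:expected-nginx"),
    ProcessEvent("web01", "/tmp/known-bad.bin", "sha256:reported-bad"),
    ProcessEvent("web01", "/tmp/novel-tool", "sha256:never-seen"),
    ProcessEvent("web02", "/usr/sbin/sshd", "sha256:unexpected-build"),
]


def deny_list_alerts(events: List[ProcessEvent]) -> List[str]:
    """Flag only what is already known to be bad; everything else passes."""
    return [e.image for e in events if e.sha256 in DENY_LIST]


def allow_list_alerts(events: List[ProcessEvent]) -> List[str]:
    """Flag anything that is not an expected binary with its expected hash.

    A novel tool and a tampered copy of an expected binary both surface,
    because neither matches what the environment is supposed to look like.
    """
    alerts = []
    for e in events:
        if ALLOW_LIST.get(e.image) != e.sha256:
            alerts.append(e.image)
    return alerts


if __name__ == "__main__":
    print("deny list flags :", deny_list_alerts(SAMPLE_EVENTS))
    print("allow list flags:", allow_list_alerts(SAMPLE_EVENTS))
```

Over these five events the deny list raises one alert, for the artefact that was already reported, while the allow list raises three: the known-bad file, the tool nobody has catalogued yet, and the `sshd` whose hash no longer matches the expected build. The allow list needs no prior knowledge of the attack; it only needs an accurate picture of what should be running, which is exactly the management problem the article says vendors and consumers need to make scalable.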

This transition is supported by the recent Cybersecurity Executive Order published in May 2021. It will take time, but it can happen. A focus on how to scale management should be a consideration for vendors and consumers in their product selection as we make this transition. While that’s great, it sounds far off. What can organisations do today?

Prioritise Initiatives with CIS Controls v8 on Your Zero Trust Journey

The Center for Internet Security (CIS) recently published an updated version of the CIS Controls (version 8). This new version refined previous recommendations. It adjusted the prioritisation of some Controls and Safeguards based on expert consensus, validated against current threats, so that they have the most impact in reducing risk.

Within each of the 18 Controls, there is a set of Safeguards. The Safeguards comprise the more fine-grained recommendations to address the associated threats for that Control. Each Safeguard is categorised into one of three Implementation Groups (IGs), providing the prioritised recommendations that span the 18 CIS Controls. Controls v8 supports a zero trust architecture, while also aligning to the recommendations for built-in security, pervasive encryption, allow-list functionality, and supply chain security risk reduction called out specifically in the Cybersecurity Executive Order published in May 2021.

A Great Starting Point for Your Zero Trust Journey

If you are looking for a starting point on your zero trust journey, consider using the CIS Controls v8 to prioritise your journey and have the greatest impact on risk reduction based on current threats. By breaking the journey down into achievable steps, an organisation can make progress in the journey while being assured that the steps taken are prioritised in a meaningful way.

The CIS Community Defense Model process to validate the Controls and Safeguards prioritisation found that IG1 addresses the top five attacks from the Verizon Data Breach Report. The prioritisation is based on a complex assessment of threats from numerous breach reports. This includes Multi-State Information Sharing and Analysis Center (MS-ISAC) data.

CIS Controls v8 Mapping to NIST SP 800-207 Zero Trust Tenets

The chart included below describes the mapping of CIS Controls v8 as they align to the NIST SP 800-207 Zero Trust Tenets.

About the author

Kathleen Moriarty, technology strategist and board advisor, helping companies lead through disruption. Adjunct Professor at Georgetown SCS, also offering two corporate courses on Security Architecture and Architecture for the SMB Market. Formerly as the Chief Technology Officer, Center for Internet Security Kathleen defined and led the technology strategy, integrating emerging technologies. Prior to CIS, Kathleen held a range of positions over 13 years at Dell Technologies, including the Security Innovations Principal in Dell Technologies Office of the CTO and Global Lead Security Architect for EMC Office of the CTO working on ecosystems, standards, risk management and strategy. In her early days with RSA/EMC, she led consulting engagements interfacing with hundreds of organisations on security and risk management, gaining valuable insights, managing risk to business needs. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS. Keynote speaker, podcast guest, frequent blogger bridging a translation gap for technical content, conference committee member, and quoted on publications such as CNBC and Wired. Kathleen achieved over twenty five years of experience driving positive outcomes across Information Technology Leadership, short and long-term IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. 
Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as, a Bachelor of Science Degree in Mathematics from Siena College. Published Work: - Transforming Information Security: Optimizing Five Concurrent Trends to Reduce Resource Drain, July 2020.
