Registration required: October 12, 2023, 7:00 pm – 9:00 pm Pacific Time
Your roundtable speakers:
Topic Summary:
Did you hear what happened in cybersecurity and Identity Access Management these last four weeks? Why do these events keep happening? (For example: Okta Cross-Tenant Impersonation Attacks) Who will AI and ChatGPT/FraudGPT help more, us, or the hackers?
Can CISA keep up? https://www.cisa.gov/
This week’s release of Identity and Access Management Recommended Best Practices for Administrators (defense.gov) barely addressed ZTA requirements. The document is good, but aside from its reference to phishing resistance, following it alone would not meet the Advanced or Optimal capabilities of the CISA Zero Trust Maturity Model’s Identity pillar.
What you can expect from our table:
Sean and Robin speaking about the CCM Working Group’s recent mapping between CISA’s Zero Trust Maturity Model and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). Do the current assessments even measure the right things?
Asking Tim Prendergast how emerging companies rethink their enterprise architecture.
Asking Sean Cordero what mid and large enterprises are doing to remain out in front and competitive, speaking specifically about some of the Zscaler solutions.
Asking Garret Grajek if attestations should even allow manual review for access management.
Asking Robin Basham how we lead exercises to advance the way we use ZTA maturity models to measure what didn’t exist when our current assessments were last released. Asking Garret, Tim and Sean to chime in about their experiences working with standards organizations and how far behind they all have been.
Do you have everything you need to achieve these milestones of IAM ZTA maturity?
Identity – Authentication – Advanced
Agency begins to authenticate all identity using phishing-resistant MFA and attributes, including initial implementation of password-less MFA via FIDO2 or PIV.
- Reference: FIDO2 is a set of protocols developed in collaboration by the Fast IDentity Online (FIDO) Alliance and the World Wide Web Consortium (W3C). FIDO2 is designed to enable easy, secure, passwordless authentication. This approach combines W3C’s WebAuthn protocol (browser to relying party) with the FIDO Alliance’s Client to Authenticator Protocol (CTAP) (browser to authenticator).
- FIDO Alliance. FIDO Alliance – Open Authentication Standards More Secure than Passwords. https://fidoalliance.org/.
- World Wide Web Consortium. Web Authentication: An API for accessing Public Key Credentials. https://www.w3.org/TR/2021/REC-webauthn-2-20210408/.
- FIDO Alliance. Client to Authenticator Protocol. Proposed Standard, June 2021. https://fidoalliance.org/specs/fido-v2.1-ps-20210615/fido-client-to-authenticator-protocol-v2.1-ps-errata-20220621.html.
- Reference: Personal Identity Verification. A PIV credential is a U.S. federal government-wide credential used to access federally controlled facilities and information systems at the appropriate security level. https://playbooks.idmanagement.gov/piv/.
Identity – Identity Stores – Advanced
Agency begins to securely consolidate and integrate some self-managed and hosted identity stores.
Identity – Risk Assessments – Advanced
Agency determines identity risk with some automated analysis and dynamic rules to inform access decisions and response activities.
Identity – Access Management – Advanced
Agency authorizes need-based and session-based access, including for privileged access request, that is tailored to actions and resources.
Identity – Visibility and Analytics Capability – Advanced
Agency performs automated analysis across some user and entity activity log types and augments collection to address gaps in visibility.
Identity – Automation and Orchestration Capability – Advanced
Agency manually orchestrates privileged user identities and automates orchestration of all identities with integration across all environments.
Identity – Governance Capability – Advanced
Agency implements identity policies for enterprise-wide enforcement with automation and updates policies periodically.
CISA’s Zero Trust Maturity Model Version 2.0
CISA’s Zero Trust Maturity Model is one of many roadmaps that agencies can reference as they transition towards a zero trust architecture. The maturity model aims to assist agencies in the development of zero trust strategies and implementation plans and to present ways in which various CISA services can support zero trust solutions across agencies.
The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. Within each pillar, the maturity model provides specific examples of traditional, initial, advanced, and optimal zero trust architectures.
Version 1.0 of the ZTMM opened for public comment in September 2021. The Response to Comments for Zero Trust Maturity Model summarizes the comments and modifications in response to version 1.0 feedback.
Version 2.0 incorporates alignment to OMB M-22-09, published in January 2022.