CISA Seeks Industry Input on Applying Zero Trust Principles to Enterprise Mobility

Published: March 10, 2022


The lead federal cybersecurity agency offers ways that available mobile security tools can be applied to achieve agency zero trust goals.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released a draft publication, Applying Zero Trust Principles to Enterprise Mobility, its latest effort to support federal agencies and other organizations in their transition toward zero trust (ZT), specifically for secure mobility. The CISA publication comes just weeks after a late January memorandum from the Office of Management and Budget (OMB), which put federal agencies on the path to zero trust cybersecurity by the end of fiscal year (FY) 2024. Per OMB, agencies will need to fund their zero trust efforts internally or seek Technology Modernization Fund (TMF) help until the FY 2024 budget cycle.

Both the latest CISA publication and the OMB directive build upon provisions in the White House’s May 2021 Cybersecurity Executive Order 14028, which gave agencies 60 days to develop their plans for implementing zero trust architectures (ZTA).

Applying Zero Trust Principles to Enterprise Mobility

CISA released its zero trust maturity model last September, structured around five complementary areas of effort (pillars) – Identity, Devices, Networks, Applications and Workloads, and Data – and three cross-cutting themes – Visibility and Analytics, Automation and Orchestration, and Governance.

In this latest document, CISA notes that while it outlines both ZTA principles and currently available mobile security technologies and techniques, “these are high-level and are offered to convey how these available mobile security tools can be applied towards organizational ZT goals. Hence the material presented is not intended to be an implementation guide for either ZT or Enterprise Mobility.” Nevertheless, the high-level guidance does provide some “handles” that agencies may grasp in their pursuit of ZT for mobility.

One helpful element that CISA includes is a Mobile Security Capability Mapping, which presents how existing mobile security technologies can be applied within CISA’s five ZT pillars and can advance the three cross-cutting ZT capabilities. CISA’s mapping includes:

  • Identity: Identity provisioning for mobile device users relies on an enterprise’s Identity, Credential, and Access Management (ICAM) system(s). Mobile devices allow for multi-factor authentication (MFA). Mobile Device Management (MDM) functions can enforce role-based access control and attribute-based access control. Access to data may be based on security policy and the sensitivity level mandated by the source (data owner). Continuous authentication may also be mandated by the data owner, based on the level of persistence of the access session.
  • Devices: Appropriately configured mobile devices inherently comply with most of these principles. Real-time attestation is facilitated by the use of Mobile Threat Defense (MTD) solutions, which may rely on the device’s Trusted Platform Module (TPM), Secure Element and/or its Trusted Execution Environment (TEE) technology. Real-time attestation may be usage-dependent. There should be considerations for the disconnected state.
  • Networks: Per-app Virtual Private Networks (VPNs) may be enabled on a mobile device. Always-on VPNs are device-to-site rather than device-to-apps or data, and do not align with ZT concepts to prevent lateral movement. Hardware isolation and apps/data containerization facilitate needed segmentation. Certificate-based traffic encryption is available through mobile operating systems. Controlled privileged access would be app-dependent.
  • Applications and Workloads: Mobile apps are generally containerized (microsegmented) and are restricted to only authorized data sharing. Mobile Application Management (MAM) systems and app store approvals mandate security during app development. Mobile App Vetting (MAV) security testing solutions may be configured to check that both enterprise-developed apps and apps available through operating system (OS) vendor app stores comply with organizational policies, including protections against supply chain vulnerabilities.
  • Data: Mobile devices by default enforce encryption of data at rest and in transit for management control. Enterprise apps that are thin clients may have less restrictive control of the on-device data; however, Enterprise Mobility Management (EMM) mobile content management features may still provide sufficient protection. Data tagging and Data Loss Prevention (DLP) techniques may present challenges that are not specific to mobile devices.
  • Visibility and Analytics: Mobile visibility is limited by the device’s network connectivity. Therefore, EMM agents are installed to report back device security posture/policy compliance status and other needed information. An MTD agent may be configured to log a set of events; upon the resumption of network connectivity, log data may be transferred to an MDM and/or another logging server for further analysis.
  • Automation and Orchestration: MTDs provide a level of automation of security control actions that may be coordinated with an EMM for enforcement. Limitations are a function of the level of integration between an EMM and external Security Information and Event Management (SIEM) systems.
  • Governance: EMMs and MTDs are key to enforcing technical policies including data protection. MAMs and MAVs can be configured to adapt to organization-specific policies for development and test and evaluation processes.

CISA concludes that this mapping can be used as guidance for conducting an enterprise maturity assessment and developing an agency-specific roadmap for reaching a desired state of ZT.

According to CISA’s announcement, the public comment period for this publication will close April 18, 2022.