As part of the race, cloud adoption has continued to accelerate across the enterprise. But despite its growth, the trends show many IT and security leaders are still not confident in their organization’s ability to ensure secure cloud access due to ever-evolving cybersecurity risks. 

The anxieties over ransomware threats are so high that 74% of IT decision-makers believe ransomware should be considered a matter of national security. While GuidePoint Research and Intelligence Team’s (GRIT) newly released quarterly ransomware threat report — which revealed ransomware victims decreased by 34% in Q2 from Q1 — might look like a reprieve, it doesn’t reduce the threat of the rising ransomware-as-a-service (RaaS) sector by any means.

In Sophos’ State of Ransomware 2022 Report, 60% of organizations were victims of ransomware attacks last year. The reality is apparent: Ransomware is still cybersecurity’s biggest challenge.

As the enterprise continues to get hit by ransomware attacks with increasing complexities, the Cybersecurity and Infrastructure Security Agency (CISA) has announced plans to release a new version of its Zero Trust Maturity Model. 

Ahead of its slated summer release date, Eric Goldstein, CISA’s executive assistant director for cybersecurity, detailed the Zero Trust Maturity Model 2.0 document. Goldstein told VentureBeat that zero trust is so crucial because adversaries are evolving daily, and warned that any assumptions perimeter defenses would withstand attacks won’t succeed.

Zero trust: The desired model for security

CISA wants to make the Zero Trust Maturity Model 2.0 an evolving document — one that will undergo continuous updates in a fast-paced cybersecurity landscape that’s constantly changing. The model aims to prevent unauthorized access to data and services and make access control enforcement as granular as possible.

Zero trust offers a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time. This shift provides the visibility needed to support the development, implementation, enforcement and evolution of security policies.

Perhaps the most critical thing about zero trust is that it may require changing an organization’s entire philosophy and culture around cybersecurity. Created by Executive Order 14028, titled: Improving the Nation’s Cybersecurity, it marks a renewed commitment to prioritizing federal cybersecurity modernization and strategy.

Among other policy mandates, the Executive Order embraces zero trust as the desired model for security and tasks CISA with modernizing its current cybersecurity programs, services and capabilities to be fully functional with zero-trust architecture cloud-computing environments.

“We have to move to a new model that we call the ‘zero trust,’ which focuses on ensuring that we’re authenticating every user before they get access to applications and data,” said Goldstein.     

The Zero Trust Maturity Model represents a gradient of implementation across five distinct pillars: identity, device, network, application workload and data. Each pillar also includes general details regarding visibility and analytics, automation and orchestration, and governance. While the Zero Trust Maturity Model is one of many critical paths to support the transition to zero trust, Goldstein noted that it still has a long way to go.

“For many organizations, it’s a tough journey to get from where we are today to that end-state where you have solid privilege management, identity management authentication across the whole environment, particularly if you’re an organization running a lot of legacy on-premises infrastructure,” he said.

While that might be a long process, the objective of the Zero Trust Maturity Model, Goldstein said, is to help organizations make thoughtful, linear progress toward achieving a zero-trust philosophy.

An evolving philosophy

Goldstein noted that the new version of the Zero Trust Maturity Model would be more efficient, adding that it’ll not only be better, but will also be a living, evolving document that takes in feedback and is never-ending. 

“That was the purpose of the Zero Trust Maturity Model that we at CISA released last year,” Goldstein said. “But we know this is new work, and figuring out how we define the maturity categories and the pieces they’re in will evolve. We got over 300 comments on version 1 of our Zero Trust Maturity Model, so we’re working on version two this summer.”

However, Goldstein added, “we may never say we are completely done with the maturity model” noting this is because it will be an evolving security philosophy. 

“As organizations put it into practice, we’re going to keep getting feedback and learning and evolving the guidance we’re putting out to what’s most effective for entities worldwide,” he said.