Achieving CIS Critical Security Controls Through ZTNA

Widespread Adoption of the CIS Controls

The Center for Internet Security (CIS) Critical Security Controls have been recognized as a gold-standard cybersecurity framework since the SANS Institute introduced them in 2008.

Thousands of security-conscious organizations worldwide have adopted the CIS Controls, and the framework has been endorsed by prominent security industry groups such as the National Institute of Standards and Technology (NIST) and the European Telecommunications Standards Institute (ETSI), among others.

Showing just how important the CIS Controls have become to cybersecurity practitioners, they are the only framework referenced in the renowned Verizon Data Breach Investigations Report. Alongside its discussion of the most common breach types, the report identifies the specific Controls organizations should consider to mitigate those threats.

Practical, Actionable Guidance

The CIS Controls continue to be refined, with v8 representing the latest evolution of security best practices built for today’s threat landscape. The 18 Controls are subdivided into 153 Safeguards that provide pragmatic, actionable recommendations for improving an organization’s cybersecurity preparedness.

CIS also provides a useful breakdown of the Safeguards based on three Implementation Groups (IGs), which are aligned with an organization’s level of security maturity and need. While organizations in IG1 “have limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel,” those in IG3 have “security experts that specialize in the different facets of cybersecurity” and are subject to regulatory and compliance oversight.

Aligning Core ZTNA Principles with the CIS Controls

Although the 18 Controls span multiple security models and technologies, organizations that adopt a Zero Trust Network Access (ZTNA) approach can take a giant leap forward in their journey toward adopting the Controls.

The table below examines how ZTNA’s core principles align with the CIS Controls.

| Core ZTNA Principle | Alignment with CIS Controls |
| --- | --- |
| Never trust, always verify – any device. Any device attempting to connect to the network must meet minimum security requirements. | Control 1: Inventory and Control of Hardware Assets |
| Never trust, always verify – any user. Users attempting to connect to the network must be authenticated via multiple factors based on identity and context. | Control 5: Account Management; Control 6: Access Control Management |
| Least privilege access. Access to a specific resource depends on the user's role and device; the user has no access to the remaining resources, which prevents sensitive data and assets from being exposed to everyone on the network. | Control 3: Data Protection; Control 5: Account Management; Control 6: Access Control Management |
| Network segmentation. A security approach that divides the network into multiple zones, defining granular and flexible security policies for each network segment. | Control 12: Network Infrastructure Management |
| Continuous network monitoring. User activity should be monitored and logged. | Control 8: Audit Log Management; Control 13: Network Monitoring and Defense |
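
As an added illustration (not code from this page or from Harmony SASE), the following Python policy decision function applies the five ZTNA principles above to constructed access requests and tags each check with the CIS Control it aligns with; the resource policy, users and devices are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    managed: bool          # known in the asset inventory (Control 1)
    disk_encrypted: bool   # posture requirement (Control 3)

@dataclass
class User:
    username: str
    role: str
    mfa_passed: bool       # identity plus second factor (Controls 5, 6)

# Constructed policy: one segment per resource (Control 12); roles are least privilege (3/5/6).
POLICY = {
    "payroll-db": {"segment": "hr-zone", "roles": {"hr"}},
    "source-repo": {"segment": "eng-zone", "roles": {"engineer"}},
}

def evaluate(user: User, device: Device, resource: str, audit: list) -> bool:
    """Decide one access request and append an audit record (Controls 8, 13)."""
    policy = POLICY.get(resource)
    checks = [  # (aligned control, passed?, reason recorded when it fails)
        ("Control 1", device.managed, "device not in inventory"),
        ("Control 3", device.disk_encrypted, "disk encryption missing"),
        ("Control 5/6", user.mfa_passed, "MFA not satisfied"),
        ("Control 12", policy is not None, "unknown resource/segment"),
        ("Control 3/5/6", policy is not None and user.role in policy["roles"], "role not entitled"),
    ]
    failed = [(ctl, why) for ctl, ok, why in checks if not ok]
    decision = "ALLOW" if not failed else "DENY"
    audit.append({"user": user.username, "device": device.device_id,
                  "resource": resource, "decision": decision, "reasons": failed})
    return decision == "ALLOW"

def demo():
    """Constructed requests: one allow, one least-privilege deny, one posture/MFA deny."""
    audit = []
    eng = User("alice", "engineer", mfa_passed=True)
    hr = User("bob", "hr", mfa_passed=False)
    laptop = Device("lt-001", managed=True, disk_encrypted=True)
    byod = Device("ph-777", managed=False, disk_encrypted=False)
    results = [
        evaluate(eng, laptop, "source-repo", audit),   # every check passes
        evaluate(eng, laptop, "payroll-db", audit),    # wrong role for the hr-zone resource
        evaluate(hr, byod, "payroll-db", audit),       # unmanaged, unencrypted, no MFA
    ]
    return results, audit
```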

How Organizations Use Harmony SASE to Address CIS Controls

The robust network security capabilities built into the Harmony SASE platform enable organizations to accelerate their adoption of the CIS Controls. The platform satisfies more than 35 CIS Controls and Safeguards, in full or in part, as summarized below.

| CIS Control | Summary of Harmony SASE Capabilities | CIS Safeguards Supported |
| --- | --- | --- |
| 1: Inventory and Control of Enterprise Assets | Monitoring and reporting on managed devices; device posture check | 1.1, 1.2 |
| 2: Inventory and Control of Software Assets | Determine access rules for on-prem and cloud applications; identify the use of unauthorized apps; limit app access to only authorized users | 2.1, 2.3, 2.5 |
| 3: Data Protection | Enable least privilege; enforce disk encryption; set up encrypted tunnels | 3.3, 3.6, 3.10 |
| 4: Secure Configuration of Enterprise Assets and Software | Cloud-based firewall; on-device agent; private DNS configuration | 4.4, 4.5, 4.9 |
| 5: Account Management | User/admin inventory | 5.1 |
| 6: Access Control Management | MFA support; manage and report on role-based access | 6.3-6.5, 6.8 |
| 8: Audit Log Management | Logging of URL requests, network, device and admin activity, config and firewall changes; log management and retention | 8.1, 8.2, 8.5, 8.7, 8.10 |
| 9: Email and Web Browser Protections | DNS and URL filtering | 9.2, 9.3 |
| 10: Malware Defenses | Centrally managed malware protection and signature updates | 10.1, 10.2 |
| 12: Network Infrastructure Management | Least privilege access; user authorization and network activity logs; network traffic limited to secure protocols; identity-based access rules and MFA support; 256-bit AES encryption; allows only authenticated connections | |
| 13: Network Monitoring and Defense | Granular firewall and network policy rules; identity-based access controls; device security posture enforcement; network traffic flow visualization | 13.4-13.6, 13.9, 13.10 |

Learn More

Download our coverage matrix and head over to our CIS Controls page to learn more about how Harmony SASE helps address key controls and safeguards.