Maryland Adopts Modular Zero Trust

Maryland is rolling out a new modular Zero Trust framework, dubbed an "architecture of trust," with an 18-month implementation phase. The approach allows agencies to tackle high-risk pillars like User & Identity first, a model that could inform DoD and commercial compliance playbooks.

The state's new policy suite officially moves Maryland from a "trust but verify" stance to a "never trust, always verify" mindset, especially for high-value systems. The framework is aligned with the NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev. 5 and establishes a new baseline for the state's 22 Cabinet agencies.

Maryland's prioritization of the User & Identity pillar mirrors the Department of Defense's Zero Trust model, which also designates "User" as a foundational pillar. The DoD strategy mandates a centralized Identity Provider (IdP), strong multi-factor authentication (MFA), and rigorous identity life-cycle management to enforce least-privilege access.

For detection engineering in Splunk, this translates to risk-based alerting that correlates IdP authentication logs with endpoint data. Detection rules should target anomalous behavior such as impossible travel (successive logins whose distance and time gap imply a speed no traveler could reach), concurrent logins from different locations, and attempts to escalate privileges or modify membership of critical groups. A compliance dashboard can map directly to DoD controls by visualizing MFA enforcement across all accounts, tracking privileged access sessions, and assigning dynamic risk scores to users and devices. Bringing endpoint, network, and cloud telemetry into the same SIEM gives the holistic view of user activity that continuous monitoring and continuous authorization depend on.

Threat intelligence indicates a significant rise in identity-based attacks that exploit misconfigured Identity and Access Management (IAM) policies and chain together minor permission gaps to escalate privileges. Attackers are also increasingly exploiting public-facing applications; the report cites a 44% surge in incidents where stolen credentials were not required for initial access at all. In multi-client Splunk environments, strict Role-Based Access Control (RBAC) is essential to segregate tenant data and enforce least privilege for analysts themselves.
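The detection logic described above, written out as an added example that is not part of the article, the Maryland policy, the DoD strategy, or any Splunk content. It runs over a handful of constructed IdP events in a simplified schema (the field names, the privileged-group list, the 900 km/h impossible-travel cutoff, and the risk weights are all assumptions; in Splunk the same checks would be expressed in SPL against normalized authentication and directory-change data). Concurrent logins from two locations fall out of the same check, because a zero time gap yields an infinite implied speed.

```python
"""Impossible travel, missing MFA, and privileged-group changes over IdP events.

Added example (assumed schema and thresholds), not the article's or Splunk's code.
"""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not real logs. "geo" is (lat, lon) resolved from src_ip.
EVENTS = [
    {"ts": "2024-03-04T09:00:00Z", "action": "login", "user": "a.smith",
     "src_ip": "203.0.113.10", "geo": (39.04, -76.64), "mfa": True},   # Maryland
    {"ts": "2024-03-04T09:20:00Z", "action": "login", "user": "a.smith",
     "src_ip": "198.51.100.7", "geo": (52.52, 13.40), "mfa": True},    # Berlin, 20 min later
    {"ts": "2024-03-04T10:00:00Z", "action": "login", "user": "b.jones",
     "src_ip": "203.0.113.22", "geo": (39.29, -76.61), "mfa": False},  # MFA not enforced
    {"ts": "2024-03-04T10:05:00Z", "action": "group_change", "user": "b.jones",
     "target_group": "Domain Admins", "change": "add_member", "member": "svc-backup"},
    {"ts": "2024-03-04T11:00:00Z", "action": "login", "user": "c.lee",
     "src_ip": "203.0.113.5", "geo": (39.04, -76.64), "mfa": True},
    {"ts": "2024-03-04T12:00:00Z", "action": "login", "user": "c.lee",
     "src_ip": "203.0.113.5", "geo": (39.04, -76.64), "mfa": True},    # same place, benign
]

# Assumptions: which groups count as privileged, the speed no legitimate traveler
# exceeds, and how much each finding contributes to a user's risk score.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
MAX_SPEED_KMH = 900.0
RISK = {"impossible_travel": 60, "privileged_group_change": 40, "missing_mfa": 30}
ALERT_THRESHOLD = 50


def haversine_km(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events: list[dict]) -> tuple[list[tuple[str, str, str]], dict[str, int]]:
    """Return (findings, risk_scores). Each finding is (user, kind, detail)."""
    findings: list[tuple[str, str, str]] = []
    last_login: dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 UTC sorts lexically
        user = ev["user"]
        if ev["action"] == "login":
            if not ev["mfa"]:
                findings.append((user, "missing_mfa", f"login from {ev['src_ip']} without MFA"))
            prev = last_login.get(user)
            if prev and prev["src_ip"] != ev["src_ip"]:
                km = haversine_km(prev["geo"], ev["geo"])
                hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
                speed = km / hours if hours > 0 else math.inf  # simultaneous => impossible
                if speed > MAX_SPEED_KMH:
                    findings.append((user, "impossible_travel",
                                     f"{km:.0f} km in {hours * 60:.0f} min "
                                     f"({prev['src_ip']} -> {ev['src_ip']})"))
            last_login[user] = ev
        elif ev["action"] == "group_change" and ev["target_group"] in PRIVILEGED_GROUPS:
            findings.append((user, "privileged_group_change",
                             f"{ev['change']} {ev['member']} in {ev['target_group']}"))

    scores: dict[str, int] = defaultdict(int)
    for user, kind, _ in findings:
        scores[user] += RISK[kind]  # dynamic per-user risk, as on the dashboard
    return findings, dict(scores)


def users_over_threshold(events: list[dict], threshold: int = ALERT_THRESHOLD) -> list[str]:
    """Users whose accumulated risk warrants an alert or a step-up challenge."""
    _, scores = detect(events)
    return sorted(u for u, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    found, risk = detect(EVENTS)
    for f in found:
        print(f)
    print("risk:", risk, "alert:", users_over_threshold(EVENTS))
```

Scoring findings per user rather than alerting on each one is what keeps the analyst queue manageable: one login without MFA is a hygiene ticket, while the same user then adding a service account to Domain Admins crosses the threshold and should trigger an investigation.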
Configuring forwarders with `sslVerifyServerCert` and `sslVerifyServerName` ensures they only send data to an indexer whose certificate chains to a trusted CA and whose name matches the configured server, aligning with the "never trust, always verify" principle at the infrastructure level. To demonstrate compliance, agencies can use emerging Zero Trust assessment tools, such as Microsoft's open-source PowerShell module. These automated tools continuously test security configurations against Zero Trust best practices, identify gaps, and produce an actionable remediation roadmap.
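The forwarder setting above, shown as an added example rather than a configuration from the article or from Splunk's documentation: the weak stanza and the hardened stanza side by side. The stanza names, hostnames, and certificate paths are assumptions; the setting names follow `outputs.conf.spec` for Splunk 9.x and should be checked against the installed version, since `sslVerifyServerName` is not present in older releases.

```ini
# outputs.conf on a universal forwarder (added example; assumed names and paths)

# Weak: TLS is enabled, but the forwarder accepts whatever certificate the peer
# presents, so anything that can intercept the path can pose as the indexer.
[tcpout:indexers-weak]
server = idx1.example.gov:9997
useSSL = true
sslVerifyServerCert = false

# Hardened: the peer certificate must chain to the agency CA and its name must
# match the configured server, and the forwarder authenticates itself with a
# client certificate so the indexer can apply the same rule in reverse.
[tcpout:indexers]
server = idx1.example.gov:9997, idx2.example.gov:9997
useSSL = true
sslRootCAPath = $SPLUNK_HOME/etc/auth/agency-ca.pem
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslVerifyServerCert = true
sslVerifyServerName = true

[tcpout]
defaultGroup = indexers
```

After deploying the hardened stanza, point a test forwarder at a listener with a self-signed certificate and confirm in `splunkd.log` that the connection is refused; a forwarder that still connects has not picked up the new outputs.conf.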
