Using automated workflows to reach zero trust goals faster

Last updated on

Written by Dennis Perrone

In an ideal approach to zero trust, in which every user and device must continually prove their identity, automation is more than a useful tool, it’s essential to your federal agency’s success. You don’t need to take our word for it - security automation and orchestration is mandated by M-22-09 and M-21-31, and forms an integral part of the framework in CISA’s ZTMM (zero trust maturity model).

The message from the government and security experts alike is clear - without automation, there is no zero trust. 

There are lots of areas where automation can come into play — I think we’re going to fail if we don’t automate as we implement zero trust.


The stakes are high for agencies that have yet to implement or leverage the full potential of automation. While it’s true that CISA recommends a “gradual evolution” to zero trust, automation is listed as one of the first steps. But that doesn’t mean you have to start automating overnight. It’s important to spend some time defining your automation strategy and finding the right tools to help you execute it. 

So, what exactly does the government say about security automation and orchestration? How can federal agencies use automation to take meaningful strides toward improving their security posture? And what kind of capabilities do security orchestration, automation, and response (SOAR) platforms need to comply with regulations? In this post, we’ll find out.

The role of automation and orchestration in zero trust 

Zero trust and automation are inextricably linked. In zero trust, users and devices are treated as untrustworthy until proven otherwise, making manual access management close to impossible. Even a large IT organization working around the clock would struggle to keep pace. 

In most cases, automated workflows are the only way to implement CISA's mandate of "just-in-time and just-enough access tailored to individual actions and individual resource needs."

As agencies grapple with security events throughout their systems and cloud

infrastructure, automation of security monitoring and enforcement will be a practical necessity. 

This is reinforced by the five pillars and three cross-cutting capabilities listed in CISA’s ZTMM:

Zero trust pillars 

  1. Identity

  2. Devices

  3. Networks

  4. Applications and Workloads

  5. Data 

Zero trust cross-cutting capabilities 

  1. Visibility and Analytics

  2. Automation and Orchestration

  3. Governance

As agencies transition towards optimal zero trust implementations, associated solutions increasingly rely upon automated processes and systems that more fully integrate across pillars and more dynamically enforce policy decisions.

  • CISA's zero trust maturity model

In the document, CISA also outlines three stages in the journey to ZTMM, each requiring greater levels of protection, detail, and complexity for adoption.

  1. Initial

  2. Advanced

  3. Optimal

Automation appears in the initial stage of the zero trust journey, which means it requires immediate attention and action. 

Automation for zero trust: choosing your approach 

Making security automation work - measurably improving security posture and efficiency without disrupting the daily work of the agency - will require careful tuning, iteration, and sensitivity to business needs. For an automated security system to operate effectively with a mostly hands-off approach, false positives and false negatives must be low.

Successful automation of security responses will require rich data to inform systems for orchestration, as well as permission management. This includes the protected data types and who is accessing the data.

When choosing an approach to automation and orchestration, agencies generally base their decision on their specific needs and goals. Some partner with a low-code solution, others choose SOAR platforms with a heavy code and service overhead, and others still take a do-it-yourself approach to automation.

Things to consider when choosing your approach to automation 

  • Adoption speed - coding comes with a steep learning curve, meaning systems take longer to deploy 

  • Development speed - no-code or low-code workflow automation platforms can help your team build faster than coding 

  • Hosting and maintenance - high-code automation platforms can demand robust hosting infrastructure and extensive maintenance efforts

  • Personnel - no-code automation enables everyone on your team to create, manage, and maintain workflows, not just engineers

  • Scalability - maintaining custom scripts or code, especially as they grow in complexity, poses challenges

  • Security risks - custom code can be an unintended insecure entry point for adversaries

  • Cost - ineffective systems lead to costly incidents, and platforms that aren’t fit for purpose can end up as shelfware

Every agency has different needs and priorities, but the list above highlights some of the key benefits of a no-code and low-code SOAR platform.

The right-fit SOAR platform will be the connective tissue of your zero trust architecture, creating a unified defense strategy by extracting data from disparate tools and orchestrating responses to potential threats. The wrong-fit SOAR platform will gather dust on the shelf. 

SOAR platforms: shelfware or a fast track to zero trust? 

We’ve written previously about how you can’t buy zero trust, and how vendors that promise this should be treated with caution. Your zero trust program must be intentionally designed and tailored for your organization and mission set. 

When it comes to choosing a SOAR, it’s crucial to establish, in as much detail as possible, what you need your platform to do, before considering your options.

The truth is, many SOAR platforms are underutilized because they don’t fulfill the organization’s needs, or there aren’t sufficient resources to support them. The problem of software becoming shelfware is well represented in data - in one study by CSO online, security leaders reported that they only use 72% of the security technologies that they purchase.

This is one of many reasons why federal agencies are moving away from legacy SOAR and towards modern platforms like Tines

Challenges with legacy SOAR 

  • Difficult and time-consuming to learn and deploy

  • Requires engineers to build and manage workflows

  • Long build times - playbooks can take weeks to create when they could take hours

  • Lacking a relentless focus on automation and orchestration - it's often a bolted-on feature in a bigger system e.g. SIEM and TIP platforms

  • Limited ability to connect to internal or external tools without a long wait time or added cost

With this in mind, we’ve drafted a list of questions to use when evaluating SOAR platforms. 

Things to consider when choosing a zero trust SOAR platform 

  • What exactly do we need our SOAR platform to do? Incident response, endpoint management, etc.

  • Is the platform quick to deploy? What’s the onboarding process like?

  • Is it intuitive to use? Can the whole team use it, or does it require engineers to build and maintain workflows?

  • What’s the development speed like? How long will it take for the team to build each workflow?

  • Is it flexible enough to connect to all of our tools, internal and external? 

  • Will it work within our hosting infrastructure?

Providers that supply broad-based, vendor-neutral SOAR… What sets these products apart is their ability to receive inputs from a broad ecosystem of security products, and organize the workflow of the security operations team. […]

Buyers who prefer the best-of-breed approach will find that SOAR still offers more flexibility, genuine vendor-neutrality, and opportunities for non security use cases.

  • Gartner's 2023 Market Guide for Security Orchestration, Automation and Response Solutions

Now, we’ll take a look at how Oak Ridge National Laboratory, a federally-funded research organization, used a no-code, low-code workflow and automation platform to reach their zero trust goals.  

Case study: Oak Ridge National Laboratory 

Oak Ridge National Laboratory (ORNL) faced the complex task of implementing the zero trust framework while managing a rotating security automation team.

They needed:

  • A way to quickly automate a large number of processes that require continuous monitoring and reporting

  • A platform that could connect internal and external systems in their wide and varied tech stack

  • A system that could be easily used and managed by anyone on ORNL’s security team, which includes team members who can’t code, and team members who regularly step out for military training and deployments

  • Increased metric evaluation and reporting capabilities

Pete Wood, Lead Engineer, used a phishing analysis workflow to test several vendors. Tines was the only platform that was able to achieve this in the eight-week timeframe. 

Mike Crider, Cyber Vulnerability Analyst, explained, “It was a game changer during onboarding when we could connect all our systems. We have a lot of tools in our environment. Anything that has a backend API, we’re now using Tines to tie into that tool. Our ability to integrate new tools has taken out so much of our everyday tasks from before.” 

The team now uses Tines for:

  • Organization-wide reporting

  • Curating and combining information across databases

  • Vulnerability management

  • Cyber threat intelligence

  • Endpoint management

  • Firewall rule management

  • Forensics

  • Digital investigations 

  • Incident response

Our zero trust strategy relies heavily on integration and automation. With Tines, we're able to quickly and easily build integrations and automated workflows across our tooling to ensure our zero trust-related processes are repeatable and reliable.

Maria Mcclelland, Chief Information Security Officer, Oak Ridge National Laboratories

Tines for zero trust

Tines: automation and orchestration for zero trust 

Tines stands out from other SOAR solutions because of its intuitive and flexible design. 

Unlike many SOARs, Tines offers a no-code or low-code interface that the whole team can use - there’s no need to wait for a developer to build or edit workflows, and no chance that it will become shelfware. 

The platform’s unique approach to integrations makes it easy to connect to any tool that offers an API. This also makes it adaptable to changes in other technologies. As one customer put it, “No matter how many tools you change, you can keep Tines in place.”

Tines' workflow interface, "storyboard," is both documentation and automation. From action descriptions and annotations to viewer roles, there's little to no need for external documentation. It's all in-line and legible from the storyboard This drives consistency and helps compliance with executive orders, particularly when combined with a next-gen SIEM like Elastic.

Why federal agencies choose Tines 

  • Fast, easy implementation

  • Designed for the whole team to use - anyone can build and manage workflows

  • Integrates with any tool, internal or external, that offers an API 

  • Deployed where you need it - self-hosted, on-prem or hybrid

  • Adaptable to changes in your tech stack

  • Provides the controls you need to reinforce your security posture

  • Documentation capabilities drive consistency and aid compliance

  • Capable of handling massive complexity 

  • Allows teams to still use code when it’s needed 

Tines and zero trust framework 

Tines users can choose from hundreds of pre-built, end-to-end playbook templates that they can import and customize to meet their agency's needs. Let's take a look at some popular use cases and templates for federal agencies pursuing zero trust.

Identity verification

Implement access control policies for multifactor authentication and access controls.

Identity verification

Monitor application access changes in Okta

Monitor Okta logs to identify recent access changes to applications. Easily export reports to CSV for further analysis.



Created by

Michael Tolan

Continuous monitoring

Auto-remediate identity and device verification to reinforce security protocols. 

Continuous monitoring

Discover and monitor unmanaged devices using Axonius

Find unmanaged devices using Axonius and enrich them with information from Shodan.

Access controls

Control access across environments and applications dynamically. 

Access controls

Block suspicious IPs by creating firewall rule groups with CrowdStrike

Create firewall rule groups to block the suspicious or malicious IP addresses submitted and contain devices.

Device verification

Automate device profiling, endpoint security, and threat intelligence in a bring-your-own-device economy. 

Device verification

Investigate & remediate critical container vulnerabilities in Aqua Security Cloud Workload Protection Platform

Automate remediation of all critical container vulnerability alert findings in the Aqua Security Cloud Workload Protection Platform in line with best practices to achieve a more robust security posture around your container environment.

Process automation

Enrich, prioritize, de-duplicate, and auto-respond to alerts and incidents for scaled security response.

Example Story

Implement data loss prevention policies

Respond to DLP alerts if a user makes something on Google Drive public, accidentally or deliberately. This Story will contact the user via Slack, remove the relevant permissions from the file, and make it private again if necessary.

Find 100s more playbook templates in the Tines library.

The quickest path to zero trust 

Federal agencies are at a critical junction in the journey towards zero trust, but, the right workflow automation platform can help them get there faster, and with fewer resources. 

In Tines, agencies will find a valuable partner, a new kind of SOAR platform that not only aids compliance but reduces bottlenecks. 

Built by you, powered by Tines

Talk to one of our experts to learn the unique ways your business can leverage Tines.