Cybersecurity is a perennial concern inside federal agencies, but the conversation is starting to evolve.
In the past, perimeter-based IT security defenses were a major area of investment — keeping malicious actors out of networks and away from sensitive data. Increasingly, the cybersecurity landscape is shifting to a focus on identity and access management, data security and a relatively new model known as zero-trust security.
Although federal adoption of zero-trust cybersecurity is extremely limited and pilots are just beginning, agencies are looking to the model as an aspiration and something they want to consider as they move to strengthen their defenses.
In April, the American Council for Technology–Industry Advisory Council (ACT-IAC), at the direction of the federal CIO Council, released a zero-trust white paper that explores the current state of zero-trust technology and commercial adoption, as well as the benefits of the model, its suitability for use in government and how to deploy it.
Zero trust is based on the idea that organizations “need to proactively control all interactions between people, data, and information systems to reduce security risks to acceptable levels.”
What Is a Zero-Trust Security Model?
Zero-trust security focuses not merely on perimeter security but also on how users gain access to networks and systems and how they are treated once they are inside an agency’s IT perimeter.
As Cisco Systems company Duo Security notes on its website, zero trust means that organizations “should not trust anything inside or outside of their network perimeters and should instead verify anything and everything that tries to connect to applications and systems before granting them access.”
Essentially, no user or traffic is more trustworthy by default than any other user or bit of traffic coming from outside the organization. Agencies set the terms for how and when to trust a user or application and give it access.
As Amanda Rogerson, a product marketing manager for Duo Security, notes in a blog post, the concept was developed in the early 2000s by a security group known as the Jericho Forum and was first introduced by John Kindervag in 2009. That work served as the basis for Google’s BeyondCorp, which offered an “implementation of a zero-trust architecture that requires securely identifying the user and device, removing trust from the network, externalizing apps and workflow, and implementing inventory-based access controls.”
As organizations shift more apps to the cloud and users become more mobile, it is increasingly difficult for enterprises and agencies to have visibility and control over users and devices, Rogerson notes.
A blog post from Palo Alto Networks states that organizations “must identify the traffic and data flow that maps to your business flows, and then have the visibility to the application, the user and the flows.”
Another key element of zero-trust security is to “adopt a least-privileged access strategy and strictly enforce access control,” which “can significantly reduce the pathways for attackers and malware,” according to the blog post.
Agencies also must inspect and log all traffic. “To effectively do this, identify the appropriate junctions for inspection and build in the inspection points,” Palo Alto states.
What Is Microsegmentation Networking?
One of the pillars of zero-trust security is network security. While zero-trust networks do have perimeters, the model attempts to shift the perimeter away from the network edge and toward the actual data. Then, that data is segmented and isolated from other data, according to the ACT-IAC white paper.
“It is critical to (a) control privileged network access, (b) manage internal and external data flows, (c) prevent lateral movement in the network, and (d) have visibility to make dynamic policy and trust decisions on network and data traffic,” the white paper states. “The ability to segment, isolate, and control the network continues to be a pivotal point of security and essential for a Zero Trust Network.”
Microsegmentation allows agency security teams to put in place granular data security policies. These can be “assigned to data center applications, down to the workload level as well as devices,” according to the white paper.
“This means that security policies can be synchronized with a virtual network, virtual machine, operating system or other virtual security targets,” the white paper adds.
For zero trust to be successful, organizations must “segregate systems and devices according to the types of access they allow and the categories of information that they process,” Pavel Trinos, a security field solution architect at CDW, writes in a blog post. “These network segments can then serve as the trust boundaries that allow other security controls to enforce the zero trust philosophy.”
Microsegmentation can help guard against lateral movement in the network. The technique “dissociates segmentation security policy by IP address, and instead associates defined-access policy by that authorized user and app,” the white paper adds.
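The effect on lateral movement can be measured as a blast radius: the set of workloads reachable from one compromised foothold. The sketch below is an added example, not taken from the white paper or any vendor; the workload names, addresses and allowed flows are constructed, and it keys policy on a workload's application identity as a stand-in for the "authorized user and app" the paper describes.

```python
import ipaddress
from collections import deque

# Constructed inventory: workload -> (IP address, application identity).
WORKLOADS = {
    "hr-web":  ("10.0.1.10", "hr-portal"),
    "hr-db":   ("10.0.1.20", "hr-database"),
    "fin-web": ("10.0.1.30", "finance-portal"),
    "fin-db":  ("10.0.1.40", "finance-database"),
}

# Perimeter-style rule: any address inside the data-center subnet may reach any other.
FLAT_SUBNET = ipaddress.ip_network("10.0.1.0/24")

# Microsegmented policy: default deny, only the named app-to-app flows are allowed.
APP_FLOWS = {
    ("hr-portal", "hr-database"),
    ("finance-portal", "finance-database"),
}

def flat_allows(src, dst):
    """IP-based decision: both endpoints merely have to sit in the trusted subnet."""
    return all(ipaddress.ip_address(WORKLOADS[w][0]) in FLAT_SUBNET
               for w in (src, dst))

def segmented_allows(src, dst):
    """Identity-based decision: the (source app, destination app) pair must be listed."""
    return (WORKLOADS[src][1], WORKLOADS[dst][1]) in APP_FLOWS

def blast_radius(foothold, allows):
    """Workloads reachable by hopping outward from a compromised foothold (BFS)."""
    seen, queue = {foothold}, deque([foothold])
    while queue:
        current = queue.popleft()
        for candidate in WORKLOADS:
            if candidate not in seen and allows(current, candidate):
                seen.add(candidate)
                queue.append(candidate)
    return sorted(seen - {foothold})

if __name__ == "__main__":
    print("flat subnet:   ", blast_radius("hr-web", flat_allows))
    print("microsegmented:", blast_radius("hr-web", segmented_allows))
```

Under the flat rule a compromise of the HR web tier reaches every other workload; under the segmented policy it reaches only the HR database that tier is meant to talk to.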
How Do Software-Defined Perimeters Relate to Zero-Trust Security?
Another tool that zero-trust security enables is a software-defined perimeter. “With SDP, users, regardless of whether they are inside or outside the network, connect directly to resources, whether they reside in the cloud, in the data center, or on the internet; all without connecting to the corporate network,” the ACT-IAC white paper states.
Each user’s network traffic becomes encased in a secure perimeter. This is especially useful as more agencies adopt mobile technologies and users connect to networks that are not owned and operated by the government.
“Users (or an SDP host) cannot initiate or accept communication with another SDP host until after connecting to an SDP Controller that authorizes the transaction,” according to the white paper.
The SDP Controller obviates the need for Domain Name Server information and port visibility to the outside world, which then effectively cloaks the network to outside users.
Software-defined perimeters create a protective casing around critical apps and data access, which enhances an agency’s cybersecurity.
“For example, existing attacks such as credential theft and server exploitation are blocked dynamically as these technologies only allow access from devices registered to authenticated users, which is a key Zero Trust element,” the white paper states.
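The controller-first flow and the device-registration check described above can be modeled in a few lines. This is an added sketch, not code from the white paper or any SDP product: the registry, entitlements, key and the HMAC-signed grant format are all constructed assumptions used to show why stolen credentials alone do not open a connection.

```python
import hashlib
import hmac
import time

CONTROLLER_KEY = b"constructed-demo-key"  # assumed secret shared by controller and gateway
REGISTERED_DEVICES = {"laptop-7f3a": "alice"}  # constructed: device ID -> registered user
ENTITLEMENTS = {"alice": {"hr-portal"}}        # constructed: user -> permitted resources
GRANT_TTL = 60                                 # seconds a grant stays valid

def _sign(user, device, resource, expires):
    msg = f"{user}|{device}|{resource}|{expires}".encode()
    return hmac.new(CONTROLLER_KEY, msg, hashlib.sha256).hexdigest()

def controller_authorize(user, credentials_ok, device, resource, now=None):
    """Issue a short-lived grant only for an authenticated user on their registered device."""
    now = time.time() if now is None else now
    if not credentials_ok:
        return None
    if REGISTERED_DEVICES.get(device) != user:
        return None  # valid credentials presented from an unregistered device
    if resource not in ENTITLEMENTS.get(user, set()):
        return None
    expires = int(now) + GRANT_TTL
    return {"user": user, "expires": expires,
            "sig": _sign(user, device, resource, expires)}

def gateway_accept(grant, device, resource, now=None):
    """Accept a connection only with a controller grant that matches what the gateway sees.

    The signature is recomputed from the device and resource observed on the
    connection, so a grant copied to another device or aimed at another
    resource does not verify.
    """
    if grant is None:
        return False
    now = time.time() if now is None else now
    expected = _sign(grant["user"], device, resource, grant["expires"])
    return hmac.compare_digest(expected, grant["sig"]) and now < grant["expires"]

if __name__ == "__main__":
    ok = controller_authorize("alice", True, "laptop-7f3a", "hr-portal")
    print("registered device:", gateway_accept(ok, "laptop-7f3a", "hr-portal"))
    stolen = controller_authorize("alice", True, "unknown-host", "hr-portal")
    print("stolen credentials, other device:",
          gateway_accept(stolen, "unknown-host", "hr-portal"))
```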
How Can Zero-Trust Models Enhance Federal Cybersecurity?
A positive for agencies looking to deploy zero-trust security is that it does not require a major acquisition of new technologies. Instead, zero trust can augment and build upon technologies that agencies likely have in place already, according to ACT-IAC.
Those include “identity, credential and access management (ICAM); access standards based on trust algorithms; automated policy decisions; and continuous monitoring,” which are all critical elements of zero trust.
Agencies can also roll out zero trust at their own pace and scale, as determined by their risk level. The most successful zero-trust solutions “should layer on top of existing infrastructures and be convenient and easy for user populations to adopt without an impact to their current workflows,” Rogerson notes.
“A zero-trust approach for the workforce should provide an organization the tools to be able to evaluate and make access decisions based on specific risk-based context for any application within an environment,” she adds. “This can even mean layering security controls on top of existing remote access solutions that are in place today.”
Zero trust, the ACT-IAC white paper notes, offers a “consistent security strategy of users accessing data that resides anywhere, from anywhere, in any way”; assumes a “never trust and always verify” approach; demands continuous authorization, no matter where a request for access comes from; and boosts “visibility and analytics across the network.”
The Defense Information Systems Agency, the Pentagon’s IT arm, is creating a lab to test zero-trust network architecture; the lab will serve as the hub for a zero-trust pilot program between DISA and U.S. Cyber Command, according to Jason Martin, acting director of DISA’s cyber directorate, Nextgov reports.
Speaking at the FCW Cybersecurity Summit earlier this month, Martin said that the lab will focus on identity and access management for military networks and will also work with the intelligence community. The tests will inform how DISA will move forward on zero trust and will allow the agency to rethink “how we do continuous security,” Martin said.
According to Martin, the program will focus on three key areas: creating a framework for continuously monitoring and checking access on different layers of the network, building out tools to manage identity and access, and pushing out those solutions across the Pentagon. Based on the findings, he said, the Pentagon will likely both adapt existing policies and tools to improve security, and acquire new tech to deploy across the enterprise.