How to Effectively Implement Zero Trust Security

Moving toward zero trust is a major cybersecurity investment, but it can be done in an incremental way.

Following the hacks of the Office of Personnel Management, cybersecurity started to shift in a major way as it moved away from signature-based defenses and toward behavior-based security. Today, that is not enough to counter the sophisticated threats facing government agencies, including from nation-state actors and large-scale cybercriminal networks. 

Federal cybersecurity is shifting again, toward a zero trust architecture (ZTA) model, which promises a major security upgrade. It should be noted up front that moving to ZTA is a major undertaking and zero trust security cannot be achieved overnight.

However, zero trust has the potential to significantly improve agencies’ cybersecurity posture. The National Institute of Standards and Technology recently released a draft report on ZTA that provides a general “roadmap for organizations wishing to migrate to a ZTA-centered network infrastructure and discusses relevant federal policies that may impact or influence a zero trust architecture.”

Zero trust security focuses on perimeter security, on how users gain access to networks and systems, and on how they are treated once they are inside an agency’s IT perimeter.

While federal pilot programs adopting zero trust cybersecurity are still limited, agencies are looking to those aspirational models to strengthen their defenses.

What Is Zero Trust Cybersecurity?

Zero trust, the NIST report notes, is “primarily focused on data protection but can be expanded to include all enterprise assets.” 

“ZTA assumes the network is hostile and that an enterprise-owned network infrastructure is no different — or no more secure — than any non-enterprise owned network,” the report says. “In this new paradigm, an enterprise must continuously analyze and evaluate the risks to their internal assets and business functions and then enact protections to mitigate these risks.” 

Zero trust involves limiting access to resources to “only those who are validated as needing access and continuously authenticating the identity and security posture of each access request.”

Zero trust is not a single network architecture or technology, but “a set of guiding principles in network infrastructure, design and operation that can be used to improve the security posture of any classification or sensitivity level,” the report says. 

The NIST report notes that many agencies already have elements of zero trust in their enterprises. NIST recommends that agencies incrementally implement zero trust principles, process changes and technology solutions that protect their data assets and business functions. 


The Elements of a Zero Trust Architecture

There are numerous elements of a ZTA, the NIST report notes, including a policy engine to decide whether to grant access to a resource for a given client or subject, a policy administrator to connect a user and a resource, and a policy enforcement point to enable, monitor and eventually terminate the connection between a user and a resource.

There are many inputs the policy engine needs to take into account, including Continuous Diagnostics and Mitigation systems, federal compliance adherence, threat intelligence feeds, data governance and enterprise public key infrastructure, among others.

All of these components are integral to achieving ZTA, the NIST report notes, and do not necessarily need to be unique systems. “A single system may perform the duties of multiple logical components, and likewise, a logical component may consist of multiple hardware or software elements to perform the tasks,” the report says.
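As an added illustration (not code from the article or from NIST's draft), the logical components the report names can be sketched in Python: a policy engine that decides each request against constructed CDM posture, enterprise PKI, threat-intelligence and data-classification inputs, and an enforcement point that opens a session on an allow decision and terminates it when re-evaluation no longer passes. All names, feeds and addresses below are constructed for the example.

```python
from dataclasses import dataclass, field
# Constructed stand-ins for the feeds the article says the policy engine consults:
# CDM device posture, enterprise PKI, threat intelligence and data governance.
CDM_POSTURE = {"laptop-01": {"patched": True, "edr": True},
               "laptop-02": {"patched": False, "edr": True}}
PKI_VALID_CERTS = {"alice": True, "bob": False}   # hypothetical PKI validation result
THREAT_INTEL_BAD_IPS = {"203.0.113.9"}           # RFC 5737 documentation address
DATA_CLASS = {"payroll-db": "sensitive", "wiki": "internal"}

@dataclass
class AccessRequest:
    subject: str
    device: str
    source_ip: str
    resource: str

def policy_engine(req: AccessRequest) -> tuple[bool, str]:
    """Decide one request on its own merits; network location grants nothing."""
    if not PKI_VALID_CERTS.get(req.subject, False):
        return False, "identity not validated by enterprise PKI"
    posture = CDM_POSTURE.get(req.device)
    if posture is None or not posture["edr"]:
        return False, "device unknown to CDM or missing EDR"
    if req.source_ip in THREAT_INTEL_BAD_IPS:
        return False, "source flagged by threat intelligence"
    if DATA_CLASS.get(req.resource) == "sensitive" and not posture["patched"]:
        return False, "sensitive data requires a patched device"
    return True, "allow"

@dataclass
class EnforcementPoint:
    """Policy administrator plus PEP: opens the path on allow, closes it on re-check."""
    sessions: dict = field(default_factory=dict)

    def connect(self, req: AccessRequest) -> tuple[bool, str]:
        ok, why = policy_engine(req)
        if ok:
            self.sessions[(req.subject, req.resource)] = req
        return ok, why

    def reevaluate(self) -> list:
        """Continuous evaluation: terminate sessions whose inputs no longer pass."""
        ended = []
        for key, req in list(self.sessions.items()):
            ok, why = policy_engine(req)
            if not ok:
                del self.sessions[key]
                ended.append((key, why))
        return ended
```

The point to notice is that a session is never permanent: a change in any input feed (here, an address newly flagged by threat intelligence) causes the enforcement point to tear down connections that were allowed a moment earlier.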

One of the many pillars of a ZTA is network security. While zero trust networks do have perimeters, the model attempts to shift the focus away from the perimeter alone and examine all aspects of the network. Policies such as micro-segmentation and privileged access management are then implemented to follow the data and the personnel who have access to it.

Some agencies are already moving in this direction. The Defense Information Systems Agency is working with U.S. Cyber Command to launch a zero trust pilot.

“Zero trust is the architecture or framework that we are building out for overall continued access and authentication mechanisms across the network and at all layers of the network,” Jason Martin, the vice director of the Development and Business Center at DISA, said in September, according to Federal News Network. 

To do that, Martin noted, agencies must create a “foundational identity credentialing, access and authorizations solution.” 

“We are leveraging existing capabilities while in turn building out things like master user records and automated provisioning that we will set with policy and push out using our third component, a global policy orchestrator,” he says. 

Most agencies will operate in a hybrid mode between zero trust and legacy cybersecurity systems while they continue to invest in ongoing IT modernization initiatives and improve their business processes, NIST says.

Zero trust will require a lot of investment, and agencies won’t get there overnight, but the benefits of moving in that direction are well worth it.

This article is part of FedTech's CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.


matejmo/Getty Images
Oct 18 2019
