What Is Zero-Trust Cybersecurity?
In February, the National Institute of Standards and Technology released a second draft special publication for public comment on zero trust. “A single enterprise may operate several internal networks, remote offices with their own local infrastructure, remote and/or mobile individuals, and cloud services,” the NIST publication says. “This complexity has outstripped traditional methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise. Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered.”
The special publication is designed to give federal IT leaders a “conceptual framework” using vendor-neutral terms, Scott Rose, a computer scientist at NIST, said in January at Duo Security’s Zero Trust Security Summit, presented by FedScoop.
“It’s where the emphasis of zero-trust implementations lie — whether identity or the actual micro-segmentation or the underlying network itself,” Rose told FedScoop after his panel. “Every good solution has elements of all three, it’s just: What is the key turning point for the organization?”
As NIST notes, zero trust refers to an “evolving set of network security paradigms that narrows defenses from wide network perimeters to individual resources.”
A zero-trust architecture uses zero-trust principles to plan enterprise infrastructure and workflows, according to NIST. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet),” NIST says. “Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established.” The NIST publication gives general deployment models and use cases where zero trust could improve an enterprise’s overall cybersecurity posture.
How Agencies Are Shifting to Zero Trust
According to the survey, 50 percent of government respondents said their agencies have strategies to meet the Office of Management and Budget’s Federal Identity and Access Management (FICAM) policy requirements.
The further along agencies are toward realizing a FICAM strategy, “the more advanced they are in consolidating identity and access controls to agency resources,” according to the survey.
However, between 41 and 48 percent of respondents are still in the early stages of taking inventory of the people and/or devices accessing their organizations’ networks.
The survey found that federal IT leaders are moving toward a passwordless user experience, with a little more than half planning to do so within the next two years. Respondents ranked multifactor one-time passwords (33 percent), randomly chosen passwords/PINs (22 percent) and out-of-band authenticators (20 percent) as the top three types of MFA their agencies will increase investment in over the next two years.
If agencies want to move to a zero-trust environment, they will need to adopt a combination of capabilities, the survey notes. Those include the ability to determine which systems and devices are owned or managed by the enterprise and which are not; making all communication to agency resources secure regardless of whether it’s from inside or outside the network perimeter; and ensuring access to individual enterprise resources is granted on a per-connection basis.
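As an added illustration of the principles described above (no implicit trust from network location, discrete authentication and authorization of both user and device, access granted per connection, and knowing which devices the enterprise manages), here is a small policy decision point in Python. It is example code written for this page, not code from NIST, the survey or any vendor; the device inventory, roles, address ranges and function names are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory of enterprise-managed devices: a zero-trust policy
# needs to know which devices the enterprise owns or manages and which it does not.
MANAGED_DEVICES = {"lap-0412", "lap-0977"}

# Constructed resource registry: the roles entitled to each enterprise resource.
RESOURCE_ROLES = {"hr-db": {"hr"}, "wiki": {"hr", "eng"}}

CORP_LAN = ip_network("10.0.0.0/8")  # constructed "inside the perimeter" range

@dataclass
class AccessRequest:
    user: str
    roles: set
    authenticated: bool    # user authentication completed for this session
    mfa: bool              # a second factor was presented
    device_id: str
    device_attested: bool  # device identity verified (e.g. by certificate)
    source_ip: str
    resource: str

def decide(req: AccessRequest) -> tuple:
    """Per-connection policy decision for one enterprise resource.
    Network location is deliberately never consulted: a request from the
    corporate LAN receives no implicit trust, as the NIST draft describes."""
    if not (req.authenticated and req.mfa):
        return ("deny", "user not authenticated with MFA")
    if not req.device_attested or req.device_id not in MANAGED_DEVICES:
        return ("deny", "device unmanaged or not attested")
    if not (req.roles & RESOURCE_ROLES.get(req.resource, set())):
        return ("deny", f"no role entitles access to {req.resource}")
    return ("allow", "authenticated user on managed device with entitled role")

def location_is_trusted(ip: str) -> bool:
    """The perimeter-model check that decide() intentionally never calls;
    kept only to show what 'implicit trust from location' would look like."""
    return ip_address(ip) in CORP_LAN

if __name__ == "__main__":
    # Inside the LAN but on an unmanaged device without MFA: denied.
    inside = AccessRequest("alice", {"hr"}, True, False, "byod-1", False, "10.1.2.3", "hr-db")
    # Outside the perimeter, but fully authenticated on a managed device: allowed.
    outside = AccessRequest("bob", {"eng"}, True, True, "lap-0412", True, "203.0.113.7", "wiki")
    print(decide(inside), location_is_trusted(inside.source_ip))
    print(decide(outside), location_is_trusted(outside.source_ip))
```

The contrast is the point: the perimeter check would have admitted the first request and rejected the second, while the per-connection policy reaches the opposite verdicts without ever looking at the source address.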
Nearly half or more of respondents said their agencies had minimal to average capabilities in determining which devices are owned by the enterprise and which are not and whether communications and individual connections are secure.