Jul 09 2020

The Fundamentals of Zero-Trust Security for Government

As agencies embrace the zero-trust model for cybersecurity, here is what they need to know to get started.

A growing number of federal agencies are becoming receptive to adopting a zero-trust architecture for their cybersecurity. 

In March, Chase Cunningham, a Forrester Research vice president and principal analyst serving security and risk professionals, identified “44 federal agencies that have dedicated, line item funded tiger teams to go off and either research or start implementing zero trust strategically,” according to Federal News Network. That was up from 10 to 12 agencies having conversations on zero trust a year before. 

And in recent months, agencies from the Defense Department to the Education Department and the Small Business Administration have indicated their willingness to move forward on zero trust. 

However, as more agencies do so, it is important to note that zero trust is not a single technology that an agency can purchase, like a hyperconverged infrastructure appliance. Indeed, in January, Steve Wallace, head of the Defense Information Systems Agency's new Emerging Technology Directorate, joked about buying a “box of Zero Trust,” jabbing at vendors that are promoting zero trust as a solution that can be bought, Breaking Defense reports.

Zero trust is instead a model that “assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet),” the National Institute of Standards and Technology notes. However, there are some fundamental building blocks that agencies should be putting in place as they shift to a zero-trust model. 

How to Get Started on Zero-Trust Security

Agencies are becoming more interested in zero trust because users are accessing applications and data outside of traditional network perimeters, in clouds and on home networks. As a result, agency IT security chiefs are looking to bring protections to wherever applications, workloads, users and devices might be, Jim Kotantoulas, a technical solutions architect at Cisco Security, writes in a Cisco blog post. 

Zero trust assumes that an organization’s network is always a hostile environment and that both external and internal threats exist at all times. 

“Zero Trust mandates a ‘never trust, always verify, enforce least privilege’ approach, granting least privilege access based on a dynamic evaluation of the trustworthiness of users and their devices, and any transaction risk, before they are allowed to connect to network resources,” Kotantoulas writes. This is the trust-centric model and the foundation of zero trust security, he adds. 

Cisco’s approach to zero trust lays out six critical steps an agency or other enterprise needs to take to adopt a zero-trust architecture, according to Kotantoulas. 

The first is to establish trust levels for users and user devices. Identity management and authentication are therefore central to zero trust, because they enable more granular control over access in an organization’s environment. The second, related step is to establish trust levels for Internet of Things devices and for data workloads.

In the next two steps, agencies establish software-defined perimeters that control access to applications (step three) and to networks, via segmentation and microsegmentation (step four). 

According to a white paper from the Cloud Security Alliance, a software-defined perimeter updates the traditional perimeter-based approach to security and gives “application owners the ability to deploy perimeters that retain the traditional model’s value of invisibility and inaccessibility to ‘outsiders,’ but can be deployed anywhere — on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations.”


Software-defined perimeters aim to give application owners the ability to set up perimeter functionality where needed, the Cloud Security Alliance notes, and “provide access to application infrastructure only after device attestation and identity verification.” 

The fifth and sixth steps involve automating adaptive security policies. First, agencies need to automate adaptive policy so that a single, consistent policy is applied across the network, the data center and the cloud. Then, agencies need to automate adaptive policy using threat response, so that the trust level granted to a user or device adapts to the level of threat observed. 

Shifting from a trusted perimeter model to a zero-trust model “means that static security policies that are already in place are now obsolete,” Kotantoulas writes, adding that cybersecurity “now needs to evaluate, adapt and deploy new security policies that address threats in an ever changing and dynamic environment.”

That means agency IT security policies “now need to be dynamic and calculated from as many sources of data as possible. All network activity must be visible, understood, continuously inspected and logged. Any indications of compromise or variations in behavior changes of their apps, users and devices must be investigated, validated and responded to immediately.” 

This constitutes a threat-centric model within zero trust. 

Both the trust-centric and threat-centric models “should be equally considered” when building zero trust networks, Kotantoulas writes. “And both should span across all aspects of the network, protecting the workforce, the workloads and the workspace.”
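To make the six steps and the threat-centric adaptation concrete, here is a small policy decision point written in Python. It is an added illustration for this article, not Cisco’s code and not anything Kotantoulas describes in detail; the trust tiers, the sample users, devices and access-control list, and the threat_level input are assumptions made for the example. It scores the user and the device separately, takes the weaker of the two, lets a threat-response signal lower that score, and only then checks a least-privilege ACL. Network location is written to the decision log but never consulted, which is the point of the model.

```python
"""Toy zero-trust policy decision point (PDP).

Added illustration only: the trust tiers, scoring rules, ACL and sample
principals below are constructed for this example, not taken from any
agency or vendor implementation.
"""
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    mfa: bool                 # strong authentication completed this session


@dataclass(frozen=True)
class Device:
    name: str
    managed: bool             # enrolled in the agency's device inventory
    attested: bool            # hardware-backed integrity attestation passed
    patched: bool             # meets the current patch baseline


@dataclass(frozen=True)
class Request:
    resource: str
    action: str
    sensitivity: Trust        # trust level the resource owner demands
    network: str              # "corp-lan", "home", ... (logged, never trusted)


@dataclass(frozen=True)
class Decision:
    verdict: str              # "allow", "deny" or "step-up"
    reasons: tuple            # audit trail for the decision


# Least-privilege ACL: resource -> action -> roles allowed (constructed sample).
ACL = {
    "hr-db": {"read": {"hr-analyst", "hr-admin"}, "write": {"hr-admin"}},
    "wiki":  {"read": {"staff", "hr-analyst", "hr-admin"}, "write": {"staff"}},
}


def user_trust(u: User) -> Trust:
    """Identity trust: strong auth earns HIGH, password-only earns LOW."""
    if not u.roles:
        return Trust.NONE     # unknown or deprovisioned identity
    return Trust.HIGH if u.mfa else Trust.LOW


def device_trust(d: Device) -> Trust:
    """Device trust: unmanaged devices get nothing; managed ones are graded."""
    if not d.managed:
        return Trust.NONE
    if d.attested and d.patched:
        return Trust.HIGH
    return Trust.MEDIUM if d.patched else Trust.LOW


def effective_trust(u: User, d: Device, threat_level: int) -> Trust:
    """Weakest link of user and device, demoted one tier per threat level."""
    base = min(user_trust(u), device_trust(d))
    return Trust(min(Trust.HIGH, max(Trust.NONE, base - threat_level)))


def decide(u: User, d: Device, r: Request, threat_level: int = 0) -> Decision:
    reasons = [f"network={r.network} (logged, not used for the decision)"]
    allowed_roles = ACL.get(r.resource, {}).get(r.action, set())
    if not (u.roles & allowed_roles):
        reasons.append(f"{u.name} holds no role permitting {r.action} on {r.resource}")
        return Decision("deny", tuple(reasons))

    trust = effective_trust(u, d, threat_level)
    reasons.append(f"user={user_trust(u).name} device={device_trust(d).name} "
                   f"threat={threat_level} effective={trust.name} "
                   f"required={r.sensitivity.name}")
    if trust == Trust.NONE:
        return Decision("deny", tuple(reasons))
    if trust < r.sensitivity:
        # A weak device cannot be fixed mid-session, but a missing MFA can:
        # offer step-up only when MFA alone would close the gap.
        if not u.mfa and device_trust(d) - threat_level >= r.sensitivity:
            return Decision("step-up", tuple(reasons + ["MFA would satisfy policy"]))
        return Decision("deny", tuple(reasons))
    return Decision("allow", tuple(reasons))


# Constructed sample principals and requests.
ALICE = User("alice", frozenset({"hr-analyst"}), mfa=True)
BOB = User("bob", frozenset({"hr-analyst"}), mfa=False)
GOOD_LAPTOP = Device("gov-laptop-17", managed=True, attested=True, patched=True)
BYOD = Device("personal-laptop", managed=False, attested=False, patched=True)
READ_HR_FROM_HOME = Request("hr-db", "read", Trust.HIGH, "home")
READ_HR_FROM_LAN = Request("hr-db", "read", Trust.HIGH, "corp-lan")
READ_WIKI_FROM_LAN = Request("wiki", "read", Trust.LOW, "corp-lan")
WRITE_HR = Request("hr-db", "write", Trust.HIGH, "corp-lan")

if __name__ == "__main__":
    for label, dec in [
        ("alice, attested laptop, from home", decide(ALICE, GOOD_LAPTOP, READ_HR_FROM_HOME)),
        ("bob, no MFA, on corp LAN", decide(BOB, GOOD_LAPTOP, READ_HR_FROM_LAN)),
        ("alice, unmanaged laptop, on corp LAN", decide(ALICE, BYOD, READ_WIKI_FROM_LAN)),
        ("alice during elevated threat", decide(ALICE, GOOD_LAPTOP, READ_HR_FROM_HOME, 1)),
        ("alice writing hr-db", decide(ALICE, GOOD_LAPTOP, WRITE_HR)),
    ]:
        print(f"{label}: {dec.verdict} :: " + "; ".join(dec.reasons))
```

Run as a script, the sample shows the two halves of the model at once. Alice on an attested, managed laptop is allowed into the HR database from her home network, while the same user on an unmanaged laptop plugged into the corporate LAN is denied even the low-sensitivity wiki: location buys nothing, device posture and identity do. Bob, lacking MFA on a good device, is offered step-up authentication rather than a flat deny. Raising threat_level demotes every effective trust score, so Alice’s previously allowed request is denied until the threat subsides, and a write she holds no role for is refused before trust is even computed.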
