Security

NASA Flies Down the Road to Zero-Trust Security

The space agency is taking multiple paths toward enhancing its cybersecurity.

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna, and two cats, Grady and Princess.

NASA has been signaling for months that it intends to adopt a zero-trust architecture for its cybersecurity. Now, the agency is starting to explain why it is doing so, and how. A zero-trust approach will help it enhance its security posture.

Speaking late last month during an American Council for Technology and Industry Advisory Council webinar, Mike Witt, associate CIO for cybersecurity and privacy at NASA, explained how NASA has embraced automation as part of its cybersecurity response. The shift to telework as a result of the coronavirus pandemic is also accelerating its embrace of zero trust, which will be a multiyear process.

“We’ve got to get away from the mindset of ‘you can account for every alert.’ You’ve got to embrace orchestration and [security orchestration, automation, and response] technologies — artificial intelligence, machine learning. You have to embrace this,” Witt said, according to GCN. “You have to take advantage of playbooks and push your teams to basically do a lot of these automated responses so that you can focus your limited analyst power … on some of the more interesting things.”

NASA Sees Multiple Avenues to Enhance Security

There are several ways that NASA is shifting toward a zero-trust model beyond simply automating some aspects of its cybersecurity response.

As the National Institute of Standards and Technology notes in its zero-trust architecture guidance, which was finalized in August, zero trust is not one set of technologies. It is rather an “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

A zero-trust architecture uses zero-trust principles to plan enterprise infrastructure and workflows, according to NIST. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet),” NIST notes.

One of the ways NASA is embracing zero trust is through the updated Trusted Internet Connections 3.0 policy from the Department of Homeland Security. The updated guidance has helped NASA protect data beaming down from its satellites. “The amount of data that we are bringing down from satellites is staggering now, and so we actually ran into … a problem,” Witt said during the webinar, according to FedScoop.

NASA worked with DHS to develop a model to bring data from satellites into a secure cloud to make it easier for researchers to access the data.

NASA is also using machine-learning technology to analyze its system log files to detect anomalous behavior. The space agency is also partnering with the Defense Department and the intelligence community on “red teaming” exercises to spot vulnerabilities in its network before malicious actors do, Witt said, according FedScoop. NASA has also shrunk its “significant” system footprint down to a third of where it was three years ago. “We’re probably still not where we need to be,” Witt said.

How Will Zero Trust Play Out in Government?

How much will agencies invest in technologies and the kind of IT security integrations that would enable them to move to a zero-trust model?

Laura Criste, a Bloomberg Government federal market analyst, tells Federal News Network that the federal government “has a lot of the technologies that would go into zero trust, like continuous diagnostics and mitigation.” She says that CDM technologies, which are still not fully implemented across the government, will be critical to getting to zero trust.

“So even though they have the technologies, they need to integrate them, they need to use them in a way that implements the zero trust framework,” she says. “And then they’ll probably still need some technology. I wouldn’t expect that they have every single piece that they need.”

Criste expects that agencies will “buy some more modern technologies and replace some of those legacy systems. And then they’ll need contractors that can help integrate those systems, and who are experts in those different types of technologies.”

CCicalese (WMF)/Wikimedia Commons