NASA Sees Multiple Avenues to Enhance Security
There are several ways that NASA is shifting toward a zero-trust model beyond simply automating some aspects of its cybersecurity response.
As the National Institute of Standards and Technology notes in its zero-trust architecture guidance, which was finalized in August, zero trust is not one set of technologies. It is rather an “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”
A zero-trust architecture uses zero-trust principles to plan enterprise infrastructure and workflows, according to NIST. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet),” NIST notes.
One of the ways NASA is embracing zero trust is through the updated Trusted Internet Connections 3.0 policy from the Department of Homeland Security. The updated guidance has helped NASA protect data beaming down from its satellites. “The amount of data that we are bringing down from satellites is staggering now, and so we actually ran into … a problem,” Witt said during the webinar, according to FedScoop.
NASA worked with DHS to develop a model to bring data from satellites into a secure cloud to make it easier for researchers to access the data.
NASA is also using machine-learning technology to analyze its system log files to detect anomalous behavior. The space agency is also partnering with the Defense Department and the intelligence community on “red teaming” exercises to spot vulnerabilities in its network before malicious actors do, Witt said, according FedScoop. NASA has also shrunk its “significant” system footprint down to a third of where it was three years ago. “We’re probably still not where we need to be,” Witt said.
READ MORE: Find out how to enhance mobile endpoint security as users telework.
How Will Zero Trust Play Out in Government?
How much will agencies invest in technologies and the kind of IT security integrations that would enable them to move to a zero-trust model?
Laura Criste, a Bloomberg Government federal market analyst, tells Federal News Network that the federal government “has a lot of the technologies that would go into zero trust, like continuous diagnostics and mitigation.” She says that CDM technologies, which are still not fully implemented across the government, will be critical to getting to zero trust.
“So even though they have the technologies, they need to integrate them, they need to use them in a way that implements the zero trust framework,” she says. “And then they’ll probably still need some technology. I wouldn’t expect that they have every single piece that they need.”
Criste expects that agencies will “buy some more modern technologies and replace some of those legacy systems. And then they’ll need contractors that can help integrate those systems, and who are experts in those different types of technologies.”