“Trust, but verify,” says the old Russian proverb made famous by Ronald Reagan. When it comes to cybersecurity in the modern era — one marked by nation-state actors peppering U.S. networks with attacks — the federal government is relying only on verification.
The resulting zero-trust architecture means exactly that: Nothing is trusted inside or outside the network. Entry requires strict access controls, user authentication and continuous monitoring of networks and systems, among many elements. Users and devices that request access to resources are continually authenticated.
FedTech spoke with agency leaders and security experts — Gerald Caron, director of enterprise network management at the State Department; Chase Cunningham, vice president and principal analyst at Forrester Research; Michael Howell, senior director for government initiatives at the American Council for Technology and Industry Advisory Council; and Scott Rose, a computer scientist at the National Institute of Standards and Technology and co-author of the Zero Trust Architecture (NIST Special Publication 800-207) — about the benefits zero trust brings, the technologies involved and the progress made so far.
FEDTECH: How does zero-trust architecture improve upon current cybersecurity measures?
Howell: It’s a fundamental change in concept and approach. Historically, most federal agencies have used the castle-moat approach, perimeter-based cybersecurity. You have firewalls protecting what is inside the firewall from all the bad actors outside. That no longer works. The reasons are cloud and mobile computing. There is essentially no perimeter anymore. The perimeter is the world.
Secondly, historically, if I allow you into my network or if you break into my network without approval, you have access to everything. What zero trust brings is a lot more interior segmentation. It’s finer grain control about where people can go, what machines they can get to, what data they can access and what they are allowed to do with it. If someone gets into your castle, they can only go into one room. They can’t roam the whole castle. It’s changing the default from “allow all” to “allow none.” Zero trust requires a proactive authorization to access and to do anything inside the systems.
Caron: Zero trust puts the focus on what you really are protecting, which is the data. Right now, we do this peanut butter spread approach, where we try to protect everything equally. That’s very compliance-focused and resource-intensive, but compliance doesn’t equal effectiveness. With zero trust, protecting the crown jewels is the most important thing. You are going to put the protections closer to the data and constantly assess risk.
FEDTECH: How is it different from standard endpoint security measures?
Cunningham: Legacy anti-virus has not proved effective. Therefore, zero trust approaches it from a different side, using application whitelisting and ring-fencing, among other things. There is a different way to prevent an endpoint from causing an infection at scale. We take the position that you are going to have an infection at an endpoint sooner or later. What we don’t want is for that endpoint infection to infect an entire network. Zero trust is focused on that very issue.
Howell: Endpoint security is still important. Patching, configuring, monitoring — all those things are still essential to a robust security program. Zero trust does not replace that. It builds on those foundations.
Rose: Zero trust takes endpoint security into account, but also adds the subject performing the action — the user or application — and the current operating environment, such as the network and geographic location, time and previous access patterns. All of these factors are used when evaluating access requests to an enterprise resource.
FEDTECH: What technology is needed to implement this architecture?
Rose: It depends on workflows, goals and architecture of the enterprise. In broad strokes, an organization needs tools to provide identity governance, asset management and security, and security monitoring.
Statistic callout: the percentage of North American organizations implementing zero-trust projects. Source: Okta, “The State of Zero Trust Security in Global Organizations,” September 2020.
Cunningham: It takes a lot of technology to get to zero trust. We remind folks that this is a long journey. There’s no easy button. It could be anything from software-defined networking, software-defined perimeter, identity access management and endpoint security. It’s a whole suite of solutions needed to do zero trust at scale.
Caron: A number of solutions — like network access control, database management and protection, and enclaving, such as using VLANs to segment the network off — can contribute to zero trust. Log collection and monitoring are also important because you have to dynamically assess what’s going on and have the ability to trigger action when needed. It’s an integration effort. Some of the tools people already have may be leveraged.
Howell: Essential to the zero-trust concept is something called the trust engine. It’s an algorithmic approach that says of all the factors I’ve got, I can calculate a score — the cumulative risk of something that I don’t want to happen in my environment. For any transaction, if your score falls below the threshold you’ve set as an acceptable risk, that transaction is blocked.
There are a lot of technical solutions. The pieces are out there. The market is evolving. There are a lot of mergers, acquisitions and partnering going on where they are connecting and integrating these different component parts into a coherent, holistic solution.
FEDTECH: What challenges does an agency face in implementing zero trust?
Caron: The big thing for government is culture change. The peanut butter spread approach is toward compliance with FISMA, FITARA and how we do our Authorities to Operate, whereas the zero-trust approach is trying to be effective at protecting the things that are most important.
Cunningham: Usually, the most significant challenge they face is definitive leadership that says, “This is where we are going. I have a plan and understand how to leverage technology to get toward that, and we will start marching forward.” It could be the head of the agency, but it typically starts around the CIO/CISO level.
Statistic callout: the percentage of federal agencies that say a zero-trust architecture is important. Source: FedScoop and Duo Security, “Survey Without Perimeters: Government’s Shift to Identity-Centered Access,” November 2019.
Rose: Agencies need to have a deep understanding of their workflows and mission. Being able to identify and manage the users, devices and resources used by the enterprise is the foundational work needed for a zero-trust architecture.
FEDTECH: What type of agency is best suited to use this method?
Rose: Any agency can migrate to a zero-trust architecture. The core principles are infrastructure agnostic and can apply to on-premises as well as cloud or remote resources.
Howell: Some of the smaller agencies that have less complex environments have been able to move out a little faster just because they can be more agile. The flip side of that, though, is smaller agencies typically don’t have the resources to cover the span of work needed to implement zero trust.
FEDTECH: What still needs to be developed or understood for this to become more common?
Rose: Zero trust differs from previous cybersecurity principles in that the focus is on the workflow and not the individual systems that make up the workflow. Security policy should be created with input from the IT security team, workflow owners and resource owners.
In the past, security policies were created in a vacuum by picking a system and generating what was thought to be good security. Like calling out a database, then writing policy on how to secure that database. In the past few years, with zero trust, enterprises have been urged to consider what the database is used for, and were expected to tailor security policy around how the database is used. An employee database should be considered more sensitive than a database that tracks temperatures in a building. The former should probably be restricted to certain HR employees, while the other might only be used by building maintenance people.
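The "trust engine" Howell describes, the contextual factors Rose lists (subject, device, location, time, prior access patterns) and the per-resource policy tailoring Rose illustrates with the HR versus building-temperature databases can be put together in one small policy decision point. The following is an added example written for this article, not code from FedTech, NIST or any of the interviewees. Every name in it (the RESOURCES catalogue, AccessRequest, risk_score, decide), the point weights, the thresholds and the sample requests are constructed for illustration. Howell speaks of a score "falling below" a threshold; here the score is modelled as cumulative risk, so a request is blocked when its risk exceeds the resource's threshold, and the default for anything not explicitly authorised is deny.

```python
"""Toy zero-trust policy decision point (added example, not from the article).

Each access request is scored across several context factors; the resource's
sensitivity decides how much risk is tolerated; the default answer is deny.
All names, weights and sample data are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed resource catalogue. More sensitive data gets a narrower set of
# authorised roles and a lower risk threshold (Rose's HR vs. temperature example).
RESOURCES = {
    "hr-employee-db":   {"allowed_roles": {"hr"},         "max_risk": 20},
    "building-temp-db": {"allowed_roles": {"facilities"}, "max_risk": 60},
}


@dataclass(frozen=True)
class AccessRequest:
    """One transaction, evaluated on every request rather than once at login."""
    user: str
    role: str
    resource: str
    device_managed: bool      # enrolled in device management?
    device_patched: bool      # current on patches?
    mfa_verified: bool        # strong authentication completed for this session?
    country: str              # where the request originates
    hour_utc: int             # when the request originates
    usual_countries: frozenset  # baseline from previous access patterns
    usual_hours: range          # baseline working hours for this user


def risk_score(req: AccessRequest) -> int:
    """Cumulative risk: 0 is fully trusted; each adverse signal adds points (constructed weights)."""
    score = 0
    if not req.mfa_verified:
        score += 30
    if not req.device_managed:
        score += 25
    if not req.device_patched:
        score += 15
    if req.country not in req.usual_countries:
        score += 20
    if req.hour_utc not in req.usual_hours:
        score += 10
    return score


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Default deny: allow only if the role is authorised AND risk is within the resource's threshold."""
    policy = RESOURCES.get(req.resource)
    if policy is None:
        return False, f"unknown resource {req.resource!r}: default deny"
    if req.role not in policy["allowed_roles"]:
        return False, f"role {req.role!r} not authorised for {req.resource}"
    score = risk_score(req)
    if score > policy["max_risk"]:
        return False, f"risk {score} exceeds threshold {policy['max_risk']} for {req.resource}"
    return True, f"allowed (risk {score} <= threshold {policy['max_risk']})"


# Constructed sample requests.
OFFICE = dict(country="US", hour_utc=14,
              usual_countries=frozenset({"US"}), usual_hours=range(8, 18))

HR_FROM_OFFICE = AccessRequest("alice", "hr", "hr-employee-db",
                               device_managed=True, device_patched=True, mfa_verified=True, **OFFICE)
# Same HR user, unmanaged device, unusual country: risk 25 + 20 = 45 > 20 -> denied.
HR_TRAVELING_BYOD = AccessRequest("alice", "hr", "hr-employee-db",
                                  device_managed=False, device_patched=True, mfa_verified=True,
                                  country="FR", hour_utc=14,
                                  usual_countries=frozenset({"US"}), usual_hours=range(8, 18))
# Facilities staff, unpatched device, off hours: risk 15 + 10 = 25 <= 60 -> allowed to the low-sensitivity DB.
FACILITIES_OFF_HOURS = AccessRequest("bob", "facilities", "building-temp-db",
                                     device_managed=True, device_patched=False, mfa_verified=True,
                                     country="US", hour_utc=22,
                                     usual_countries=frozenset({"US"}), usual_hours=range(8, 18))
# Facilities staff asking for the HR database: wrong role -> denied before scoring.
FACILITIES_TO_HR = AccessRequest("bob", "facilities", "hr-employee-db",
                                 device_managed=True, device_patched=True, mfa_verified=True, **OFFICE)
# A resource nobody wrote policy for: denied by default.
UNKNOWN_RESOURCE = AccessRequest("alice", "hr", "payroll-export",
                                 device_managed=True, device_patched=True, mfa_verified=True, **OFFICE)

if __name__ == "__main__":
    for name, req in [("HR_FROM_OFFICE", HR_FROM_OFFICE), ("HR_TRAVELING_BYOD", HR_TRAVELING_BYOD),
                      ("FACILITIES_OFF_HOURS", FACILITIES_OFF_HOURS), ("FACILITIES_TO_HR", FACILITIES_TO_HR),
                      ("UNKNOWN_RESOURCE", UNKNOWN_RESOURCE)]:
        allowed, reason = decide(req)
        print(f"{name:22} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The point of the split between risk_score and decide is that the same user on the same device can be allowed one transaction and denied the next as context changes, which is what continuous evaluation means in practice; the resource catalogue is where the workflow and resource owners Rose mentions express how sensitive their data is, rather than the security team guessing at it.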
FEDTECH: Does zero trust make any current cybersecurity measures unnecessary?
Howell: No. It’s a valuable and effective addition to all the cyber things you have now. You don’t stop good cyber hygiene, good patching and good monitoring. You add it on top. It’s an addition.
Cunningham: For organizations that have gone the furthest down the road, you come to a point where things that don’t yield a benefit kind of age out. Not everything is of value, so if it’s not valuable, get rid of it and focus on what is. For example, if you focus on software-defined perimeter security, it eliminates the need for VPNs. The use of biometrics for single sign-on and multifactor authentication can eliminate issues around passwords.
FEDTECH: How much of the talk around zero trust is aspirational and how much work is actually being done to implement it?
Rose: We have heard of several agencies that are planning to deploy changes to their existing architecture that are in line with zero trust principles. Some are pilot programs or looking at how they can manage remote workers and mobile devices in a more zero trust–oriented architecture.
Cunningham: Everyone I talk to is working to implement it in some manner. It’s going to take time. I’ve seen some organizations pivot quickly and do this in a couple of years. There are some organizations I work with at a high level that say this is a 10-year journey for them.
Caron: Some of what I want to accomplish might be aspirational. Doing that dynamic real-time risk assessment will be challenging. But there are a lot of things that can be accomplished. I look at it as a multiyear program. It depends what you have in place today because you may be able to leverage a lot of existing technology, so some agencies are going to be quicker than others. It depends on risk tolerance, how big your data stores are and how much is high-value data versus low-value data.
FEDTECH: What are your plans for zero trust?
Caron: We are talking about zero trust, but it’s not a formal program yet at the State Department. There is a lot of evangelizing. I am looking at working with a partner that’s doing system modernization. We are talking about doing a proof of concept.
On an enterprise level, we have projects on identity management, privileged account management and network access control. There are definitely some good things going on already that contribute to an overall zero-trust strategy. An agency our size has a lot of different people doing different things. At the end of the day, we have to make sure the bridge meets in the middle.