The Practicalities of Deploying a Zero-Trust Architecture
There are many different technology elements of a zero-trust architecture, according to the order. Such an approach “embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment.”
Zero-trust is a “data-centric security model” that follows the “concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.”
What does that mean in practical terms for agency IT security teams? Schmidt, during the Tech Talk, said that it’s “critical to be able to identify and be certain of the users that are trying to connect to your data.”
Multifactor authentication, which the executive order requires agencies to adopt uniformly for data at rest and in transit by early November, can help in this regard, Schmidt said, as can single sign-on technology.
Another aspect of zero trust is user context, Schmidt noted, and having the IT security system look for anomalous behavior, such as whether someone is logging on in the middle of the night or from a different location, before granting them access.
In terms of protecting devices, Schmidt argued for the deployment of next-generation endpoint protection tools since “the endpoint really is the battlefield” in cybersecurity.
Another element of device security is a posture assessment. “You can check an endpoint and say, do you have the appropriate patches? Is your next-gen endpoint installed and actively running?” Schmidt said. “But it’s not just computers and tablets and things that are on the network; there are non-user-based machines — IP phones, video surveillance cameras, printers. Profiling can help you identify those dynamically and give them an appropriate level of access.”
What that boils down to is enterprise device management. “If you can control the policy on that endpoint, you’re going to have greater confidence,” Schmidt added.
For protecting applications and the data they hold, Schmidt noted that this must be done for on-premises apps and apps in the cloud. Malware typically enters IT environments via proxies, such as email and the web, he said. He argued in favor of both Domain Name System security solutions and cloud access security brokers to catch malware.
“What we’re really talking about is least privilege, trying to identify how much access users and assets require and then controlling to give them just that amount,” Schmidt said. “As they use that, we get into things like user behavior analytics, or user and endpoint behavior analytics. If you can set a baseline to identify what’s normal, then you can identify if they do something anomalous. Then, you can kind of figure out how the users are behaving and which ones are not behaving, and then take action on that.”
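To make the who, what, when, where and how of an access decision concrete, here is an added policy-decision example (not code from the article or from any agency or vendor) that combines the pieces Schmidt describes: MFA, endpoint posture (patch level, endpoint protection running), profiling of non-user devices, and a per-user behavioral baseline that turns off-hours or new-location sign-ins into step-up verification. The patch-level threshold, the baseline for "alice" and the decision tiers are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy data (assumptions, not from any agency or vendor): required
# patch level and a per-user baseline of usual sign-in hours (UTC) and countries.
REQUIRED_PATCH_LEVEL = 42
BASELINES = {"alice": {"hours": range(7, 20), "countries": {"US"}}}

@dataclass
class Request:
    user: str
    mfa_verified: bool
    device_type: str           # "managed", "iot" (phone, camera, printer) or "unknown"
    patch_level: int
    edr_running: bool          # next-gen endpoint protection installed and active
    country: str
    hour_utc: int
    resource_sensitivity: str  # "low" or "high"

def decide(req: Request) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons: list[str] = []
    # Who: identity must be proven with MFA before anything else is weighed.
    if not req.mfa_verified:
        return "deny", ["mfa_missing"]
    # How: profiled non-user devices get a restricted tier, never user-level access.
    if req.device_type == "iot":
        return (("allow", ["iot_restricted_tier"]) if req.resource_sensitivity == "low"
                else ("deny", ["iot_high_sensitivity"]))
    if req.device_type != "managed":
        return "deny", ["unmanaged_device"]
    # What: posture assessment of the managed endpoint.
    if req.patch_level < REQUIRED_PATCH_LEVEL:
        reasons.append("patch_outdated")
    if not req.edr_running:
        reasons.append("edr_not_running")
    # When/where: compare the request context against the user's baseline.
    base = BASELINES.get(req.user)
    if base is None:
        reasons.append("no_baseline")
    else:
        if req.hour_utc not in base["hours"]:
            reasons.append("off_hours")
        if req.country not in base["countries"]:
            reasons.append("new_location")
    # Least privilege: posture failures deny access to high-sensitivity data;
    # context anomalies alone trigger step-up verification, not a hard deny.
    if req.resource_sensitivity == "high" and ("patch_outdated" in reasons or "edr_not_running" in reasons):
        return "deny", reasons
    return ("step_up", reasons) if reasons else ("allow", reasons)
```

The returned reason list is what a security analyst would want logged alongside the decision, so that step-up and deny events feed the behavior analytics Schmidt describes rather than disappearing into a bare allow/deny counter.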
For network security, zero trust revolves around software-defined networking. “If you can make the network restructure itself based on the user’s identity and the data they need to get through, that’s great,” Schmidt said. “But that’s not always possible in most networks. So, you look at things like next-gen firewalls.”
However, because firewalls can’t be placed everywhere, telemetry and analytics are critical, Schmidt said. These tools allow IT security analysts to “watch the network and use the network as a sensor.”
“You can tell if somebody becomes compromised and then starts trying to get to their neighbors. That wouldn’t have crossed the firewall, but you’ll see that with that telemetry,” he said.