Jun 21 2021

What Elements Are Needed to Make Zero Trust a Reality?

Agencies should focus on protecting users, devices, applications and networks.

For the federal government, moving to a zero-trust architecture for cybersecurity is no longer an option — it’s a mandate.

President Joe Biden’s May 12 executive order on cybersecurity requires that by mid-July, agency heads develop a plan to implement a zero-trust architecture, incorporating, as appropriate, the migration steps that the National Institute of Standards and Technology has laid out. Agency heads need to describe the steps already completed to move to zero trust, identify activities that will have the most immediate security impact and include a schedule to implement them.

But how can agencies practically deploy zero trust? And what are the necessary elements?

In a recent CDW Tech Talk, Allen Schmidt, a security solution architect at CDW, noted that zero trust “is basically the concept of treating everything on the inside of the network as just as untrusted as everything on the outside of the network.” However, agencies and other organizations can’t distrust everything, otherwise productivity would grind to a halt.

“The idea is to gain confidence in your environment,” he said. “If you can gain confidence in four basic areas — users, devices, applications and networks — then you’re really kind of approaching things in a zero-trust way, or you’re building the controls that will help you to do that.”

Defining Zero-Trust Security

The executive order says that agencies’ continued migration to cloud technology should adopt a zero-trust architecture, “as practicable.” It also says that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency “shall modernize its current cybersecurity programs, services and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture.”

The order goes to great lengths to spell out what exactly the administration means by zero trust. It acknowledges, as is widely understood in industry, that zero trust is not a single security technology, but instead “a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

A zero-trust architecture at an agency “eliminates implicit trust in any one element, node or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”

“In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs,” the order continues. “If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.”

The Practicalities of Deploying a Zero-Trust Architecture

There are many different technology elements of a zero-trust architecture, according to the order. Such an approach “embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment.”

Zero trust is a “data-centric security model” that follows the “concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.”

What does that mean in practical terms for agency IT security teams? Schmidt, during the Tech Talk, said that it’s “critical to be able to identify and be certain of the users that are trying to connect to your data.”

Multifactor authentication, which the executive order requires agencies to adopt uniformly for data at rest and in transit by early November, can help in this regard, Schmidt said, as can single sign-on technology.

Another aspect of zero trust is user context, Schmidt noted, and having the IT security system look for anomalous behavior, such as whether someone is logging on in the middle of the night or from a different location, before granting them access.

In terms of protecting devices, Schmidt argued for the deployment of next-generation endpoint protection tools since “the endpoint really is the battlefield” in cybersecurity.

Another element of device security is a posture assessment. “You can check an endpoint and say, do you have the appropriate patches? Is your next-gen endpoint installed and actively running?” Schmidt said. “But it’s not just computers and tablets and things that are on the network; there are non-user-based machines — IP phones, video surveillance cameras, printers. Profiling can help you identify those dynamically and give them an appropriate level of access.”

What that boils down to is enterprise device management. “If you can control the policy on that endpoint, you’re going to have greater confidence,” Schmidt added.
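The user-context checks and the device posture assessment described above, combined into one access decision, as an added example (not code from CDW or from any product the article mentions; the field names and thresholds are assumptions chosen for illustration):

```python
from dataclasses import dataclass

# Constructed request record; field names are assumptions for this example,
# not any real identity or device-management product's schema.
@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool          # users: identity proven with a second factor
    device_managed: bool      # devices: enrolled in enterprise management
    patch_age_days: int       # devices: days since the last OS patch
    edr_running: bool         # devices: next-gen endpoint agent active
    login_hour: int           # context: local hour of the request, 0-23
    country: str              # context: where the request comes from
    usual_country: str        # context: where this user normally works
    resource_sensitivity: str # "low" or "high"

def evaluate(req: AccessRequest) -> str:
    """Return 'allow', 'step-up' (re-authenticate / extra factor) or 'deny'.
    Every request is re-evaluated; nothing is trusted for being 'inside'."""
    # Users: never grant access on a password alone.
    if not req.mfa_passed:
        return "deny"
    # Devices: an unmanaged endpoint or one without its agent gets no access.
    if not req.device_managed or not req.edr_running:
        return "deny"
    # Devices: stale patches lower confidence; sensitive data needs more.
    if req.patch_age_days > 30:
        return "step-up" if req.resource_sensitivity == "low" else "deny"
    # Context: off-hours or an unusual location triggers re-verification.
    off_hours = req.login_hour < 6 or req.login_hour >= 22
    unusual_location = req.country != req.usual_country
    if off_hours or unusual_location:
        return "step-up"
    return "allow"
```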

For protecting applications and the data they hold, Schmidt noted that this must be done for on-premises apps and apps in the cloud. Malware typically enters IT environments via proxies, such as email and the web, he said. He argued in favor of both Domain Name System security solutions and cloud access security brokers to catch malware.

“What we’re really talking about is least privilege, trying to identify how much access users and assets require and then controlling to give them just that amount,” Schmidt said. “As they use that, we get into things like user behavior analytics, or user and endpoint behavior analytics. If you can set a baseline to identify what’s normal, then you can identify if they do something anomalous. Then, you can kind of figure out how the users are behaving and which ones are not behaving, and then take action on that.”

For network security, zero trust revolves around software-defined networking. “If you can make the network restructure itself based on the user’s identity and the data they need to get through, that’s great,” Schmidt said. “But that’s not always possible in most networks. So, you look at things like next-gen firewalls.”

However, because firewalls can’t be placed everywhere, telemetry and analytics are critical, Schmidt said. These tools allow IT security analysts to “watch the network and use the network as a sensor.”

“You can tell if somebody becomes compromised and then starts trying to get to their neighbors. That wouldn’t have crossed the firewall, but you’ll see that with that telemetry,” he said.
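The baseline-then-anomaly idea from the behavior analytics quote and the “network as a sensor” point above, worked through on flow telemetry, as an added example (not code from CDW or the article): a per-host baseline of known destinations is built from earlier flows, and a host that suddenly reaches several never-seen neighbours in its own subnet is flagged. The flow records and addresses are constructed samples, and the /24 subnet assumption is mine.

```python
from collections import defaultdict

# Constructed (src, dst, dst_port) records standing in for NetFlow/IPFIX
# exported by switches; addresses are made-up RFC 1918 samples.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.5.20", 445), ("10.1.1.10", "10.1.5.21", 443),
    ("10.1.1.11", "10.1.5.20", 445), ("10.1.1.11", "10.1.5.22", 3389),
    ("10.1.1.12", "10.1.5.21", 443),
]
TODAY_FLOWS = [
    ("10.1.1.10", "10.1.5.20", 445), ("10.1.1.10", "10.1.5.21", 443),
    # host .11 fans out to neighbours on SMB/RDP it never touched before
    ("10.1.1.11", "10.1.1.10", 445), ("10.1.1.11", "10.1.1.12", 445),
    ("10.1.1.11", "10.1.1.13", 445), ("10.1.1.11", "10.1.1.14", 3389),
    ("10.1.1.11", "10.1.1.15", 445), ("10.1.1.11", "10.1.5.20", 445),
    ("10.1.1.12", "10.1.5.21", 443),
]

def peers_by_host(flows):
    """Map each source host to the set of (dst, port) pairs it talked to."""
    peers = defaultdict(set)
    for src, dst, port in flows:
        peers[src].add((dst, port))
    return peers

def same_subnet(a, b):
    """Assumes /24 segments: compare the first three octets of two addresses."""
    return a.split(".")[:3] == b.split(".")[:3]

def find_lateral_movement(baseline, current, max_new_peers=2):
    """Return {host: [new same-subnet (dst, port) pairs]} for hosts whose
    never-before-seen local destinations exceed max_new_peers. Such
    east-west flows never cross a perimeter firewall, so the switch
    telemetry is where they become visible."""
    base = peers_by_host(baseline)
    alerts = {}
    for src, pairs in peers_by_host(current).items():
        new_local = {(d, p) for d, p in pairs - base[src] if same_subnet(src, d)}
        if len(new_local) > max_new_peers:
            alerts[src] = sorted(new_local)
    return alerts
```

Tuning the baseline window and `max_new_peers` per subnet keeps legitimate management hosts (patch servers, scanners) from tripping the rule; those belong in the baseline, not the exception list.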
