Security

3 Steps to Take When Moving Away from Network-Centric Architecture

As they adopt zero-trust architectures, federal agencies should inspect encrypted traffic, shift traffic to encrypted Domain Name Systems and make applications internet accessible.

Danny Connelly

Danny Connelly is the CISO for Americas at Zscaler. He has 20 years of cybersecurity experience, split between offensive computing as an ethical hacker and defending some of our most important networks used in COVID-19 response. As a highly regarded thought leader and trusted cybersecurity adviser, he has provided guidance and formulated strategies to combat emerging threats for various agencies across the federal government.

Zero trust became official government policy with the Biden administration’s May 2021 executive order on cybersecurity. It requires every agency to “develop a plan to implement Zero Trust Architecture.” This year, agencies are working toward putting this vision into action, spurred by continued and growing cyberthreats to federal systems.

By now, every agency should have a zero-trust implementation lead and should have updated their zero-trust plans, incorporating the additional requirements identified in the Office of Management and Budget’s Memorandum 22-09, its final guidance on shifting to zero trust.

The memo reiterates the criticality and urgency of zero trust, saying, “Federal applications cannot rely on network perimeter protections to guard against unauthorized access.” It also outlines key objectives, such as:

Eliminate dependence on conventional perimeter-based defenses to protect critical systems and data.
Provide secure access over the public internet without relying on a virtual private network.
Encrypt Domain Name System (DNS) and HTTP traffic using TLS 1.3 for all internal and external connections, including APIs.
De-emphasize network-level authentication by users and eventually remove it entirely.

But moving to zero trust has many different components; it is a process, not a one-and-done activity. It requires changes in policies and mindsets as well as technology. Following roadmaps such as the Cybersecurity and Infrastructure Agency’s Zero Trust Maturity Model provides a start to modernizing cybersecurity capabilities. Additionally, the memo mentions technical changes that agencies can use to evolve their organizational mindsets and protect assets. Below are three of these practical steps that agencies should take in the shift away from network-centric architecture.

Click the banner to get access to customized content on cybersecurity by becoming an Insider.

1. Inspect Encrypted Traffic While De-emphasizing Full Packet Capture

Agencies can be reluctant to move to modern, cloud-delivered security platforms because they cannot retain the full packet capture of the decrypted traffic. However, full PCAP is no longer as essential as it once was.

Agency employees can instead use metadata harvested from traffic flows to identify compromised hosts and then shift to endpoint capabilities — such as endpoint detection and response and forensic platforms — for further investigation.

PCAP systems that capture all user traffic are costly, inefficient and often depend on legacy network-centric security feeds that are hosted in the data center or at the network edge. Because full PCAP of all user traffic requires this backhauling, it also creates the user experience issue that agencies want to solve, an issue that the Trusted Internet Connections 3.0 initiative addresses.

The OMB’s zero-trust memo states, “Network traffic that is not decrypted can and should still be analyzed using visible or logged metadata, machine learning techniques, and other heuristics for detecting anomalous activity.”

Analyzing metadata about traffic flows is sufficient for agency incident response purposes and supports the administration’s zero-trust strategy. It also removes a commonly cited barrier to zero trust, since agencies do not need to route traffic back to centralized security stacks for decryption and storage.

2. Shift Agency Traffic to Encrypted DNS

Domain Name Systems are often abused and leveraged by advanced adversaries who increasingly possess sophisticated malware that threatens agencies’ legacy networks. Using DNS security is a win-win. It provides agencies like CISA with the ability to identify and prevent known domains derived from the unclassified and classified sources used by attackers.

If all agencies were using protective DNS, it would enhance CISA’s ability to respond to attacks that target multiple agencies and prevent further damage. Shifting to encrypted DNS protocols and configured endpoints that only use authorized agency DNS resolvers can prevent DNS spoofing and man-in-the-middle attacks in addition to stopping advanced DNS tunneling, malware and exfiltration attempts.

The Biden administration supports this approach. As the OMB memo notes, agencies should explicitly set up their endpoints to “use agency-designated encrypted DNS servers, rather than relying on automatic network discover.” It also notes that to support secure agency DNS traffic, “CISA’s protective DNS offering will support encrypted DNS communication and will scale to accommodate use from agency cloud infrastructure and mobile endpoints.”

3. Make Agency Applications Internet Accessible

When security technology sits at the perimeter of an agency’s network, it requires backhauling all traffic through the data center and VPN before accessing applications. This also creates a false dichotomy in which traffic from outside the perimeter is considered “untrusted,” while inside traffic is “trusted.”

CISA’s zero-trust strategy inherently does not trust any device, user or network location. It assesses each identity and device before granting access to an application. This reduces the attack surface since applications remain invisible to outsiders and accessible only to authorized users.

Federal agencies are encouraged to establish such safe internet connections. The OMB memo notes that making “applications internet-accessible in a safe manner, without relying on a virtual private network (VPN) or other network tunnel, is a major shift for many agencies.”

These are just a few of the steps agencies can take to move away from legacy thinking and shift toward cloud-based zero-trust solutions focused on connecting users to applications. Fortunately, the White House, OMB and CISA understand the challenges and are providing critical resources so agencies can finally make zero trust a reality. Our nation’s cybersecurity depends on it.

EXPLORE: Create a zero-trust environment among users as well as on your network.

Quardia/Getty Images