How NTSB Leans on Microsegmentation to Improve Its Security Posture

The National Transportation Safety Board began implementing microsegmentation tools in 2017.

“Like most modern networks, the NTSB network was segmented into smaller, compartmentalized sub-networks based on the sensitivity of the assets or services, which is a way to subdivide the network into smaller chunks,” CTO Victor Pham says. “Microsegmentation, by definition, segments our enterprise into even smaller components at the application level or the workload level.”

Microsegmentation can be designed to differentiate between endpoints, containers or other defined segments, and offers increased visibility across each, which can help administrators identify and detect threats and stop lateral movements through a network.

“It’s a granular approach that allows you to map out who was talking to whom, what and where. This is especially important for government organizations that don’t typically have a lot of visibility in their environments,” Rivera says.

Microsegmentation is increasingly essential in zero-trust environments, part of a 2021 executive order requiring all federal agencies to improve their cybersecurity postures. Zero trust deems all users, devices and workloads untrustworthy unless they are verified.

“Microsegmentation combined with user identity and endpoint security is the Holy Grail of zero trust,” Pham says. “With those three, you have a foundation and can layer any agency-specific risk management functions on top.”

Microsegmentation Evolves at NTSB

When the NTSB security team first explored the potential for microsegmentation, the agency had three regional offices and a headquarters in Washington, D.C., which were interconnected using multi-protocol label-switching to speed routing. Remote access to the enterprise resource was a tunnel through a VPN and Trusted Internet Connections, also in D.C. But this traditional remote access setup didn’t meet the agency’s computing needs in the cloud computing era.

“At the time, our federal mandate was that every agency had to use TIC,” Pham remembers. “As good as it was, it didn’t work well for cloud infrastructure, and our agency needed to be in the cloud.”

The old network also was vulnerable to insider threats.

“Our old setup was like a fortress, but the inside was like a marshmallow,” Pham says. “If you got in, you could access anything you wanted.”

Remote access to the NTSB resource was suboptimal: “Can you imagine an investigator in Alaska trying to log in to a VPN session in D.C. to get to a service at the HQ or in the cloud? It was just painful. We had to find something that met our business needs,” Pham says.

The NTSB tested Zscaler in a 2017 pilot, but the move was gradual. The agency first needed to create an infrastructure that would support the move to the cloud. It built three WAN nodes at its regional offices and linked them via a high-speed connection before layering on the Zscaler platform as a replacement for the previous VPN structure, and it has expanded its use of microsegmentation ever since.

In 2020, the NTSB migrated core applications and services to Microsoft Azure Government. In addition to the benefits of security in a managed FedRAMP cloud environment, the new infrastructure has greatly cut down on the time and bandwidth needed to collaborate on and complete investigations.

Regardless of how much the NTSB increases its cloud presence, microsegmentation is a major component of the agency’s zero-trust architecture.

“Traditional security measures protect north-south movement; it’s easy to monitor traffic going in and out of the system,” says Pham. “Preventing the lateral movement — the east-west movement — that is much more valuable.”

LEARN MORE: Evolving the zero-trust security model for business.

Enter Thunderdome, DOD’s Zero-Trust Architecture

At the Defense Information Systems Agency, the mission to support military and civilian defense leaders with IT tools and infrastructure to do their jobs effectively has been aided by microsegmentation. Where DISA at one time allowed broad access to everything on the agency’s network, zero trust has now stepped in.

“Historically, if you logged in to the network, you had access to everything, and that’s broad access we don’t want to allow anymore,” says Brian Hermann, program executive officer with the Cyber Security and Analytics Directorate at DISA.

The move to zero trust was mandated by both the White House and Department of Defense, which released its zero-trust strategy and roadmap in 2022 with the goal of achieving a complete zero-trust network architecture, known as Thunderdome, by 2027.

Microsegmentation is a valuable tool in those efforts.

“When users log on to their machines, they don’t have access to anything they shouldn’t,” says Hermann. “That means we have to define those things that are critical components.”

DISA works with partner agencies in a variety of ways, ranging from assisting them with creating and securing their networks to hosting and running their networks for them.

“The Defense Department provides the backbone — the Defense Information Network — and we provide the ‘connective tissue’ in terms of transport and security functions, which connect all of those enclaves and hosting environments,” he says. 

His team has tested several microsegmentation technologies within cloud environments hosted by Microsoft, Amazon, Google and Oracle.

“The tools are agnostic of your hosting environment; if you’re in any of those clouds, you can leverage the same solution to microsegment other applications,” Hermann says. “Our path forward is zero trust, and microsegmentation is part of what will help us achieve that.”

DISCOVER: How organizations can address emerging security challenges with zero trust.