Zero trust moves from vision to reality

It wasn’t that long ago that zero trust was an aspirational goal for federal agencies. While the benefits seemed obvious, actual implementation was difficult to imagine. Now, zero trust efforts are starting to  power up. The Defense Information Systems Agency has issued the first version of its zero-trust reference architecture, and Federal Chief Information Security Officer Chris DeRusha has said the White House will push all federal agencies toward a "zero trust paradigm."

A group of IT leaders recently gathered to explore why this long-discussed concept is finally getting traction and the challenges still remaining. The discussion was on the record but not for individual attribution (see sidebar for the list of participants), and the quotes have been edited for length and clarity.

Here's what the group had to say.

Government's interest in zero trust originally focused on computer networking. Yet when the federal CIO Council asked ACT-IAC to explore the applicability of zero trust security in 2018, "it became apparent almost at light speed that it's bigger than the network," one official recalled. "We're talking about zero trust architectures, not just zero trust networking. Networking is a very critical subset of the discussion, but it's really about that architecture."

To illustrate that broader scope, consider the variables that can feed into a dynamic risk assessment, another official said. "I used a PIV card versus a username and password. There's a different risk to those things. Did I come in on a mobile device? Is it a managed mobile device? Am I coming from a known network?" The data being accessed can also be an important indicator and so can the individual user's overall performance or job status. "It's got to be ongoing authentication. You've got to keep checking."

One official pointed out that there are four main elements of a zero trust architecture. "The first, of course, is ICAM and identity. Next, we need to talk about data," which includes the data to be protected and the data needed to assess risk and determine trust. Third is "the control fabric or the control plane, and that's really all these technologies that we've been talking about."

Finally, the official said, "we get to the fourth piece, which ACT-IAC calls the trust engine. NIST calls it the policy engine. And it's really about where we are using tools and technologies like machine learning, artificial intelligence and even just robotic process automation" to make sense of all the data and grant or restrict access based on dynamic risk assessments.

"Zero trust is a model, and the model changes over time," another said. "SolarWinds is a good reality check. Here's a product a lot of people are using. They trusted it on their network. They didn't think it would be exploited. It was just a given, like we trust our inside employees."

Ideally, zero trust should extend throughout the supply chain, that official added, but even a limited implementation would have helped minimize the impact of the SolarWinds breach by detecting "the lateral movement and the escalation of privilege."

Whether the threat is ransomware, persistent nation-state attacks or "anything that's self-propagating," another participant said, zero trust is "incredibly effective in reducing the impact of all those types of attacks. So that makes it really, really key."

Data, data and more data

Such a holistic monitoring and automated risk management effort requires a tremendous amount of data, the group agreed.

"There are datasets that you're going to want to bring in that haven't traditionally been there," one official said. Physical access logs and data that usually lives with human resources are important. "Are we tied into the travel system? Are we tied into the performance system? Are we tied into onboarding and off-boarding? When we start to paint a picture about the risk and when understanding risk is quantified, we have to start thinking about these data sources" that don't normally feed into a security information and event management system.

"For example, someone gets a bad performance review, and then all of a sudden we start to see a lot of data traffic and a lot of file [input/output]," that official said. "Those two things together are pretty suspect. And so when we think about the zero trust architecture, we have to start broadening that concept."

"In many cases, this is new for organizations," another participant said. "There's heavy bifurcation and firewalling between those areas. To move zero trust forward into its truly optimized form, we have to be working with our chief data officers to understand what data we have in the environment that might be useful for us." Chief privacy officers are also essential to the effort, the official added.

Even with the data feeds more traditionally used for security, the old ways of operating need to be revisited. Security teams can no longer own all the tools, one official said. "For most of us, when we deploy security, by golly, that means pizza boxes in the data center. We have to take a step back and be willing to say, 'What I really need is the data. And I need it in this format and in this frequency in this place. And if you can get me that, do what you want, but I need the visibility so I can understand risk.'"

The governmentwide commitment to zero trust is real, the group agreed. It comes up in virtually every discussion by the CIO and CISO councils, participants said, and there was optimism that the recent infusion of money into the Technology Modernization Fund could be a catalyst. "Something that really drives hard has to be backed with the right resources," one executive said. "There's a big hope that the CISOs, the security folks and the CIOs are going to step up and say, 'We want to make some big shifts in cybersecurity.'"

"We've got the people who are the early adopters moving forward," another observed. The real question is: "How are we gaining the momentum for the masses?"

A longer version of this article was first posted to FCW, a sibling site to GCN.