The Push to Zero Trust
On May 12, 2021, President Joe Biden passed an executive order (EO) on cybersecurity requiring federal agencies migrate from traditional, perimeter-based defenses to a zero trust architecture. The EO informed an important government response to the recent uprise of sophisticated and high-profile cyberattacks and the emergence of new, malicious threat tactics. The order was followed by OMB’s (Office of Management and Budget) Federal Strategy for moving the U.S. government towards a Zero Trust Architecture, and the more recent release of their 2021-2022 guidance for agencies, both of which have been designed to help organizations strategize to meet the key points necessary for zero trust that have been laid out by the EO.
What is Zero Trust?
In their Special Publication, 800-207, Zero Trust Architecture, NIST characterizes zero trust as an evolving collection of cybersecurity paradigms and concepts that allow security defenses to shift from functioning as static, network-based perimeters to functioning as perimeterless defenses that work to continuously authenticate and verify users, devices, and applications. The central principle to zero trust is to validate and authenticate everything—from component relationships to workflow planning, to access policies—and to make access control enforcement as granular as possible. Enforcing these principles reduce the attack surface and help prevent unauthorized access to data and services.
Two core zero trust mantras are “Assume breach” and “Never trust, always verify”. Put another way, all traffic entering a network, or even already inside a network, should be deemed untrustworthy unless it is verified.
The collection of cybersecurity concepts that together form the foundation of a zero trust architecture include:
- Enforcing continuous authentication to ensure that all devices, users, and identities who have access to a network are who they say they are.
- Eliminating persistent trust by ensuring that all privileged access and permissions are being continuously audited, and access is provisioned just-in-time, and revoked immediately upon completion of a task, change in context, or if a certain amount of time has expired.
- Implimenting least privilege to ensure that users, applications, and systems the minimum access they need. This will help ensure protect against malware execution, lateral movement attacks, and more.
- Enforcing segmentation and microsegmentation to isolate assets and resources and prevent lateral movement.
- Ensuring there is always visibility into who is doing what and why so any suspicious behavior can have permissions and access revoked immediately.
Together, these security paradigms control, prevent, or limit the impact threshold of any threat that does present itself to the network.
The Federal Government’s zero trust vision
OMB’s guidance for adhering to the federal government’s zero trust security goal places particular emphasis on how the federal government wants organizations to conduct data transactions and contextualize user activity and network access. It lays out five specific pillars across which organizations should make progress, and has set an achievement goal for the end of September, 2024.
The five pillars, or key progress areas, cited by the OMB include:
The following descriptions have been quoted directly from the OMB’s Zero Trust strategy:
- Identity: Agency staff use an enterprise-wide identity to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
- Devices: The Federal Government has a complete inventory of every device it operates and authorizes for Government use, and can detect and respond to incidents on those devices.
- Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin segmenting networks around their applications. The Federal Government identifies a workable path to encrypting email in transit.
- Applications: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous testing, and welcome external vulnerability reports.
- Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.
Why the urgent need to move to zero trust now?
The push to revamp agency cybersecurity processes came about in response to the evolving threatscape as well as due to the dramatic increase in the occurrence of high-profile cyberattacks, such as the SolarWinds and Colonial Pipeline breaches.
Today’s work-from-anywhere (on-prem, remote, or hybrid) workplace is sprawling beyond its former perimeters, with the number of devices, apps, cloud environments, and access points being driven to near-unmanageable levels. Today’s service edge is much further away from the network—it could include a cell phone that is being used on someone’s personal couch or a laptop that is being used in a hotel room in the Caribbean. Re-focusing security beyond the perimeter has become imperative.
For many organizations, controlling identity is a critical first step to constructing a zero trust architecture that meets the requirements of hybrid, cloud, and often multicloud network infrastructures.
How to achieve a secure zero trust environment
A secure zero trust environment is not a singular product or concept. As the new mandate points out, it requires a shift in how government agencies and commercial enterprises view and execute network security.
Rather than molding current cybersecurity defenses to a changing workplace, organizations need to take a step back and start by contextualizing their network activity. This will allow them to accurately understand how users behave on the network so they can plan the appropriate defenses. To acquire this level of comprehension, however, access needs to be rooted in a master concept of identity—which is why identity marks the first pillar of the federal government’s zero trust vision.
The new OMB requirements establish identity security as the foundation of zero trust. With the dissolution of the traditional network perimeter, identity has become the first and most critical line of defense to protecting data. Identity must stay top-of-mind for all organizations and must encapsulate all users and devices, if it is to be effective.
A ZTA requires organizations to fully understand the master identities of the users who are accessing the network. In today’s world, any one user identity can access data in multiple roles or locations, and a person can (and probably does) work from many different places. The network needs to carry that user’s master identity with them, but it also needs to be able to shed access permissioning for the data the identities no longer need.
Controlling Identity Starts with Privilege Access Management
Privileged Access Management (PAM) is a cornerstone of a zero trust architecture, and a key starting point for gaining a foothold on the identity pillar of OMB’s zero trust strategy. PAM encompasses the strategies and technologies that are used to control privileged access and permissions for users, accounts, processes, and systems across an IT environment. Privileged password management, endpoint privilege management, and secure remote access are three core solutions integrated within PAM platforms to enforce least privilege, manage and protect privileged identities, and to monitor and audit privileged access.
Least privilege and just in time (JIT) access are both called out specifically by NIST on its list of executive order-critical software. These PAM capabilities are noted for their ability to assist agencies with identifying software for the initial phase of zero trust implementation.
With the appropriate level of privileged access control, organizations can effectively shrink their attack surface, preventing, or at least mitigating, the impact of an external attack or insider threat (whether intentional or inadvertent).
Conclusion: Zero Trust Requires A Shift in Security Strategy
The most important things to remember when implementing a zero trust strategy are that:
- The traditional ways of protecting data networks are no longer adequate for today’s threat environment.
- No one vendor can provide a complete zero trust security architecture. Organization need to work with multiple interoperating solutions and vendors to meet zero trust mandates and provide comprehensive security.
- Security can no longer stop at the agency’s front door; it must extend to wherever the user accesses the network.
- Security planning must evolve for the future of zero trust This will entail learning more about user behavior patterns and implementing security based on anomalies with each identity.
BeyondTrust solutions help secure all cabinet-level Federal Civilian agencies and over 100+ Defense Department environments. We are trusted across all 4 branches of the DoD, including the 4th estate, with ATO’s both on the classified and unclassified side. Please contact us to discuss how we can assist in your agency’s zero trust journey, and download our expert dialogue for more insight into the government cybersecurity landscape from leading cybersecurity experts.
- Privileged Access Management is Essential to Zero Trust: A Candid Discussion with Government Cybersecurity Experts
- Security for Government Agencies
- Zero Trust Identity Security Datasheet
Josh Brodbent, RVP, Public Sector Solutions Engineering
Josh has more than 20 years in IT experience and has architected identity and privilege access management solutions for over 3 million user accounts. He joined BeyondTrust in 2018 as a Senior Solutions Engineer and was quickly selected to lead the team. Prior to BeyondTrust, he was a senior Solutions architect for Quest Software. He began his career by founding a managed service provider (MSP) at 12. He held multiple industry certifications by 14, making him the youngest in the nation to do so. That MSP went on to become successful, and ultimately his launching point into Public Sector architecture and support.