Agencies building zero-trust networks should start with a single, successful application and modularize successive components, according to public and private sector security experts.
Introduced in 2004, zero trust (ZT) is a cybersecurity framework rooted in the notion that the network is always hostile and every device, user and flow must be continuously authorized whether they’re local or not.
A recent American Council for Technology and Industry Advisory Council report found that no single vendor currently offers a holistic ZT solution. But agencies performing information technology modernization can make apps with security baked in and through repetition can “be well on their way” to having a zero-trust environment, Sean Frazier, advisory chief information security officer of federal at Duo Security, told FedScoop.
“The biggest challenge that government agencies have is they tend to try and boil the ocean, so they tend to look at zero trust and go, ‘I’m going to layer this over my entire agency,’” Frazier said. “That will never happen.”
As agencies do assessments they may find that they’re “a little zero-trusty anyway,” he added.
Many agencies already have strong identity management tied to an authenticator as part of compliance, said Steven Hernandez, CISO at the Department of Education, on Wednesday during an ACT-IAC panel that also included Frazier.
Using authenticators — such as physical security tokens or apps that generate temporary codes exclusive to the device — is already an emphasis of ZT. So the next step, Hernandez said, is to automate the process and tie authentication to behavioral analysis. The result is that the process is tied not to something that a person has, but to physical traits that are unique to them.
“This checks many boxes, not only in the [National Institute of Standards and Technology] space, but also what [the Office of Management and Budget] is asking us to do and a lot of the counterintelligence folks are asking us to do on the [Director of National Intelligence] side,” Hernandez said. “So zero trust can drive a lot of the compliance programs we already have, if we do it right.”
Endpoint management, continuous diagnostics and mitigation, software-defined networking, microsegmentation and cloud monitoring are other things agencies are already doing that can easily be leveraged as part of ZT rather than replaced, he added.
While Frazier argued agencies should get started on ZT now and identify additional data sets as they go, Hernandez advocated for a more measured approach.
“We have to understand our data; we have to understand how our users interact with that data and how important that data is to our mission,” Hernandez said. “If we can’t answer that fundamental question, then don’t even start down the zero-trust path because you’re going to spend a lot of money on a very expensive capability — that’s incredible and can do amazing things — but you’re probably going to [distributed denial of service] yourself before you actually deliver something that looks like zero trust.”
This is particularly challenging when vendors don’t want to give agencies data from their tools about risk to the enterprise, he added.
NIST has an opportunity to standardize ZT so that agencies and vendors have a shared language around implementation — particularly important because every agency’s ZT framework will involve multiple vendors, Frazier said.
In the meantime, agencies can still take the ZT plunge, said Jeffrey Flick, acting director of the Enterprise Network Program Office within the National Oceanic and Atmospheric Administration.
“From a federal perspective, you have to be willing try a pilot,” Flick said. “We’re not real good at that.”