It’s clear from the recent spate of cyberattacks on government networks, be it the SolarWinds incident or the Russian intelligence breach of the Treasury and Commerce Departments, that our adversaries are finding new ways to infiltrate government systems. Once considered impenetrable, the U.S. now lags behind in cyberwarfare.

As Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, recently explained to lawmakers on the Homeland Security and Government Affairs Committee, “Our adversaries have advanced, they are no longer using the same infrastructure to target us repeatedly.” It is imperative that we adapt our security practices.

One of the approaches under discussion is zero trust.

Zero trust is based on the assumption that everyone, inside or outside the network, could be a threat. It is the strategy of skeptics, which, in the field of security, pays significant dividends.

In the current climate though, zero trust has become a bit of a buzzword. It’s important to examine how the term is being deployed and what the connotations are. While the National Institute of Standards and Technology and the National Cybersecurity Center of Excellence provide specific definitions of what’s considered zero trust architecture, the basic idea calls for a single authenticated source of user identity combined with additional context, like policy compliance.

Practically speaking, zero trust involves adopting very granular, rigid user identification policies, strict authentication, role-based access, time and/or location access, and a host of other conditions that define when, where and how employees can access systems and digital assets. Data and resources are segmented down to the personal level. There is a new level of control so that any threat, even an internal one, can be contained.
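The conditions listed above (authenticated identity, role, time, location, device compliance) combine into a deny-by-default decision. The following added example, which is not from the article or from any agency's or vendor's product, shows such a decision function; the resource name, roles and hours are constructed placeholders.

```python
"""Deny-by-default access decision in the zero-trust style described above:
an authenticated identity is necessary but never sufficient; the request must
also satisfy the role, time, location and device conditions on the resource."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool      # the single identity source vouched for the user
    mfa: bool                # a second factor was presented
    roles: frozenset         # roles asserted by the identity source
    device_compliant: bool   # endpoint passes hygiene policy (patched, managed)
    country: str             # where the session originates
    local_hour: int          # 0-23, local time of the request
    resource: str


@dataclass(frozen=True)
class Policy:
    allowed_roles: frozenset
    allowed_countries: frozenset
    hours: tuple             # inclusive (start, end) hours when access is allowed
    require_mfa: bool = True


# Hypothetical policy for the one resource class the article singles out.
POLICIES = {
    "classified-docs": Policy(frozenset({"analyst"}), frozenset({"US"}), (8, 18)),
}


def decide(req, policies=POLICIES):
    """Return (allowed, reasons); every failed condition is kept for audit logging."""
    pol = policies.get(req.resource)
    if pol is None:                      # unknown resource: nothing is implicitly open
        return False, ["no policy for resource: default deny"]
    reasons = []
    if not req.authenticated:
        reasons.append("identity not authenticated")
    if pol.require_mfa and not req.mfa:
        reasons.append("mfa required")
    if not (req.roles & pol.allowed_roles):
        reasons.append("role not permitted")
    if req.country not in pol.allowed_countries:
        reasons.append("location not permitted")
    if not (pol.hours[0] <= req.local_hour <= pol.hours[1]):
        reasons.append("outside access window")
    if not req.device_compliant:
        reasons.append("device not compliant")
    return not reasons, reasons
```

Because the function returns every failed condition rather than stopping at the first, a denied request produces one log record that explains the whole decision.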

How zero trust differs from previous approaches

Zero trust is a far cry from the guiding security principles that have been in place for decades. Frederick the Great once said, “He who defends everything, defends nothing.” This maxim led to a perimeter-based approach, where defenses were erected to safeguard what was inside the perimeter walls, protecting the network from any external threat.

That approach works great as long as agencies can absolutely guarantee that no threat can sneak in — and that they have no bad actors within their organization. This is simply no longer a reality. Bad actors, foreign and domestic, are finding ways to pass through perimeter defenses — maybe through a bug that wasn’t fixed, a patch that wasn’t installed or a system that was outdated or misconfigured. Once inside the perimeter, adversaries can explore systems undetected, often for months or even years, stealing secrets, wreaking havoc, spying … the list goes on.

Plus, with so many government employees working remotely during the pandemic, perimeter walls have gotten fuzzy and massively complex. Employees no longer have ready access to their IT departments, nor do they benefit from their usual protections. As such, threats have escalated in number and potential danger. Intruders see big opportunities from even the slightest slip.

Zero trust is the paranoid response. It is the “know the secret knock, show two pieces of ID, use the code word and the special handshake to gain access to specific resources” cousin of perimeter security — and it is perpetually in force, questioning everything and everyone. This occurs concurrently with security and system hygiene applications running in the background.

It’s not that simple

From this perspective, zero-trust technologies seem to be exactly what the U.S. government needs to protect its most sensitive data and operations. But is anything really ever that easy? Agencies don’t just flip a switch to turn on a zero-trust environment; it requires a major commitment and ongoing administration. Access and privileges are constantly changing and need incessant monitoring. Policies often must be altered to cut off access immediately. It’s an intensive effort.

It can also sink productivity if agencies attempt to implement zero trust at the highest scale. If they don’t though, they might wind up with a piecemeal approach that still contains gaps — even tiny ones — that could expose vulnerabilities.

That said, zero trust has been years in the making, only drawing attention now as the associated technologies mature. It is well designed for today’s world. It requires enormous planning to implement effectively and will require constant tweaking, but it has to start somewhere.

To move to zero trust, first and foremost, agencies should expect legacy systems to remain in place for a while, which means they won’t be wasting existing investments. Then, agencies should review their most sensitive data and workflows to determine what needs greater protection and where they should limit access or manage sessions, starting with classified documents that should require multifactor authentication, privileged access or session management. Everything else can continue under perimeter control until it makes sense to make additional changes. Zero trust can be rolled out gradually.

No zero trust strategy is perfect, and each deployment will evolve as needs are assessed. If an agency enters into zero trust with the right resources and expectations in place, however, it will go a long way to protecting government’s most sensitive assets from assault and exploitation.

As first published in Government Computer News.