Adopting and deploying a zero trust architecture (ZTA) is a major pillar of improving cybersecurity, as President Biden directed in Executive Order 14028, “Improving the Nation’s Cybersecurity.”
Zero trust means that every request to access a system or resource is authenticated and authorized on its own merits; being inside the network earns no standing trust. In a classical perimeter defense, IT managers try to harden the network, making it secure and compliant, and then deploy assets into that environment. Zero trust, in contrast, focuses on the security and compliance of the assets themselves, regardless of their physical or network location. It does not assume that everything behind the enterprise or agency firewall is safe; instead, it verifies each access request. Whatever the origin of the request and whichever resource it targets, the core concept of zero trust is “never trust, always verify.”
ZTA is not a product or a specific solution. It is a journey toward a broader strategy for modern security, one adapted to today’s complex, borderless environment. Rapid digital transformation, including the mobile and remote workforce, keeps that environment evolving. Against this backdrop, ZTA protects employees, devices, apps and data wherever they are located.
A ZTA, or framework, requires implementing controls and technologies across all the foundational stacks of the enterprise ecosystem. While several formulations of these stacks exist, my model includes six: identities, devices, applications, data, infrastructure and networks. Each stack is at once a source of signals and alerts, a control plane for enforcement and a key resource to protect.
NIST analyzes ZTA
The National Institute of Standards and Technology (NIST), in Special Publication 800-207, “Zero Trust Architecture,” provides a comprehensive analysis of ZTA and of the risks and rewards of implementing it in an enterprise, whether public sector or private. It sets out seven tenets that effectively define ZTA:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications. Then, it uses that information to improve its security posture.
The common thread through all of these: a zero trust architecture takes nothing for granted. It doesn’t matter whether the request for a resource comes from within the organization or from outside. If the system authenticated a user 15 minutes ago and the user now opens a new session to the same resource, ZTA evaluates that request afresh rather than carrying the earlier trust forward; how much authentication freshness a given resource demands is itself a policy decision, not a fixed timer.
It also calls for a least-privilege approach: the user gains access to the resource with only the privileges needed to complete the task. I recommend that anyone interested in the details of implementing ZTA read the whole NIST document.
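To make the tenets concrete, here is a small policy decision point (PDP) written as an added example for this article; it is not code from NIST SP 800-207 or from CGI. It assumes a hypothetical policy table, two hypothetical resources (“hr-db” and “wiki”) and constructed identity and device signals. Every request is evaluated on its own: session authentication must be fresh enough for the resource, device posture is checked independently of network location, the role must grant exactly the requested action (least privilege), and each decision is recorded for later analysis.

```python
"""Illustrative zero trust policy decision point (PDP); added example, not NIST or CGI code.

Each request carries identity, device-posture and session signals. The PDP
re-evaluates them on every call (no standing trust), applies a dynamic policy,
enforces least privilege and records the decision for later analysis.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset[str]
    auth_time: datetime      # last successful authentication for this session
    mfa: bool                # whether that authentication included a second factor


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # present in the enterprise asset inventory
    compliant: bool          # posture result reported by the endpoint agent
    posture_time: datetime   # when that posture result was measured


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    now: datetime


# Hypothetical policy table consulted on every request. In a real deployment it
# would come from a policy store so it can change without redeploying the PEP.
POLICY: dict[str, dict] = {
    "hr-db": {"roles": {"hr"}, "actions": {"read"},
              "mfa": True, "max_auth_age": timedelta(minutes=15)},
    "wiki":  {"roles": {"staff", "hr"}, "actions": {"read", "write"},
              "mfa": False, "max_auth_age": timedelta(hours=8)},
}
MAX_POSTURE_AGE = timedelta(minutes=30)
AUDIT_LOG: list[dict] = []   # decisions plus the signals behind them


def decide(req: Request) -> tuple[str, str]:
    """Evaluate one access request and return ("allow" | "deny", reason)."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return "deny", "unknown resource (default deny)"
    # Per-session, time-bounded authentication: an old login does not carry over.
    if req.now - req.subject.auth_time > rule["max_auth_age"]:
        return "deny", "reauthentication required"
    if rule["mfa"] and not req.subject.mfa:
        return "deny", "mfa required"
    # Device posture is a first-class signal, independent of network location.
    if not (req.device.managed and req.device.compliant):
        return "deny", "device not managed or not compliant"
    if req.now - req.device.posture_time > MAX_POSTURE_AGE:
        return "deny", "device posture stale"
    # Least privilege: the role must grant exactly this action on this resource.
    if not (req.subject.roles & rule["roles"]):
        return "deny", "role not authorized for resource"
    if req.action not in rule["actions"]:
        return "deny", f"action {req.action!r} not permitted"
    return "allow", "all checks passed"


def enforce(req: Request) -> str:
    """Policy enforcement point: decide, then record the outcome and its signals."""
    verdict, reason = decide(req)
    AUDIT_LOG.append({"user": req.subject.user, "device": req.device.device_id,
                      "resource": req.resource, "action": req.action,
                      "verdict": verdict, "reason": reason, "at": req.now.isoformat()})
    return verdict


def run_samples() -> dict[str, str]:
    """Constructed scenarios (not real data) exercising each check once."""
    now = datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)
    fresh, stale = now - timedelta(minutes=5), now - timedelta(minutes=40)
    good_dev = Device("laptop-1", managed=True, compliant=True, posture_time=fresh)
    bad_dev = Device("byod-7", managed=False, compliant=False, posture_time=fresh)
    hr = Subject("alice", frozenset({"hr", "staff"}), auth_time=fresh, mfa=True)
    hr_old = Subject("alice", frozenset({"hr", "staff"}), auth_time=stale, mfa=True)
    staff = Subject("bob", frozenset({"staff"}), auth_time=fresh, mfa=False)
    return {
        "fresh_hr_read": enforce(Request(hr, good_dev, "hr-db", "read", now)),
        "stale_login_hr_read": enforce(Request(hr_old, good_dev, "hr-db", "read", now)),
        "hr_write_not_in_policy": enforce(Request(hr, good_dev, "hr-db", "write", now)),
        "staff_without_mfa_reads_hr_db": enforce(Request(staff, good_dev, "hr-db", "read", now)),
        "staff_wiki_unmanaged_device": enforce(Request(staff, bad_dev, "wiki", "read", now)),
        "staff_wiki_managed_device": enforce(Request(staff, good_dev, "wiki", "write", now)),
        "unknown_resource": enforce(Request(hr, good_dev, "payroll", "read", now)),
    }


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:32} {verdict}")
```

Note that the same user, on the same device, is allowed into “hr-db” with a 5-minute-old login and denied with a 40-minute-old one: the earlier decision is not carried forward, which is what per-session evaluation means in practice. Default deny for unknown resources and the audit record on every decision correspond to the first and last tenets above.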
NIST also highlights the close connection of ZTA to the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program. Quoting SP 800-207: “Having a strong CDM program implementation is key to the success of ZTA. For example, to move to ZTA, an enterprise must have a system to discover and record physical and virtual assets to create a usable inventory. The DHS CDM program has initiated several efforts to build the capabilities needed within federal agencies to move to a ZTA.” CGI has supported the CDM program for over five years.
Getting to zero: Implementing ZTA
Agency requirements, deployed technologies and the maturity of existing security programs all shape a plan for ZTA implementation. Zero trust security is most effective when integrated across the entire set of foundational stacks, sequenced against the mandated timelines.
Organizations will need to take a phased approach that targets specific areas, based on their zero trust maturity, available resources and priorities. They need to start small to build confidence.
We recommend starting the zero trust journey with “identities,” which include people, services and Internet of Things devices. (IoT devices represent both identities and devices, and IT managers should treat them accordingly.)
Identities are a common factor across networks, endpoints and applications. In a zero trust model, they function as a granular, flexible and strong way to control access to data.
Organizations can start the zero trust project in a single foundational stack, but work still needs to happen on the others, in a “block and tackle” approach. The stacks share common components in terms of visibility, analytics, automation and orchestration, and overall governance. CISA’s Zero Trust Maturity Model document (recently closed for comments) provides zero trust journey steps for these foundational stacks.
In conclusion, ZTA continues to gain momentum worldwide as a new security architecture. Organizations can use existing capabilities to support the ZTA journey, adding new capabilities over time to build toward a mature ZTA. With executive support and careful planning around people, processes and technology, ZTA will greatly reduce an agency’s attack surface. In this age of rapidly growing threats, that goal significantly enhances an agency’s security.
For more cybersecurity information and insight, visit Protecting America’s Assets.