This week, the White House Office of Management and Budget released a memorandum to the heads of the executive departments and agencies, and called for a move towards “zero trust” cybersecurity principles. In essence, zero trust means that there is no trust across networks, devices or users, and it demands constant, real-time authentication from the users who are accessing data. Many cybersecurity experts tout the effectiveness of zero trust, as it is a significant departure from perimeter-based security, through which an intruder can often move freely through a network after penetrating it.
“In the current threat environment, the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” wrote Shalanda D. Young, acting director of the White House Office of Management and Budget.
A Zero Trust Architecture
Young further quoted the Department of Defense (DoD) Zero Trust Reference Architecture, which stated, “The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction.”
The memorandum laid out the potential strategy for the federal government, which would include the following:
* Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
* The devices that Federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
* Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
* Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
* Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
Continuously Authenticated
Zero trust could help plug holes in networks, because current perimeter-based security acts essentially like a single gate or checkpoint. Consider a bad actor who acquired a user’s identity and password through social engineering: once logged on, that intruder would have seemingly unlimited access. Zero trust could help address such a scenario.
“Securing only endpoints, firewalls, and networks provides little protection against identity and credential-based threats,” explained Lucas Budman, CEO of cybersecurity software vendor TruU.
“Users should be authenticated continuously, from the time they try to log in to the moment they log out,” Budman told ClearanceJobs via an email. “Until organizations start implementing identity-centric security measures, account compromise attacks will continue to provide a perfect camouflage for data breaches. The initial step in any successful Zero Trust strategy should focus on granting access by verifying the person requesting access, understanding the context of the request, and determining the risk of the access environment. This never trust, always verify, enforce least privilege approach provides the greatest security for organizations.”
In addition, a zero trust construct can be designed to recognize that devices that access data – including laptops, desktops, mobile phones, etc. – would have unique identities that would be continually checked. Even when a legitimate device is used, it could be authenticated to ensure it isn’t bringing in something it shouldn’t.
“If the user only has access to non-sensitive or public information, the enterprise may not care that their device might have malware; however, if the user is trying to access sensitive financial or customer data, access should only be given to those devices that are managed, trusted and protected,” added Budman. “In any case, simultaneous device risk data and identity authentication allow customers to implement policies that respond to potential threats as they happen by stepping up identity verification on compromised endpoints and limiting access to high-value assets associated with those endpoints.”
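The per-request policy Budman describes above (continuous re-evaluation of identity, device posture and data sensitivity, with step-up verification on compromised endpoints), written out as an added example; this is illustrative code, not from the article, TruU or any vendor product, and the assurance levels, sensitivity labels and sample session are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # require stronger identity verification before granting
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # enrolled in enterprise device management
    malware_detected: bool  # current posture signal from the endpoint agent


@dataclass(frozen=True)
class Request:
    user: str
    device: Device
    resource_sensitivity: str  # assumed labels: "public" or "sensitive"
    identity_assurance: int    # assumed scale: 1 = password only, 2 = phishing-resistant MFA


def evaluate(req: Request) -> Decision:
    """Decide one request on its own merits; an earlier ALLOW is never carried forward."""
    if req.resource_sensitivity == "sensitive":
        # High-value data: compromised or unmanaged endpoints are cut off entirely.
        if req.device.malware_detected or not req.device.managed:
            return Decision.DENY
        # Managed, clean device but weak identity proof: step up before granting.
        if req.identity_assurance < 2:
            return Decision.STEP_UP
        return Decision.ALLOW
    # Public data: malware on the device is tolerated, but it triggers step-up verification.
    if req.device.malware_detected:
        return Decision.STEP_UP
    return Decision.ALLOW


def evaluate_session(requests: list[Request]) -> list[Decision]:
    """Continuous authentication: every request in the session is re-evaluated."""
    return [evaluate(r) for r in requests]


# Constructed sample session (not from the article): same user and laptop,
# but the device posture changes after the third request.
LAPTOP_CLEAN = Device("laptop-01", managed=True, malware_detected=False)
LAPTOP_INFECTED = Device("laptop-01", managed=True, malware_detected=True)
SAMPLE_SESSION = [
    Request("alice", LAPTOP_CLEAN, "public", identity_assurance=1),
    Request("alice", LAPTOP_CLEAN, "sensitive", identity_assurance=1),    # must step up first
    Request("alice", LAPTOP_CLEAN, "sensitive", identity_assurance=2),
    Request("alice", LAPTOP_INFECTED, "sensitive", identity_assurance=2),  # posture changed
]
```

Running `evaluate_session(SAMPLE_SESSION)` yields allow, step_up, allow, deny: the fourth request is refused even though the same user and device were allowed a moment earlier.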
Zero Trust – Not the Final Word
An important consideration is that zero trust should be one part of a broader cybersecurity solution, not the whole of it.
“As part of any digital transformation, zero trust networks should be a key initiative that focuses on securing resources – data, identities, and services – rather than securing physical networks,” said Anurag Gurtu, CPO at cybersecurity research firm StrikeReady.
“By focusing on tailored controls around sensitive data stores, applications, systems, and networks, the Zero Trust model shifts the focus away from varying types of authentication and access controls,” Gurtu explained via an email to ClearanceJobs. “The Zero Trust initiative should be supported by other key initiatives such as modernizing the security operations as well as uniting and empowering cyberdefenders. Without one of these, an organization’s security will be shaky at best.”
Questions still remain, and this isn’t something that will happen quickly – certainly not with the way the federal government operates.
“The challenge of implementing this at scale, and doing more than the basics, can’t be fully overstated,” warned Jim Purtilo, associate professor of computer science at the University of Maryland. “The devil is always in the details of implementation, so everyone should recognize what kinds of tradeoffs this will bring. Access controls are important but at the same time there is control over access, meaning some activities inside the castle walls which were fairly convenient or streamlined in the past will now be less so.
“We should remember one of the early definitions of ‘distributed computing,’ which is where a machine you’ve never heard of can stop you from getting work done,” Purtilo told ClearanceJobs. “When that computing is an access check then yes, machines you’ve never heard of can malfunction, reconfigure or just decide you aren’t who you are, and that will block you from access to facilities, services and data. Again, if that’s an aggressor trying to access it then the block is just what we want, but this can impact workers day to day too.”
Unfortunately, zero trust may still face the weakness that too many individuals are granted access to our networks.
“This directive doesn’t address the most vulnerable opening in our systems: people,” warned Purtilo. “No aggressor attacks the castle walls at the strongest points – they go for the weakest point of defense, and that is always people.”