In a world of increasing cybersecurity risk, there’s a lot of buzz in the federal IT industry about zero trust architecture. Many are wondering what it is, what it means to their organization and what actions it defines.
In the simplest terms, ‘zero trust’ is a security model, now codified in standards and guidance such as NIST SP 800-207, for building an architecture that grants no implicit trust and can adapt as data rights and risk change. The term was coined by Forrester Research analyst and thought-leader John Kindervag, and it rests on the principle that nothing is trusted by default. Under this paradigm, no device, user or application is considered secure because of where it sits on the network; every access request is verified before it is granted.
The term zero trust architecture is currently used mostly in government (the US Department of Defense [DoD] Zero Trust Reference Architecture and National Institute of Standards and Technology [NIST] SP 800-207 both define it), but the architecture is being adopted and refined across many high-risk and high-compliance industries, such as banking and healthcare. It also draws on security and privacy standards from across industries and technologies. Where NIST SP 800-53 gives you a catalog of security and privacy controls, zero trust architecture gives you a centralized set of design principles and components against which to set the security and privacy targets for your architecture.
The architectural components of zero trust include the:
- Policy engine, which makes the final decision to grant, deny or revoke a subject’s access to a resource.
- Policy administrator, which establishes or shuts down the communication path between a subject and a resource, based on the policy engine’s decision.
- Policy enforcement point, which is the gateway in the data path that enables, monitors and terminates connections between authorized users and the resources they access, as instructed by the policy administrator.
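To make the division of labor between the three components concrete, here is a small model of them in Python. This is an added illustration, not code from the original article, from NIST or from any product: the policy rules, the `Subject`/`Device`/`Resource` fields, the session identifiers and the sample scenario in `demo()` are all hypothetical. The point it demonstrates is that the policy engine decides per request from explicit signals (role, device posture, MFA, data sensitivity) and ignores network location entirely, and that the policy administrator re-evaluates a live session when device posture changes, telling the enforcement point to drop it.

```python
# Minimal model of the three NIST SP 800-207 logical components: policy engine
# (PE), policy administrator (PA) and policy enforcement point (PEP).
# Added illustration; every rule, name and identifier below is hypothetical.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool

@dataclass(frozen=True)
class Device:
    managed: bool        # enrolled in enterprise device management
    patched: bool        # meets the current patch baseline
    edr_healthy: bool    # endpoint agent reporting and clean

@dataclass(frozen=True)
class Resource:
    sensitivity: str     # "internal" or "restricted"
    required_role: str

@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: Resource
    source_network: str  # logged for audit only; never an input to trust

class PolicyEngine:
    """Final per-request allow/deny. Every check is explicit; being on the
    corporate network earns nothing (no implicit trust by location)."""

    def decide(self, req: AccessRequest) -> tuple[bool, str]:
        s, d, r = req.subject, req.device, req.resource
        if r.required_role not in s.roles:
            return False, "subject lacks required role (least privilege)"
        if not (d.managed and d.edr_healthy):
            return False, "device unmanaged or EDR unhealthy"
        if r.sensitivity == "restricted" and not (s.mfa_verified and d.patched):
            return False, "restricted data requires MFA and a patched device"
        return True, "all policy checks passed"

class PolicyEnforcementPoint:
    """Data-path gateway: opens, tracks and ends sessions only as told by the PA."""

    def __init__(self) -> None:
        self.sessions: dict[str, AccessRequest] = {}

    def open_session(self, sid: str, req: AccessRequest) -> None:
        self.sessions[sid] = req

    def terminate(self, sid: str) -> None:
        self.sessions.pop(sid, None)

class PolicyAdministrator:
    """Asks the PE, then configures the PEP; re-checks live sessions when
    device posture changes (continuous evaluation, not one-time login)."""

    def __init__(self, engine: PolicyEngine, pep: PolicyEnforcementPoint) -> None:
        self.engine, self.pep, self._n = engine, pep, 0

    def request_access(self, req: AccessRequest) -> tuple[Optional[str], str]:
        allowed, reason = self.engine.decide(req)
        if not allowed:
            return None, reason
        self._n += 1
        sid = f"sess-{self._n}"
        self.pep.open_session(sid, req)
        return sid, reason

    def posture_changed(self, sid: str, new_device: Device) -> bool:
        """Re-evaluate a live session; returns True if it survives."""
        req = self.pep.sessions.get(sid)
        if req is None:
            return False
        updated = replace(req, device=new_device)
        if not self.engine.decide(updated)[0]:
            self.pep.terminate(sid)
            return False
        self.pep.open_session(sid, updated)
        return True

def demo() -> dict:
    """Constructed scenario (sample data only, not from any real system)."""
    pep = PolicyEnforcementPoint()
    pa = PolicyAdministrator(PolicyEngine(), pep)
    payroll = Resource("restricted", "hr-analyst")
    analyst = Subject("asmith", frozenset({"hr-analyst"}), mfa_verified=True)
    byod = Device(managed=False, patched=True, edr_healthy=False)
    laptop = Device(managed=True, patched=True, edr_healthy=True)
    # 1. On the corporate LAN but from an unmanaged device: denied anyway.
    sid1, why = pa.request_access(AccessRequest(analyst, byod, payroll, "corp-lan"))
    # 2. Same user on a compliant device from home Wi-Fi: allowed.
    sid2, _ = pa.request_access(AccessRequest(analyst, laptop, payroll, "home-wifi"))
    # 3. EDR agent stops reporting mid-session: the PA tells the PEP to drop it.
    survived = pa.posture_changed(sid2, replace(laptop, edr_healthy=False))
    return {"lan_denied": sid1 is None, "deny_reason": why,
            "remote_allowed": sid2 is not None, "survived": survived,
            "still_open": sid2 in pep.sessions}
```

Run `demo()` and the first request is refused despite coming from the corporate LAN, the second is granted from a home network, and the granted session is torn down the moment the endpoint agent goes unhealthy. In a real deployment the engine would pull these signals from your identity provider, device-management and EDR systems rather than from hard-coded dataclasses, but the split of responsibilities is the same: the PE decides, the PA administers, the PEP enforces.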
THE EVOLUTION TO ZTA
Some of this may sound familiar to you. Zero trust architecture reminds me of a modern-day version of defense-in-depth. Defense-in-depth is a concept borrowed from military strategy and popularized in information assurance by the National Security Agency, in which multiple layers of security controls (defenses) are placed throughout an IT system. The intent is that a series of security mechanisms and controls are thoughtfully layered throughout a network so that no single failure exposes the confidentiality, integrity or availability of the network or its data.
One of the major differences between defense-in-depth and zero trust architecture is that ZTA focuses on users, assets and resources and, more specifically, is data centric. Defense-in-depth sets up multiple network zones, tries to limit the attack surface across assets and focuses on ports, protocols and services. Zero trust architecture goes a step further: it removes implicit trust altogether, places more emphasis on protecting the data itself, and brings the policy engine, the policy administrator and the policy enforcement point into a more centralized and manageable architecture. Because ZTA is an architecture rather than a single control, it can consolidate existing standards and adopt new ones, combining the traditional tenet of least privilege, which grants only the permissions needed to accomplish a specific action, with defense-in-depth’s layers and gates of security at every relevant control point in a use case. Zero trust architecture includes both.
To meet this standard of security, one must design a simpler and more secure architecture without impeding operations. The classic defense-in-depth strategy on its own has limited value against well-resourced adversaries and is an ineffective approach to insider threats: once an attacker or insider is past the outer layers, the implicit trust granted inside the network works in their favor.
DETERMINING THE RIGHT APPROACH FOR YOU
So, given the background of what zero trust architecture is and how it has evolved from earlier security standards, what does it mean today for federal contractors?
If you’re an organization that is working with the DoD, this level of security is not a nice-to-have, but a must-have. Anyone supporting DoD or civilian federal agencies will have to address the requirements that are starting to consistently arise from federal customers. As an example, statements of work from the DoD are starting to include a section on zero trust architecture. Per the Cybersecurity Executive Order (EO 14028, May 2021), we will also start seeing the requirements show up in federal civilian agencies, followed by state and local agencies, especially where they appear in contract flow-downs.
Knowing this is the direction the industry is heading, your organization should conduct a gap analysis and then move to setting up a zero trust level of security. What you ultimately determine for your organization needs to make business sense and security sense. As we all know too well, these cyber and privacy requirements need to be integrated early on in development, as none of the changes can be done overnight. ZTA is a marathon, not a sprint.
One of the key questions at the beginning of any gap analysis is whether you will be supporting customers that need zero trust architecture or, even more importantly, require it. Ask yourself whether adopting this architecture will provide the additional cyber and privacy controls needed to build a more resilient system and protect your most critical data. Decide whether you are going to build or buy, though you are probably going to do a little of both, as out-of-the-box zero trust architecture is not likely to meet all of your long-term technology, organization and process needs. Many security and privacy standards are still being updated and will be refined as new threats evolve, or as old ones find weaknesses in ZTA implementations.
If you decide to build these solutions in-house or outsource to a consulting firm, make sure you have the right resources: people who understand the architectural needs, have the coding capabilities and are familiar with the compliance requirements. Identify a project owner who understands cyber and privacy and can bring the different parts of the organization together to support the architecture.
YOUR STEPS TO ZTA
Once you determine if you are building or buying:
- Define your ‘protect surface’, the data, applications, assets and services that must fall inside the boundary of your ZTA
- Map your data, network and transaction flows
- Define your target ZTA architecture
- Create a zero trust policy for your organization, defining how the different components work together and providing the details
- Identify and document the gaps
- Put remediation of those gaps into your roadmap with timelines and resources
- Monitor and maintain the zero trust environment
Zero trust architecture is not something that can be achieved overnight. It’s going to be a marathon for you and your organization. Since it is not going away, now is a great time to begin training. It will be part of doing business in 2022 and beyond.
Waylon Krush is currently a Chief Technologist (Cyber) for Motorola Solutions. He may be reached at Waylon.Krush@motorolasolutions.com