Why Government Needs to Move Quickly to Zero Trust
Most experts agree that the best path forward would be zero-trust networking, although the concept is defined differently depending on who you happen to ask.
With so many government employees working from home, and no indication that this will end anytime soon, the federal government needs to upgrade the way it handles networking to tighten security for this new environment. Most experts agree that the best path forward would be zero-trust networking, although the concept is defined differently depending on who you happen to ask. Entire books could be written about the intricacies of zero trust, but by way of an explainer here, I will attempt to clearly define it for anyone considering upgrading security for their agency.
The federal government was already taking steps towards zero-trust networking late last year in an effort to improve overall security. The NIST National Cybersecurity Center of Excellence (NCCoE) and the Federal CIO Council hosted a two-day Technical Exchange Meeting on defining zero-trust architectures last November. And then in February, NIST updated its Special Publication 800-207, which helps to make the case for zero trust in government. So the government was already thinking about zero trust. It’s just much more necessary now with the pandemic forcing so many people to work from home.
The special publication gives a nice overview description on zero trust. “Zero trust is the term for an evolving set of cybersecurity paradigms that move network defenses from static, network-based perimeters to focus on users, assets and resources,” it says. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).”
The document brings up a good point that under current networking policies, users coming in from a trusted network such as another government agency, or from a location where they have already verified their credentials, are normally given full access to data and agency resources without further review. But zero trust instead considers the fact that because everything is connected, that it’s possible that a so-called valid user might actually be an attacker. At the very least, every user is monitored based on their activity.
Defining Data Sensitivity
Unfortunately, getting to zero trust can’t be done with a single product or platform. It often requires a bunch of different technologies like multifactor authentication, single sign-on, continuous monitoring and others working together in a zero-trust framework. But that also means that it can be implemented in stages, with various components coming online where they can do the most good and with the least amount of disruption. It’s why the government is backing programs like Continuous Diagnostics and Mitigation (CDM) and Federal Identity, Credential and Access Management (FICAM) as steps along the path toward the ultimate goal of zero trust.
One of the foundations of zero trust is the categorization of data, applications and assets based on their importance or, especially in the case of government, secrecy levels. For example, you could categorize an entire database as critically important, while an agency’s web servers are defined as needing less protection. Applications and services should also be defined by security or secrecy. In a highly secure environment, even individual files and folders could be flagged as needing upgraded protection.
Once data and assets are categorized, agencies can take that information and build zero-trust policies around it, especially if they have also implemented CDM. For example, a user who came from a trusted network might be OK if they want to access information about their federal holidays. But if that same user wants to search for personal information about other employees, they should probably be challenged to prove their identity and verify that they are able to look at that data.
This could be done in a variety of ways, with the most common being the issuing of a multifactor authentication (MFA) challenge where they have to enter a code sent to their smartphone, or enter the algorithmically-generated PIN on their government-issued security token. Only then would they be allowed to proceed with viewing any data with a higher classification.
Evaluating Risk
The example I made up was a pretty simple one to show how zero trust works. Unfortunately, it's normally a lot more complicated than that. In a well-designed zero-trust environment, there are thresholds of activity and circumstances that define risk, and how much of it an agency network should accept before challenging users for additional credentials. And it can be a tricky balancing act.
When continuously evaluating a user, activities such as if they are connecting to the network from a valid location, the strength of their password, if they are using an approved device and what they are trying to do should all be considered. If any of those evaluations are not met, like if a user is working from a foreign country that they have never logged in from before, it still might be okay to give them access to shared or non-classified information. Perhaps they are traveling abroad. So that might be an acceptable level of risk.
However, if that same user crosses another threshold, like if they are using a smartphone that has not been approved, or if they suddenly want to access more critical data, the risk might suddenly be too high. In that case, zero trust would automatically take additional steps. They might be given an MFA challenge, temporary blocked or even booted from the network depending on the severity of the risk spike and how zero trust is defined for that agency.
Getting to Zero
Given the complexity of zero trust and the size of most agency networks, it’s no wonder that government is taking its time getting to zero. Zero trust is also well-known enough today that there are lots of resources for agency officials looking for more information.
The NIST special publication is, of course, highly recommended. Another good report was created by the American Council for Technology-Industry Advisory Council at the request of the Federal CIO Council, that defines six strong pillars for a zero trust security model. Research firm Forrester defined a zero-trust philosophy that it calls a Zero Trust eXtended (ZTX) Ecosystem, while Gartner calls its model Continuous Adaptive Risk and Trust Assessment (CARTA). Google also has a working model of zero trust that it calls BeyondCorp.
The pandemic has enhanced the government’s interest in zero trust, but it was already moving in that direction beforehand. With the research and work already put into defining zero trust within government, federal agencies are in a good position to at least begin putting elements of the platform in place. In many cases, different components probably already exist in most federal networks. They just need to be tied together into a zero-trust model that works for government.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys