For those who work in Department of Defense (DoD) and Government contracting, the term “Zero Trust Architecture” (ZTA) can be found everywhere, an oft-quoted buzzword that outlines the future of cybersecurity for our Nation’s networks and systems. So, what is ZTA really, and how will it affect security standards and processes in the future? This article will outline the concept behind ZTA, the mechanisms that support its operation, the upcoming effects for organizations, and how a business can begin preparing for ZTA requirements.
What Is Zero Trust?
Zero Trust is just that – a security model that uses automated safeguards set to “never trust” for all access. It is based on the concept of “never trust, always verify,” which removes the idea of trust by default for both users and devices. The model for ZTA requires constant verification and validation that entities are authorized to access protected information or processes and have a legitimate purpose for doing so, providing a level of no or zero trust in all users – even those who have been previously validated. ZTA is considered the latest gold standard for securing information and networks.
With more than 60% of the global population connected to the internet and countless smart devices expanding our attack surface (think laptops, mobile phones, tablets, smart watches – even refrigerators!), the number of cybersecurity incidents has increased exponentially year over year. Phishing attempts, data breaches, ransomware attacks holding systems hostage – every click puts us at risk of an incident. ZTA seeks to reduce this risk significantly by requiring continuous authentication, authorization, and validation of users and configurations in order to grant or maintain access to devices, applications, data, or systems. ZTA is a necessity in today’s work environment, which has changed dramatically through remote work and hybrid cloud environments.
How Does It Work?
ZTA moves away from the traditional “trust but verify” method for network security, where users or devices that are acting within an organization are automatically trusted in accordance with security policies. In reality, users and threats can change quickly, even within the perimeter of an organizational system. By implementing ZTA, we remove this threat by requiring continuous verification of resources. ZTA aligns with National Institute of Standards and Technology (NIST) 800-207 to provide this continuous verification, as well as minimize the impact of breaches and automate context collection and response.
Examples of tools that support ZTA are next-generation endpoint security, Multi-Factor Authentication (MFA), identity protection, and cloud workload technology. Because ZTA requires real-time visibility to continuously vet resources and access requests, Artificial Intelligence (AI) and Machine Learning (ML) technologies also play a key role to provide accurate and rapid response.
NIST guidance recommends several methods to enable ZTA for workflows, all of which use different components and policy rules. Full ZTA solutions use elements from all three of the following approaches:
- Enhanced Identity Governance – In this approach, access is governed by actor identity and assigned attributes, which are outlined in the organization’s policies. Access privileges can be affected by environmental factors, asset status, or device used, leading to limited access in certain scenarios. This approach can be employed using open network models or enterprise networks with visitor access, allowing network access to all assets but restricting access to specific resources that have the correct privilege levels.
- Micro-Segmentation – This method works by placing specific individuals or resource groups on unique network segments that are secured with gateway security components. Micro-segmentation can be performed using either software agents or security devices like next generation firewalls. It requires all Policy Enforcement Points (PEPs) to be accurately configured and able to respond quickly to potential threats.
- Network Infrastructure and Software Defined Perimeters – The final approach relies on overlay networks or software-defined perimeters to manage access. Network control is managed by the Policy Administrator and uses the Policy Engine to set up or reconfigure the network. Access is requested through the PEPs managed under the Policy Administrator. This method typically uses an agent/gateway deployment model to establish a secure communications channel between the client and the resource.
How Will ZTA Affect Us?
In May 2021, President Biden published Executive Order (EO) 14028, which directs implementation of ZTA on U.S. Government networks by September 2024. Federal Agencies are already planning their ZTA implementation as outlined by NIST and this EO. The continued focus on migration to cloud architectures is also driving the need for ZTA.
EO 14028 is certain to affect businesses that support Government contracts, as it will trickle down as a requirement or a preferred option for competition. It is quite probable that Contractors will begin to see ZTA requirements written into competitive acquisitions, and they will be required to demonstrate successful use of ZTA in order to be awarded a contract. Considering a full ZTA can take anywhere from two to three years to implement, it is vital that Contractors begin preparing themselves NOW, as even the smallest steps will help prepare for the inevitable.
What Can We Do to Prepare?
The evolution to ZTA presents significant challenges to any organization not already practicing Zero Trust. Some of these challenges relate to the complexity of an organization’s networks, while other challenges involve ensuring availability of information. As we move toward a ZTA standard, many organizations will encounter steep learning curves for staff, and all will face budgetary challenges. Implementing ZTA will require significant expenditures on equipment, products, and services. It cannot be resolved successfully with a single, simple engineering solution; however, organizations can start taking steps now to prepare for ZTA and lessen the administrative and financial burden before a formal requirement is created.
Consider working to understand your organization’s protected Data, Applications, Assets, and Services (DAAS) as a starting point and how these flow through the organization. This can be accomplished by defining your critical DAAS. Once this information is defined, an organization can begin to understand who uses DAAS, how it is used, and what systems use it or connect to it. Knowing this information will help a business to right-size its ZTA implementation. Many organizations will learn that they have staff that never use protected DAAS or have limited use of these items. Understanding this will enable proper segmentation of network and system access.
Second, maximize efficiency by reducing the Zero Trust protect-surface. Many IT professionals understand the concept of the attack-surface in an organization, but efficiency requires a pared down approach that focuses on the protect-surface, the DAAS that must be controlled by ZTA implementation. DAAS that does not require protection can remain business as usual until the ZTA is fully matured and ready to expand. With a full comprehension of the protect-surface, an organization can logically or physically segment it from the rest of the network. After implementation, the segmentation is streamlined for more efficient monitoring.
Third, aim for cost-effective solutions, rather than no cost or inexpensive options. The reality is this transition will cost a business both time and money to implement a functional, effective ZTA. A purchase list may include new network traffic management devices or services, network monitoring features, MFA tools, and other items that could require additional support staff. Keep in mind, however, that ZTA is not a cheap and easy add-on feature. This is an entirely different architecture that will require new approaches that differ greatly from ordinary, legacy business technology solutions. The best ZTA solutions are as seamless and automated as possible and offer clear, understandable monitoring and reporting of key metrics. In this instance, the adage “You get what you pay for” is highly relevant!
Finally, ensure policies reflect the changes in architecture, access controls, staff awareness, and any other aspect impacted by the new reality. Policies and procedures must be well documented, securely stored, and available for audits and compliance checks. Some companies prefer to start anew with their policies, marking the beginning of their journey as both “Zero Trust” and but “Day Zero.” It is best to view this as a fresh start from a stronger position that will ensure a company’s protected assets, reputation, and profitability have a solid foundation.
Implementing ZTA may seem like a daunting task, and it will require significant rethinking of processes for both Government and Industry; however, it is critical to ensuring the security of our data and assets. Now, more than ever, we need to be proactive in our approach to cybersecurity. In the first half of 2022 alone, more than 236 million ransomware attacks took place, showing just how vulnerable we are. By switching to the mindset of Zero Trust to constantly question a resource’s privileges and access, we can significantly reduce the risk of these attacks and create a more secure environment for our critical systems.