How agencies should implement a zero trust architecture – MeriTalk


With the release this year of a major strategic policy on cybersecurity, the White House is sending a clear message to the agencies: we must move forward towards the implementation of a government-wide Zero Trust Architecture (ZTA) – and quickly.

The draft Federal Zero Trust Strategy supports the Executive Order on Improving the Nation’s Cybersecurity by clarifying ZTA priorities, identifying the outcomes agencies must achieve, and defining baseline policy and technical requirements for agencies.

As defined by the Zero Trust Reference Architecture released by the Department of Defense (DoD) earlier this year, agencies with an effective ZTA enforce rules and controls so that “no actor, system, network or service operating outside or inside the security perimeter is trusted. Instead, (agencies) should verify anything that attempts to establish access. This is a radical paradigm shift in the philosophy of how we secure our infrastructure, networks and data, from single perimeter verification to ongoing verification of every user, device, application and transaction.”

Fortunately, this transition is on track: four of five federal IT decision-makers and other government leaders and technology executives say they include or define zero trust in their cybersecurity strategy. But only 55% are “very” confident in their agency’s ability to adhere to a zero trust framework.

To boost that confidence, the White House strategy calls for agencies to achieve five goals by the end of fiscal 2024. All five are closely aligned with the five pillars of the Zero Trust Maturity Model released by the Cybersecurity and Infrastructure Security Agency (CISA) in June. Here are the goals, along with our recommended best practices for implementing them:

1) Implementation of a single sign-on (SSO) service for users that is integrated with common applications and platforms, as well as application-level multi-factor authentication (MFA) integrated with the enterprise SSO where possible.

Implementation best practices: The government has widely adopted MFA, such as the DoD’s Common Access Card (CAC) and Personal Identity Verification (PIV), but not all systems can support these credentials. It is essential to have a variety of authentication techniques that can be applied across the wide range of government applications. Agencies should therefore rank systems by mission criticality, sensitivity, and likelihood of compromise, roll out MFA first to the systems deemed most critical, and work outward from there.

In addition, agencies cannot neglect privileged access management (PAM) in this context. Although PAM is not covered in depth in the strategy, 74% of IT decision makers whose organizations were breached report that the incident involved access to a privileged account. Agencies therefore need to establish effective and proven PAM controls.

2) Completion of an inventory of every device operated and authorized for government use, with the ability to detect and respond to incidents on those devices.

Implementation best practices: Security teams should ensure that every device is covered, including Internet of Things (IoT), Operational Technology (OT), and Cyber-Physical System (CPS) devices. A comprehensive ZTA plan will integrate all of these elements into a monitoring, detection, and protection program.

To increase threat hunting efficiency with government-wide endpoint detection and response, data collected on endpoints must be correlated, enriched, analyzed and processed in a timely manner. Security orchestration, automation, and analytics are essential to achieving these goals.

3) Encryption of all DNS requests and HTTP traffic, and segmentation of networks around their applications.

Implementation best practices: The continued use of shared services such as CISA’s Protective DNS allows agencies to focus their efforts on other, more difficult aspects of the zero trust strategy, particularly application segmentation. The policy states that agencies should run each separate application in its own separate network environment. “Multiple applications can rely on specific shared services for security or other purposes,” it says, “but should not depend on being co-located within a network with those services, and should be prepared to create secure connections between them over untrusted networks.”

Using software-defined and security-defined networking to create these micro-perimeters provides the speed, flexibility, and scalability needed to build zero-trust network segments. Segmentation can be applied using a variety of techniques at the network, application, user, or data layer, so it is essential to understand the use cases and requirements before implementation.

4) Treating all applications as Internet-connected, while regularly subjecting them to rigorous testing and welcoming external vulnerability reports.

Implementation best practices: This represents a major change for the government – the acceptance and even adoption of a perimeter-less architecture in which all applications (including those regulated by the Federal Information Security Modernization Act) are connected to the Internet. Although the strategy states that agencies should “create a minimum viable monitoring infrastructure and policy enforcement to allow safe Internet access,” it does not offer many details on how to achieve this. Security teams will need to determine what level of monitoring and controls (firewall, packet capture, network detection and response, etc.) will effectively enforce the security standards required for these applications. The recent SolarWinds and Microsoft Exchange breaches highlight the need to strengthen software supply chain and application security capabilities, especially through continuous analysis and monitoring.

5) Deploying protections that use deep data categorization and access monitoring, and implementing enterprise-wide logging and information sharing.

Implementation best practices: This goal describes the automation of security monitoring and enforcement – or security orchestration, automation and response (SOAR) – as a “practical necessity.” But agencies will be doing themselves a disservice if they deploy SOAR just to meet the data goal. They should deploy SOAR throughout their IT environment as part of their ZTA program and ensure SOAR plays a leading role in achieving all five goals summarized here. In the process, agencies will gain a wealth of actionable information to strengthen their cybersecurity posture across the enterprise.

It is very encouraging to see the administration calling for a comprehensive strategy. Security managers and their teams increasingly recognize that zero trust brings the level of vigilant oversight and control that modern times demand. However, agencies need to carefully consider what is needed in terms of resources and execution to fully meet each objective – and even go beyond what is “on paper” in the strategy to include SOAR, PAM and additional measures – to better protect themselves now and for the indefinite future.
