Zero trust has quickly become central to the cybersecurity strategies of federal agencies. Not an end in and of itself, zero trust gives the best route to the real goal of mission assurance. Mission assurance means always-available applications – no shutdowns or interruptions – consistent with protection against data theft and unauthorized access.

That goal requires imposition of zero trust not just to infrastructure hardware but also to applications, application interconnections and dependencies, and to data sources.

“The way I look at it, from a CIO’s perspective, is to make sure that the IT services are there for our staff members,” said David Bottom, the chief information officer of the Securities and Exchange Commission, “for them to be able to execute their missions, when they need to and where they need to. That’s the way we look at admission assurance.”

Bottom, speaking on a Federal News Network webinar, said his group focuses on the inventory of IT services within the agency. Having a complete picture lets the staff set priorities for installing protections with the most leverage in boosting mission assurance. The SEC’s long running EDGAR portal for company data exemplifies what Bottom called a primary mission essential function.

For NASA, data and data protection get a lot of attention, said Mark Stanley, enterprise cybersecurity architect. He said NASA has an immense range of missions and programs, all driven by data.

“We have to make sure that the integrity of the data, the availability of the data are there when those astronauts need it, when those engineers and those analysts need it, to be able to affect change,” Stanley said. He said NASA has a statutory obligation to share its research data publicly, which makes data assurance and availability all the more important.

When push comes to shove

The main question in a zero trust strategy, said Gary Barlet, the federal chief technology officer at Illumio: “How do you succeed in the face of something going wrong? When all the systems are operation, operating nominally, that’s great. But what about when things are under attack?”

Cybersecurity mechanisms must not only alert to and mitigate attacks, Barlet said, but must also help keep systems running, whether internal or deployed to the public.

“NASA can’t just turn things off in the middle of a launch,” Barlet said. Tech staffs “can’t just suddenly say, ‘Oh, well, we’ve got a little bit of a cyber attack. We’ll just turn everything off and pause until we can get back to it.’”

Therefore, a set-and-forget approach won’t keep systems out of trouble, panelists agreed.

“Mission assurance is not a static exercise,” Bottom said. “Expectations and requirements are always changing. They need to be factored into the planning that we do.” He said the SEC regularly runs exercises and rehearsals that incorporate lessons learned.

“We’re constantly updating our policies and processes, and exercising them,” Bottom said.

A well architected zero trust setup should also limit the scope of what a hacker can do, should someone or some thing manage to breach the protections in place. Stanley used ransomware as an example, in which hackers remove or encrypt data and demand money to restore it.

“One of the key tenants of zero trust is this ability to limit the blast radius,” Stanley said. “So if someone trying to execute a malware attack [is] able to compromise my account, under a zero trust, lease privilege scenario, they would only be able to implement against those things that I have access to and nothing more.” Zero trust, he added, “eliminates movement laterally across the network.”

Stanley said NASA is well along in efforts to establish zero trust. The agency has a portfolio of zero trust projects, including one to formalize the architecture. Particular areas of focus include multifactor authentication, and encryption of data both in transit and at rest.

The SEC is similarly in the phase of implementing detailed zero trust plans that meet the requirements of White House executive orders and guidance from the Cybersecurity and Infrastructure Security Agency (CISA). Of the SEC’s architecture and approach, Bottom said, “I’m sure it’ll be constantly updated as we learn new things.” He said it does take into account the five pillars of the CISA zero trust maturity model, namely identities, devices, the network environment, applications and data

Barlet underscored the idea that zero trust is not a static state but rather an ongoing process.

“There will never be an end of the zero trust journey,” Barlet said. “There’s never an end to the threats you face. So therefore, the journey of zero trust, which is to defend and recover from those threats, will never end.”

Seeing, then doing

Crucial to that never-ending journey: “Having good strong visibility across your enterprise,” Barlet said. The word enterprise is critical. It means visibility not just of infrastructure elements, where agencies have traditionally installed perimeter defenses. Visibility extends to applications, data and the way they interact among one another.

“Applications have inner connectivity to which agencies are often blind,” Barlet said. To secure the CISA-named five pillars of zero trust, agencies “first need to understand what’s going on in their enterprise and how things are actually interconnected.”

In fact, Bottom said, zero trust work has caused the SEC to revise what it considers infrastructure. A decade ago, he said, it meant primarily hardware. Now, “one of the things that we’re working hard at is to treat infrastructure as software.” That’s essentially what cloud services providers offer – infrastructure in the form of software services that change far more quickly than hardware infrastructure elements.

Infrastructure as software “actually goes back to something even more fundamental,” Stanley said. “It’s getting away from the former way in which we constructed networks. We’re now moving into true data centric models for computing.” On-premises hardware, in fact, makes for technical debt often accompanied by increasing cybersecurity vulnerability.

As software, networks change constantly as agencies create and remove virtual machines and otherwise reconfigure things.

“Any zero trust kind of model or architecture has got to be able to adapt to all those rapid changes,” Barlet said.

Panelists noted that the zero trust regime must also extend to user devices, not just users, and to sensors and internet-of-things devices that interact with the network.

Stanley said NASA systems constantly monitor device activity, looking for anomalies that can change the level of confidence in a particular access attempt.

“The beauty behind zero trust is that it’s monitoring that activity in real time, and it’s adjusting those scores in real time. Is it going to put a bit of a burden on cybersecurity? Yes, it is.”

Zero trust also should spread into new application development, into DecSecOps shops, taking into account their incorporation of open source code into whatever they’re developing.

“The reality in code development today,” Barlet said, “is nobody’s writing every single line of code by themselves anymore. They’re downloading modules. They’re using open source code.” All these pieces of software have dependencies and interconnections the agency needs to be aware of and incorporate into the zero trust scheme.

“You need an objective look at not what people think is going on, but rather at what is actually going on,” Barlet said. “You need to see real time, those interconnections and that traffic flowing.” He added, when Illumio shows a client these dependencies and interconnections, “they’re usually so divergent that they have a heart attack, to be honest with you.”

Learning objectives:

• Mission assurance overview
• Zero trust benefits
• Strategies for zero trust, mission assurance and resilience

Complimentary Registration
Please register using the form on this page or call (202) 895-5023.