The past two years have catalyzed a fundamental shift in the way that government organizations need to think about security. COVID-19 introduced the need to securely enable remote work, an ongoing ransomware epidemic shows no signs of slowing down, and the Russian-Ukrainian conflict has stoked concerns of nation state attacks.
The Defense Department has thousands of networks, each with thousands of connected devices and connected systems, collectively referred to as the DoD Information Network (DoDIN). Knowing all of the IT assets on the DoDIN has always been a challenge.
Furthermore, the number of non-traditional assets, such as Internet of Things and operational technology devices, now rivals the number of traditional IT assets. This adds a new layer of complexity to gaining visibility of, much less managing the security of, all the assets connected to the country’s most sensitive network of networks. Case in point: research from Forescout’s Vedere Labs reveals that government organizations have the highest percentage of devices with medium or high risk.
If there is a silver lining, it is that zero trust security has reached mainstream awareness, but the reality is that there is still a long way to go before we reach widespread adoption. Although the journey toward zero trust can be complex, there are already several guidelines in place to serve as a roadmap, such as the National Institute of Standards and Technology’s document, Draft NIST Special Publication (SP) 800-207: Zero Trust Architecture, and the DoD Comply-to-Connect (C2C) program. The concepts of comprehensive visibility and continuous monitoring are central to achieving zero trust.
Moving beyond a broad stroke network-centric security system, zero trust provides a framework to allow organizations to limit access to data resources by assessing user-resource connection requests in the most granular way possible. Zero trust is not any one security solution, but rather a combination of proven security principles that bridge traditional gaps and enable the creation of contextual policy that gets enforced at multiple levels. Of course, there are innovative solutions to help accelerate this journey.
NIST SP 800-207, today’s primary source of zero trust authority, outlines seven steps for introducing zero trust to a perimeter-based architected network:
Identify actors on the enterprise.
Identify assets owned by the enterprise.
Identify key processes and evaluate risk associated with executing them.
Formulate policies for the zero trust architecture candidate policy enforcement point (PEP).
Identify candidate PEP solutions.
Begin deployment monitoring.
Expand the zero trust architecture.
From this list it should be apparent that visibility and monitoring are prerequisites to the DoD’s “never trust, always verify” zero trust authentication and compliance policies.
C2C as the foundation for DoD’s zero trust journey
One of the largest government cybersecurity initiatives in the world, the DoD C2C, is the next major step forward in security across the DoDIN at both the non-classified and classified levels. A major difference between C2C and previous security programs is that C2C seeks visibility of all assets (both traditional and non-traditional). Full visibility is just the tip of the iceberg in the ways that C2C lays the foundation for the DoD’s zero trust journey.
The DoD launched C2C to efficiently enhance its cybersecurity posture across the enterprise. C2C, which leverages zero trust’s least privilege principles to protect access to data resources and assets, provides the foundation of the DoD’s zero trust journey through its two primary goals:
C2C fills existing capability gaps in currently fielded enterprise security solutions through complete device identification, device and user authentication, and security compliance assessment.
C2C automates routine security administrative functions, remediation of noncompliant devices and incident response through the integration of multiple management and security products and continuous monitoring. Whereas other enterprise security solutions focus on a subset of DoDIN-connected devices, C2C applies to all categories of DoDIN-connected devices: workstations/servers, mobile devices, user peripherals, Cyber-Physical Systems and Control Systems (CPS/CS), IoT devices, and network infrastructure devices.
Most significantly, the DoD’s C2C policy enables teams to verify the security posture of each endpoint before granting it access to the network. This ensures all devices are assessed for compliance with enterprise policy. In accordance with zero trust, systems and devices are then granted access only to the appropriate network segments.
Further, all connected devices are continually monitored with the capability to address any cyber-related deviations through automated action within the C2C framework. When combined with zero trust principles, the C2C policy engine ensures both the user and their device meet defined access requirements and have the necessary cyber hygiene to allow trusted and compliant access to enterprise resources.
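To make the C2C flow described above concrete, here is an added illustrative model of a policy engine (example code written for this article, not DoD or Forescout software): device identification, device and user authentication, and compliance assessment decide which network segment a device may reach, and a posture change observed during continuous monitoring automatically moves it to a remediation segment. The device categories, segment names and compliance check names are assumptions chosen for the example.

```python
"""Constructed model of a Comply-to-Connect style policy decision (illustrative only)."""
from dataclasses import dataclass

# Device categories from the C2C scope, mapped to assumed target segments.
SEGMENT_FOR = {
    "workstation": "user-lan", "server": "datacenter", "mobile": "mobile-net",
    "peripheral": "peripheral-vlan", "cps": "ot-isolated", "iot": "iot-isolated",
    "netinfra": "mgmt-net",
}
# Categories where a human user must also authenticate; headless devices are exempt.
USER_BOUND = {"workstation", "server", "mobile"}


@dataclass
class Device:
    device_id: str
    category: str               # one of SEGMENT_FOR, or unknown if not identified
    device_authenticated: bool  # assumed: device certificate validated at connect time
    user_authenticated: bool    # False for headless IoT/CPS devices
    compliance: dict            # assumed check name -> passed (e.g. "edr-running")


def assess(dev: Device) -> tuple:
    """Return (decision, segment, failed_checks) for a connection request."""
    if not dev.device_authenticated:
        return "deny", None, ["device-auth"]
    if dev.category in USER_BOUND and not dev.user_authenticated:
        return "deny", None, ["user-auth"]
    if dev.category not in SEGMENT_FOR:
        # Incomplete identification: isolate until the device is classified.
        return "quarantine", "remediation", ["unknown-category"]
    failed = sorted(name for name, ok in dev.compliance.items() if not ok)
    if failed:
        # Noncompliant: automated remediation rather than enterprise access.
        return "quarantine", "remediation", failed
    return "grant", SEGMENT_FOR[dev.category], []


def monitor(dev: Device, observed: dict) -> tuple:
    """Continuous monitoring: apply observed posture changes and re-assess.

    A device already granted access is re-evaluated on every deviation, so a
    failing check moves it to the remediation segment without manual action.
    """
    dev.compliance.update(observed)
    return assess(dev)
```

Running `assess` on a compliant workstation grants the user LAN segment, and a later `monitor` call reporting a stopped endpoint agent moves the same device to remediation.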
From zero to zero trust: The importance of visibility and monitoring
Whether a government organization is just getting started with zero trust or has achieved some level of maturity, visibility and monitoring are crucial to its success. Just as NIST SP 800-207 and C2C are the foundations of a zero trust roadmap, visibility and monitoring are high priorities in both NIST SP 800-207 and C2C.
For government organizations, visibility enables the comprehensive discovery of assets required as a prerequisite for zero trust. For organizations that have already begun their zero trust deployment, visibility delivers the monitoring required to enforce granular policy. In either case, network monitoring solutions can help discover these assets and monitor their behavior.
Melissa Trace is vice president for global government at Forescout.