Agencies have been saying for months now that zero trust is the answer to the problems COVID-19 has imposed on their networks. Now, as they begin to launch pilots, they’re finding out just how closely linked it is with other long-term efforts like identity, credential, and access management (ICAM) and bring-your-own-device (BYOD).
Innovations in one enable progress in all three, while complications tend to rear their heads across the board. And COVID is pushing them all rapidly from the theoretical space into practical implementation.
For example, Patrick Dedham — deputy to the commander, senior technical director, and chief engineer of the Army’s Network Enterprise Technology Command — said he realized shortly after the pandemic began that the Army’s end-state needed to be zero trust, and that it would need to begin slowly divesting from its perimeter security as that began to ramp up.
“So our work, our strategy for zero trust quickly became implement, implement, implement,” Dedham said during an Oct. 8 AFCEA virtual event. “We’re doing a proof of concept into our Office 365 impact level five private cloud that we’re standing up at the same time, on how to access those resources from non-government furnished equipment, and government furnished equipment that’s not connected directly to the network via VPN. So zero trust, I’d say that would fit into a resource portal-based deployment model in accordance with the new NIST guide.”
Meanwhile, the Navy was already working on identity management to help remediate audit issues in its financial systems. That gave it a leg up on implementing zero trust and BYOD pilots, both of which ironically require a significant amount of trust from both sides to implement efficiently, according to Chris Cleary, the Navy Department’s chief information security officer.
On the one hand, employees can be wary about using their personal devices for work, out of concern that the government might remotely install software on their system without telling them. Some, Cleary said, even fear having the archetypal men in black show up at their door to confiscate their devices — or potentially even charge them with a crime — due to some mistake with classified materials.
On the other hand, the government has to trust employees to follow certain rules and not abuse their access to such materials, without resorting to ghost IT or other Big Brother-esque methods of monitoring employees’ actions.
Consider, for example, Cleary’s scenario involving commercial virtual remote, the Defense Department’s Microsoft Teams implementation.
“When you bring a CVR environment onto your personal machine, I can take a document and pull it off CVR, drop it on my desktop. So that is a concern,” he said. “But it’s one of those things that I think we’re going to have to acknowledge that this is the new normal, and how do we work with those things, instead of always trying to control them?”
Sean Connelly, Trusted Internet Connection program manager at the Cybersecurity and Infrastructure Security Agency, said that in some cases, the interactions between zero trust, ICAM and BYOD are causing people to entirely rethink some of these concepts. For example, he said he’d interacted with a few agencies that had relatively weak BYOD policies, but strong policies around virtual private networks and virtual machines being used on home computers.
“BYOD may not just be bringing your phone onto the agency’s network; they could also be pushing the agency’s network out onto the user’s computer itself. It sort of flipped some mentalities internally at some of the agencies about what that BYOD means,” Connelly said. “Maybe it’s more BYON: bring your own network. I think that changes the perspective a little bit.”
As the nature of devices becomes more ephemeral, Connelly said, firmware and operating systems may not be as important to a BYOD strategy anymore. And that goes hand-in-hand with zero trust, because the network and the endpoints are always suspect. The access becomes about the user, the data and the applications themselves, not the government furnished equipment.
That’s why the Defense Information Systems Agency is focusing on various methods to authenticate a user’s identity, according to Brandon Iske, chief engineer for the security enablers portfolio at DISA.
“The three pillars I look at that from are either I have credentials stored securely on the device, off the device, or I’m using some alternative multifactor,” Iske said. “And so from those three different pillars, you kind of see different BYOD pilots, some of them being a VMI — virtual mobile infrastructure. So think of that like a remote session to a virtual mobile device that would be hosted on prem. So we’re looking at that from both a bring-your-own-device as well as a government-furnished multiclass environment, as well as ‘I just need to access Outlook Web Access or other capabilities — can I use my CAC on a personal machine? Or can I get derived credentials issued to it? Or can I use an external form factor like a USB token with derived credentials?’ So those are the three kind of different ways that we’re looking at it and supporting that from an enterprise perspective.”