Insight by DUO Security

Adapting policies to address user needs in a zero trust framework

There has been a lot of discussion about zero trust over the last year or more. At a recent Senate hearing, Chris DeRusha, the federal chief information security officer, and Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), both mentioned the need to drive the adoption of these techniques and architectures.

DeRusha said OMB is leading agencies toward a zero trust paradigm. This means real-time authentication, user testing, blocking suspicious activities and preventing adversaries from network hopping that we’ve seen time and again in major attacks.

The key phrase that many overlook, however, is user testing.

Employees must be central to the zero trust and broader cybersecurity efforts.

Bryan Rosensteel, a cybersecurity architect for the public sector at Cisco’s Duo Security, said if cybersecurity tools make technology difficult to use, employees will not use them. That puts agencies and organizations at greater risk of a breach, because employees will figure out a way to go around the cyber tools.

“We say ‘Well, what happens when you enact a strategy that embraces from a culture aspect?’ Well, the organization and the employees all in,” Rosensteel said on the discussion, Modern Authentication Strategies to Embrace Zero Trust, sponsored by Duo Security. “We’ve got to find a better system because our policies are built around very specific, very concrete use cases, and that flexibility just isn’t there. Now we’re seeing that change. We’re seeing a lot more flexibility coming in. I always tell people, ‘Hey, the last few years in the federal identity community have been among the most exciting.’ We’re seeing so many different changes coming in, and a lot of the best practices that we’ve been screaming from the mountaintop for, for a while, coming directly into not only guidance from NIST, but also policy. We’re seeing everything moving in the right direction.”

Part of the reason for this movement is the pandemic, but also the understanding of the zero trust framework.

Rosensteel said the need to validate not just the people, but the devices and the data is driving this movement toward zero trust.

“Zero trust looks at the end user identity from an end entity, and an entity is different than just the person. An entity is kind of a more holistic view of identity. It’s all the different components that go into the authentication. It’s who I am from a digital identity perspective, and that literally changes based upon the time and day, based upon even the workstation. All of which can present very different security challenges,” he said. “With the rise of telework, which in many ways is just here to stay permanently, it has forever shifted. Even the concept of issuing people a laptop and a phone is in question, right? The idea of fully managed devices for all of your endpoints is something you can no longer take for granted. But you never really should have, so maybe you still have managed devices, but you need to make sure that you have checks involved to make sure that only managed devices are actually authenticating.”

The concept of authentication is also shifting under zero trust.

Rosensteel said agencies’ security and technology leaders are realizing that the strength of the authenticator does not equate to the strength of the authentication.

He said the PIV and Common Access Cards only tell the agency that the employee has possession of the card; that card is the authenticator, nothing more.

“I can’t really think of one authenticator by itself that is going to be able to tell us so much more that we need to know whether or not to validate that authentication. Instead, dynamic policy authentication engines are what are able to do that,” he said. “What we have to do is we have to enhance our current authenticators. But the other thing that this does is, because we’re going to start putting in these policy enforcement and device discovery pieces within the workflow for authentication, some really interesting things come as a result. I always liken authentication to going over a bridge, and on the other side of the bridge is whatever it may be, maybe it’s a data lake, maybe it’s an application, whatever tasks that user needs to get to. Now to get to the bridge, they could have come from any different direction, and they could arrive at any different type of state to be able to do it, they still have to walk across that bridge and have to cross that bridge. So if we can do as much discovery during that authentication workflow as possible, then we can get quality data as to what’s actually coming in.”

The journey toward a zero trust architecture is ongoing and includes many of the tools agencies use today, ranging from multi-factor authentication across all accounts to access controls tied to Active Directory.

“We have to validate not only that they are who they say they are through the use of strong authenticators, but we also have to make sure that the way in which they’re authenticating is something that is trustworthy,” he said.
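The two points above, that possessing a strong authenticator such as a PIV card is not by itself a trustworthy authentication, and that device and context signals gathered during the workflow should feed a dynamic policy decision, can be shown as a small policy engine. This is an added illustration, not Duo's or any agency's code; the request model, the signal names and the thresholds are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of what a dynamic policy engine sees for one sign-in:
# the authenticator presented plus the device and context signals
# discovered during the authentication workflow (the "bridge").
@dataclass
class AuthContext:
    user: str
    authenticator: str                 # "piv", "totp" or "password" (assumed labels)
    device_managed: bool               # is this an agency-managed endpoint?
    device_id: str
    known_devices: set = field(default_factory=set)  # devices this user has used before
    hour_utc: int = 12                 # hour of the attempt, 0-23
    resource_sensitivity: str = "low"  # "low" or "high" (assumed tiers)

PHISHING_RESISTANT = {"piv"}           # hardware, certificate-based authenticators
MULTI_FACTOR = {"piv", "totp"}

def evaluate(ctx: AuthContext) -> tuple:
    """Return (decision, reason) where decision is 'allow', 'step_up' or 'deny'.

    The authenticator is only one input; device and context can override it.
    """
    # A strong authenticator presented from an unmanaged device still does not
    # get to high-sensitivity data: the device check is enforced first.
    if ctx.resource_sensitivity == "high" and not ctx.device_managed:
        return "deny", "unmanaged device cannot reach a high-sensitivity resource"
    if ctx.authenticator not in MULTI_FACTOR:
        return "step_up", "single-factor authenticator; multi-factor required"
    if ctx.resource_sensitivity == "high" and ctx.authenticator not in PHISHING_RESISTANT:
        return "step_up", "high-sensitivity resource requires a phishing-resistant authenticator"
    # Possession of the card proves possession only; a never-seen workstation
    # or an unusual hour changes the entity being authenticated, so re-verify.
    if ctx.device_id not in ctx.known_devices:
        return "step_up", "first sign-in from this device; re-verification required"
    if not 6 <= ctx.hour_utc <= 20:
        return "step_up", "sign-in outside normal working hours"
    return "allow", "multi-factor authenticator on a known, managed device at a normal hour"

def run_scenarios() -> dict:
    """Evaluate a few constructed sign-ins; returns {scenario: decision}."""
    base = dict(user="alice", device_managed=True, device_id="wks-01",
                known_devices={"wks-01"}, hour_utc=14)
    scenarios = {
        "piv_managed_known":      AuthContext(authenticator="piv", resource_sensitivity="high", **base),
        "piv_unmanaged_high":     AuthContext(**{**base, "device_managed": False}, authenticator="piv",
                                              resource_sensitivity="high"),
        "piv_new_workstation":    AuthContext(**{**base, "device_id": "wks-99"}, authenticator="piv"),
        "password_only":          AuthContext(authenticator="password", **base),
        "totp_high_sensitivity":  AuthContext(authenticator="totp", resource_sensitivity="high", **base),
    }
    return {name: evaluate(ctx)[0] for name, ctx in scenarios.items()}
```

Note that the same PIV card yields three different decisions depending on the device and context it is presented from, which is the distinction between authenticator strength and authentication strength.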

User Involvement in Security

We've got a critical shortage of qualified individuals who have the understanding of all the different pieces of identity management, not just the actual technology itself, but the policy involved, and how that relates to the challenges in being able to implement that across all these spaces. So what that means is everyone just doing it on their own with their own solution. It's just not viable. We just don't have the qualified personnel to do it. That's why shared services, and that's why cloud service providers, are so critical. When we say this, look, we can centralize the kind of security and the personnel with the expertise, and then you can work with us and it will be easily deployed. And oh, by the way, because we're going to reduce a lot of that administrative overhead on you, you're not going to have to worry about actually managing the data centers, you don't have to worry about all of the backend uplift, and that frees up some of your administrators to be able to go off and work on other tasks.


Featured speakers

  • Bryan Rosensteel

    Cyber Security Architect, Public Sector, Cisco

  • Jason Miller

    Executive Editor, Federal News Network
