How to achieve the mindset change essential to zero trust
June 27, 2022, 2:05 pm
Zero trust is getting a lot of attention from federal agencies these days. President Biden’s May 2021 executive order on improving the nation’s cybersecurity (EO 14028) mandated that agencies begin implementing zero trust. Office of Management and Budget guidance published since then, notably the January 2022 federal zero trust strategy memo (M-22-09), has expanded on that mandate.
But much of that guidance is highly technical and granular, focused on rapid milestones rather than the big picture, said Tom Van Meter, federal systems engineering director at Juniper Networks. As a result, many federal IT teams still have a fundamental misunderstanding of what exactly zero trust is and is not, he said.
Making the mental shift to zero trust
Before zero trust, most organizations used a design where multiple purpose-built controls sat at the perimeter: access control lists, firewalls, intrusion detection systems and web content filters. In that model, once someone is admitted inside the network, that user is trusted and therefore has largely unrestricted access to everything inside it.
Part of zero trust is defining smaller perimeters, called microperimeters, around resources that share the same or similar authentication and authorization requirements, Van Meter said. The entire network then comprises multiple smaller microperimeters — with separate authentication and authorization required to access each microperimeter.
“Zero trust is basically a security posture that starts from the assumption that you have to treat everyone and everything on your network as already compromised, which means you have to validate security policies continuously throughout the network, not just at the edge of the network,” he said. “Zero trust architectures are enabled by design principles that make use of both macro and micro segmentation, creating opportunities for continuous authentication and fine-grained authorization at each stage. They continuously monitor and reassess conditions to enable an enterprisewide dynamic security policy. Zero trust eliminates the concept of implied trust and creates an environment in which security policies apply to subjects and assets around the enterprise, no matter where they might plug into the networks and no matter the devices they might use as they do so.”
Zero trust typically requires multifactor authentication to establish who is asking for access before authorization is decided. In the federal government, that is typically a smart card such as the Department of Defense’s Common Access Card (CAC) or a civilian agency’s Personal Identity Verification (PIV) card, each protected by a PIN known only to the cardholder. The card is the “something you have” factor and the PIN the “something you know” factor: entering the correct PIN unlocks the private key held on the card, and the card then uses that key to prove the holder’s identity to the system being accessed. Authorization, meaning what that verified identity is allowed to reach, is a separate decision made by policy.
Another way to think about authenticated and authorized access is a travel analogy involving the Transportation Security Administration at the airport, Van Meter said.
“If you want to get on a plane, you go to the TSA line. And when you get to the TSA line, you present government-issued photo identification, which authenticates who you are when they compare your face to the picture,” he said. “After you authenticate who you are, you then present your boarding pass to authorize passing the checkpoint. Once you pass authentication and authorization, you can get closer to your plane — the resource you are trying to access. The plane itself lives in a microperimeter. You present your photo ID and boarding pass again at the gate. Depending upon where you are, they may waive presenting photo ID a second time, but you still have to present it if they ask.”
The need for perimeter security never goes away. The TSA line represents the outer perimeter. Think of it as the macroperimeter, if you like. Then, you have further authentication and authorization checks at the microperimeter — to get to the plane.
Understanding your agency’s network traffic
Van Meter said the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) program established security baseline measures across civilian federal agencies. And he said the zero trust executive order and subsequent OMB memo have done the same thing, as far as mandating specific actions agencies must take related to each of the five pillars of CISA’s Zero Trust Maturity Model: identity, devices, networks, applications and workloads, and data.
For example, under the identity pillar, agencies have to implement phishing-resistant multifactor authentication, incorporate a device-level signal into authorization decisions and adopt enterprise identity management. Under the devices pillar, they also need to work with CISA to deploy endpoint detection and response.
“There’s this long list of things that the agencies have to do. But the other thing that they will need to do is get a strong understanding of the sessions that make up their network traffic,” Van Meter said. “What they need to do is find a way to categorize the types of resources and the user characteristics of who or what device gets access to those resources to create the policy rules at the microperimeter. And that’s tough, because if you’ve got a production network, you’re running fast.”
Agencies need to figure out what is going on in their networks without impacting their production environment, he said, and there are projects on GitHub that can give them a head start on doing that. They pre-process session logs, deliver deduplicated session information and join in user identification. That lets agencies decide quickly which flows matter, and who is behind them, without touching production traffic.
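The following is an added example, not code from the article or from Juniper, showing the two ideas above end to end: the session-log preprocessing just described (parse, deduplicate, join identity) and the per-microperimeter authorization from the earlier section, where reaching one resource confers no implied trust for another. The log format, the IP-to-user directory, the resource catalogue and the rule shape are all constructed assumptions for illustration; a real deployment would pull identity from DHCP, NAC or identity-provider logs and resources from an asset inventory.

```python
"""Session logs -> deduplicated flows -> identity join -> candidate
microperimeter rules -> per-resource authorization check.

Added example; every format and dataset below is constructed."""
from collections import Counter, defaultdict

# Constructed sample session log: "timestamp src_ip dst_ip dst_port proto".
# Includes one repeated flow, one flow with unknown source and destination,
# and one truncated line, to show how each is handled.
SAMPLE_LOG = """\
2022-06-27T09:01:02Z 10.1.1.15 10.9.0.10 443 tcp
2022-06-27T09:01:07Z 10.1.1.15 10.9.0.10 443 tcp
2022-06-27T09:02:11Z 10.1.1.22 10.9.0.10 443 tcp
2022-06-27T09:02:40Z 10.1.1.22 10.9.0.20 5432 tcp
2022-06-27T09:03:05Z 10.1.2.40 10.9.0.20 5432 tcp
2022-06-27T09:03:59Z 10.1.1.15 10.9.0.20 5432 tcp
2022-06-27T09:04:30Z 10.1.1.15 10.9.0.30 22 tcp
2022-06-27T09:05:12Z 10.1.3.99 10.9.0.40 3389 tcp
this line is truncated
"""

# Constructed identity join: source IP -> (user, group, device posture).
IP_TO_USER = {
    "10.1.1.15": ("alice", "finance", "managed"),
    "10.1.1.22": ("bob", "finance", "managed"),
    "10.1.2.40": ("carol", "engineering", "unmanaged"),
}

# Constructed resource catalogue: (dst_ip, dst_port) -> microperimeter name.
RESOURCES = {
    ("10.9.0.10", 443): "payroll-web",
    ("10.9.0.20", 5432): "payroll-db",
    ("10.9.0.30", 22): "jump-host",
}


def parse_sessions(log_text):
    """Parse lines into (src_ip, dst_ip, dst_port, proto); skip malformed lines."""
    sessions = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # truncated or garbled line: skip rather than crash
        _ts, src, dst, port, proto = parts
        sessions.append((src, dst, int(port), proto))
    return sessions


def dedupe_sessions(sessions):
    """Collapse repeated flows into unique flow -> hit count."""
    return dict(Counter(sessions))


def derive_observed_access(unique_sessions):
    """Join each unique flow with identity and resource.

    Returns ({resource: {(group, device): {users}}}, unexplained_flows).
    Flows with no known identity or no catalogued resource are reported
    separately; they must never silently turn into allow rules."""
    observed = defaultdict(lambda: defaultdict(set))
    unexplained = []
    for src, dst, port, proto in unique_sessions:
        resource = RESOURCES.get((dst, port))
        identity = IP_TO_USER.get(src)
        if resource is None or identity is None:
            unexplained.append((src, dst, port, proto))
            continue
        user, group, device = identity
        observed[resource][(group, device)].add(user)
    return observed, unexplained


def propose_policy(observed):
    """Turn observed access into candidate rules plus a review list.

    Observed traffic is evidence, not policy: access seen only from
    unmanaged devices is queued for an analyst instead of being allowed."""
    rules, review = [], []
    for resource, combos in sorted(observed.items()):
        for (group, device), users in sorted(combos.items()):
            if device == "managed":
                rules.append({"resource": resource, "group": group, "device": "managed"})
            else:
                review.append((resource, group, device, users))
    return rules, review


def authorize(rules, user_group, device_state, resource):
    """Per-microperimeter decision: identity (group) and device posture must
    both match a rule for this specific resource. Default is deny, and
    access to one resource implies nothing about any other."""
    return any(
        r["resource"] == resource
        and r["group"] == user_group
        and r["device"] == device_state
        for r in rules
    )


if __name__ == "__main__":
    unique = dedupe_sessions(parse_sessions(SAMPLE_LOG))
    observed, unexplained = derive_observed_access(unique)
    rules, review = propose_policy(observed)
    print("candidate rules:", rules)
    print("needs analyst review:", review)
    print("unexplained flows:", unexplained)
    print("finance/managed -> payroll-db:", authorize(rules, "finance", "managed", "payroll-db"))
    print("finance/unmanaged -> payroll-db:", authorize(rules, "finance", "unmanaged", "payroll-db"))
```

Two design choices matter here. First, deduplication and the identity join happen on exported logs, so nothing touches the production path. Second, the flow from an unmanaged device and the flow with no known source or destination are surfaced for review rather than becoming rules; an allow list generated blindly from observed traffic would simply codify whatever was already happening on the network, including anything an attacker was doing.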
“Agencies need to first answer all the specified tasks that are in the OMB memorandum,” he said. “And then in addition to that, they have to understand what traffic is on their network so that they can figure out who’s trying to go where, which allows creating microperimeters with identity-based authentication and authorization access rules implemented on next-generation L7 firewalls.”