As federal agencies move to improve their cybersecurity practices under the banner of zero trust, improving visibility across federal networks becomes essential.
It’s right there in the Federal Zero Trust Strategy: “As agencies broadly encrypt traffic, it will be critical to balance the depth of their network monitoring against the risks of weak or compromised network inspection devices. Inspecting and analyzing logged network traffic is an important tenet of zero trust architecture.”
But what needs to be protected in a zero trust world? The data. A core concept of zero trust is using a “highly data-centric” approach to security, said Ian Farquhar, the security chief technology officer at Gigamon.
“That means that we need to be able to apply controls on the basis of data,” Farquhar said during Federal News Network’s Cyber Leaders Exchange 2023.
Gaining visibility into data in transit
In its zero trust strategy, the Office of Management and Budget directs agencies to encrypt their network traffic to protect data while also ensuring they can monitor the attack surface comprising all the devices and services that could be exploited to compromise that data.
It warns agencies to avoid relying on “static cryptographic keys with an overly broad ability to decrypt enterprisewide traffic.” Instead, agencies should use newer versions of standard encryption protocols, such as the latest versions of Transport Layer Security (TLS) protocols.
“More generally, agencies should plan for cryptographic agility in their network architectures, in anticipation of continuing to adopt newer versions of TLS and other baseline encryption protocols,” the strategy states.
And while that can be done on management endpoints with solutions geared toward those devices and environments, Farquhar said, agencies have other devices that can’t leverage those same tools, such as mainframes, Internet of Things devices like photocopiers and even industrial control systems.
“We need to be able to deal with data on these devices, therefore, we need to be able to look at this data in transit,” he said.
That function often falls to TLS inspection tools, which, as both the federal zero trust strategy and the National Security Agency warn, carry risks of their own that must be managed.
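As an added illustration (not from the article, the strategy or Gigamon), the following Python parser shows why the two directives above change how inspection must be done: it reads a ServerHello record and reports the negotiated TLS version and cipher suite, and whether a device holding only the server's static private key could ever decrypt that session. The cipher-suite table is a constructed subset of IANA values and the sample records are built in code rather than captured.

```python
import struct

# Constructed subset of IANA cipher-suite values: value -> (name, ephemeral key exchange)
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),       # static RSA key exchange
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),  # forward secret
    0x1301: ("TLS_AES_128_GCM_SHA256", True),               # TLS 1.3: always ephemeral
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B


def build_server_hello(version: int, suite: int) -> bytes:
    """Construct a minimal ServerHello record as sample input (not captured traffic)."""
    exts = b""
    if version == 0x0304:
        # TLS 1.3 keeps legacy_version 0x0303 and signals 1.3 in supported_versions
        exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
        version = 0x0303
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs


def parse_server_hello(record: bytes) -> dict:
    """Report negotiated version, cipher suite, and whether a static server key could decrypt the session."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x02:
        raise ValueError("not a ServerHello record")
    pos = 4  # skip handshake type and 3-byte length
    version = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 32  # legacy_version + random
    pos += 1 + hs[pos]  # session_id length byte + session_id
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1 + 2  # cipher_suite + compression_method + extensions length (walk to end of message)
    while pos + 4 <= len(hs):
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
            version = struct.unpack("!H", hs[pos:pos + 2])[0]  # the real TLS 1.3 version lives here
        pos += elen
    name, ephemeral = CIPHER_SUITES.get(suite, ("unknown", None))
    return {
        "version": VERSIONS.get(version, "unknown"),
        "cipher_suite": name,
        # Only TLS 1.2 or older with a static (RSA) key exchange can be read by a passive device holding the server key
        "static_key_decryptable": version != 0x0304 and ephemeral is False,
    }
```

Run over a capture, the same report tells a monitoring team which flows a static-key decryptor could still see and which require break-and-inspect or endpoint-side visibility instead.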
‘No perfect solution’ to TLS inspection
Farquhar said industry generally now believes that “there is no perfect solution, there is no one-size-fits-all solution” for TLS inspection.
“What we need to do is deploy the best solution for our specific needs — be that break and inspect or break, inspect and fix; be that other approaches that are done closer to the endpoint; be that the server or the client — and you choose the best one for what you need,” he said.
Agencies are adopting many different cybersecurity tools to implement the facets of their zero trust strategies. But Farquhar points out that any component, whether it be a firewall, an email security gateway or some other element, can be exploited. Because of that reality, agencies must also inspect network traffic for anomalies and potential nefarious activity. That’s the critical visibility factor, he said.
“That’s how you detect compromised controls, compromised appliances, compromised firewalls — all of this stuff,” Farquhar said. “Look at the traffic because that’s where the truth is.”