If you’ve heard Federal Chief Information Officer Suzette Kent speak over the last six months, she undoubtedly mentioned the concept of a zero trust network pilot.
And if you’ve gone to almost any cybersecurity conference over the last six months, sometime during a panel discussion one of the participants certainly talked about how the future of cyber revolves around creating a zero trust network.
What rarely happens at these and so many other events is the discussion of what zero trust actually means. So let me help you out here.
Zero trust is not a new technology. It’s not a new tool. It’s more of a change of thinking about how to approach cybersecurity.
“Everyone has gotten sick of chasing the rabbit and continuing to fail,” said Dr. Chase Cunningham, a principal analyst at Forrester Research. “Obviously the current strategy many agencies were using wasn’t right so let’s take a step back and do what’s right in fixing the problem.”
That step back helped Forrester create a nine-step framework for agencies or any organization to follow.
“If you look at where you start, you can’t fix or fight what you don’t know is in existence. The breadth and depth of any infrastructure that you are trying to protect is so great that if don’t have a baseline how can you put in controls to fix it?” he said. “It’s nothing other than data and network security, but it’s the hardest part of the problem to solve. No one knows where their data is and what the value of that data is.”
A cyber umbrella for all initiatives
Basically, zero trust is an umbrella term that nearly every federal cyber initiative can fall under, but it requires a change of thinking to create a network that trusts no one and verifies everyone.
“The idea behind zero trust is to ensure that every use on any end point is verified,” said Greg Cranley, vice president of federal and public sector sales for Centrify. “You know the user, you know the device they are using and you know the access to the network they are allowed to have. If you do those three checkpoints, that allows you to take away a big part of the risk surface to any organization. When someone logs in, zero trust ensures that’s me and corroborates that it’s my device using a PKI certification verified by a certificate authority. Then any request that I make, whether it’s through a Salesforce platform or through another application, it checks with our active directory that I have the right to access that system or app.”
In many ways, the Office of Management and Budget began the move to zero trust soon after the data breach suffered by the Office of Personnel Management in 2015. Agencies were required to identify their high value data assets and increase protections around them. In fact, OMB released an updated policy for high value data assets on Dec. 10. While it didn’t mention zero trust, the idea of applying more rigor and focus on high value data assets fits right into this concept.
But it’s more than just knowing your data. Zero trust actually brings together many of the ongoing cyber initiatives across government.
And that’s where the CIO Council’s zero trust pilot comes in.
While details remain a bit fuzzy, government sources confirmed the pilot will focus on end points such as laptops or mobile devices, and redefine what the “corporate network” really means.
Sources say zero trust means retreating the network around an agency’s most valuable data because that’s really what any organization must protect.
The CIO Council is leading an effort to develop a common understanding of what zero trust architecture means. An interagency group which includes the National Institute of Standards and Technology, the departments of Justice, Interior, Education and Health and Human Services, GSA, the Federal Deposit Insurance Corporation, OMB and the Defense Information Systems Agency are developing the pilot and common understanding.
Sources say the CIO Council expects to start the zero trust pilot in spring or summer 2019.
From the pilot, sources say OMB and the Homeland Security Department also are considering developing policy or guidance for how agencies can implement the concept of zero trust.
In the meantime, Cunningham said interest in the zero trust network concept has steadily increased over the last two years. He said agencies from the National Oceanic and Atmospheric Administration to NASA to the DHS to the U.S. Cyber Command have reached out to Forrester to learn more about the framework.
“The reason why it’s become so popular is a combination in the federal space of technology and culture,” he said. “I think the technology caught up on the platform level where you can do a lot with a single vendor because of all capabilities tools now bring. And with the culture, everyone has gotten sick of chasing the rabbit and continuing to fail.”
Centrify’s Cranley said zero trust also has received more attention because agencies finally recognized the value of identity and access management.
“Identity has proven to be the major cause of almost all data breaches because if people can steal my identity, use it to log in and we are not checking to see if it’s really me, then we are making it too easy for the bad actors,” he said. “Zero trust is a granular way to make sure you are allowed only to see what you are allowed to see. It allows us to get granular even down to the day and time of day. It makes it more difficult to steal data because it’s something you have, something you know and then it add analytics on top of that.”