An analysis by Bloomberg Government from last summer showed agencies have spent only $500,000 on zero trust architecture tools and services since fiscal 2017.
To be clear, that research only looked for specific mentions of what has become a buzzword mentioned at every conference and vendor white paper over the last two years.
BGov readily acknowledges that there are hundreds of millions, if not billions, of dollars spent on components that would go into a zero trust architecture.
The evidence of that spending and push toward modernizing the federal approach to cybersecurity seems to be everywhere, especially over the past year as agency chief information officers and others have realized the value and potential of changing their approach to network defenses. The COVID-19 pandemic reminded and reinforced the power of identity and access management as a key piece to defend against cyber attacks.
Insight by Menlo Security: Learn about the Justice Department's initiatives and strategies around cybersecurity in this free webinar.
The National Institute of Standards and Technology is reviewing concept papers for how to implement a zero trust architecture across six scenarios.
“This project will focus primarily on access to enterprise resources. More specifically, the focus will be on behaviors of enterprise employees, contractors and guests accessing enterprise resources while connected from the corporate (or enterprise headquarters) network, a branch office, or the public internet,” NIST’s National Cybersecurity Center of Excellence wrote in the project description. “Access requests can occur over both the enterprise-owned part of the infrastructure as well as the public/non-enterprise-owned part of the infrastructure. This requires that all access requests be secure, authorized, and verified before access is enforced, regardless of where the request is initiated or where the resources are located.”
NIST said based on its review of the white papers, it plans to issue a cooperative research and development agreement (CRADA) to demonstrate different approaches to zero trust.
The Department of Homeland Security and the National Security Agency are among two of the agencies on the leading edge to do more than test these concepts.
Beth Cappello, the DHS deputy CIO, said the agency is using its target architecture initiative, which sets a common technology baseline to let programs adopt new technologies quickly, to implement zero trust components.
“By rapidly implementing IT and security improvements to reduce risk, it will help the Office of the CIO address the remote work posture of our employees. Components have been able to take our target zero trust architecture and quickly customize or tailor it to field similar capabilities within their respective environments,” Cappello said at the recent MicroStrategy World 2021 conference on Feb. 4. “From a technology perspective, the zero trust architecture approach allow us to ensure we have a dynamic, on-demand chain of trust that is continually reassessed at each access point. Frankly, in our continued remote environment, this is incredibly important.”
Homeland Security’s approach to zero trust is all about reusable architecture guides that are focused on user needs and developed with the components in mind.
Cappello said policy templates, pattern libraries and reference implementations also help to ensure DHS is implementing zero trust concepts in a standard way. The DHS zero trust action group which is made up of experts from across the agency is leading the coordinating, developing and sharing of these documents and individual experiences.
“Thus far, we have fielded seven zero trust use cases to enhance access to IT assets and systems,” she said. “These use cases augment security while also reducing the load on our VPN connection points. This zero trust architecture approach also increases our network performance by leveraging a cloud access security broker and cloud security gateway capabilities to give users secure, direct access to cloud managed applications thereby reducing traffic on that Homeland Security enterprise network.”
NSA is taking a similar approach as DHS, providing policies and reusable components as part of its zero trust approach.
Timothy Clyde, the lead systems engineer for NSA’s external identity solutions and service offerings, said at the recent SailPoint Evolution of Identity conference that the agency launched a zero trust pilot just over a year ago with the goal of figuring out how to get users the data they need when they need it no matter the current set of policies and rules.
“What is the level of trust that needs to go with that identity?” Clyde asked. “Depending on what the level of trust is that needs to be with that identity, comes the governance above that identity. We’ve used policy engines. We tag our data and have been doing it successfully now for well over a decade. Some people would argue once you have a solid identity for the person, the device and the data, the policy then becomes probably the most important piece of it. It does need to be dynamic enough, that depending on the environment, you may have two policies that are almost identical. But if you are in ‘Environment A,’ you may have access, but if you are in ‘Environment B,’ you may not.”
Clyde said the initial phase and roll out of the zero trust pilot includes a lab to test technology components for DoD partners and NSA also is making its policy engines available for others to use in their environments.
Neal Ziring, the technical director for NSA’s Cybersecurity directorate, said the agencies can use policy engines to underpin the process to decide who is granted access to information. He said the policy is at the heart of access control.
“Policy administrators create the rules that allow (or not allow) people and systems to access data. In a zero trust architecture, when a user makes a request to access data, the request is sent to a policy information point (PIP). The PIP provides the user information (such as attributes, clearance level, where they are located, etc.) to a policy decision point (PDP). The PDP analyzes this information along with additional policy rules regarding who can access that data, and determines if that user on that device is allowed to access that data. The PDP then delivers this decision to a policy enforcement point (PEP) who is the final authority on whether or not that user or device gets access to that data and either allows or disallows access,” Ziring said in an email to Federal News Network. “These PIP, PDP and PEP sub processes, when combined, are commonly referred to as the zero trust policy engine.”
The zero trust pilot is a joint effort amongst U.S. Cyber Command, the Defense Information Systems Agency and NSA — where they are researching, developing, piloting and lab testing technologies.
“The team has been able to demonstrate the effectiveness of zero trust at preventing, detecting, responding and recovering from cyberattacks,” Ziring said. “NSA is part of the joint team developing the DoD zero trust reference architecture. NSA is developing zero trust best practices and guidance to share with a broader set of US critical network owners, such as National Security System owners. NSA is working with the DoD CIO and DISA to update any existing cybersecurity policies as applicable to include zero trust principles to ensure that all of DoD is synchronized on zero trust, and implements zero trust in a secure and standard way across the department to protect critical information.”
He added the DoDwide working group is partnering with NIST to ensure the guidance on zero trust are in alignment across government.
Under the pilot, NSA and U.S. Cyber Command established an unclassified lab at DreamPort, a public-private innovation partnership that hosts zero trust equipment and simulates customer environments where they test diverse configurations of zero trust implementations.
Ziring said it also serves as a location to hold unclassified discussions with zero trust stakeholders, such as government customers and vendors.
“The ability to engage with our stakeholders at the lowest possible classification level allows for broader engagements across the community and an increased understanding of cybersecurity as it evolves,” he said. “We have a separate testbed with DISA that will host any anticipated classified information.”