A Challenging Security Landscape
Over the past 20 years, cybersecurity strategies have primarily focused on protecting the network perimeter in a physically defined space. However, over the course of nearly two years, as the federal workforce retreated home and many traditional offices disappeared, this perimeter has been redefined. Now the network perimeter is everywhere: it’s the user’s house, a coffee shop, a co-working space, or the traditional office. As a result, federal cybersecurity strategies need to evolve as well.
To continue to secure the mission, federal agencies are identifying ways for security to dynamically follow their users, data, and applications since they are no longer anchored to centralized locations protected by static perimeter defense systems. Moving to the cloud has helped provide some options for agencies to move away from aging physical security infrastructure and take advantage of cloud-native security features that extend the security perimeter beyond the centralized office to the edge of remote work.
Implementing a Zero Trust Architecture (ZTA) allows for robust protections for the users, data, devices, networks, and applications regardless of their location. This is especially important for federal agencies as they face an asymmetric assault from legions of bad actors. While there’s been interest in a Zero Trust approach for several years, the Executive Order (EO) 14028, Improving the Nation’s Cybersecurity issued in May 2021 has been the catalyst of renewed focus on the importance of adopting Zero Trust.
The remainder of this article:
- Defines the core principles of Zero Trust using industry frameworks;
- Provides examples of strategies and methodologies agencies can use to prioritize their ZTA solutions; and
- Describes typical findings and recommendations for agencies to consider when implementing ZTA solutions.
What is Zero Trust?
Zero Trust is an emerging security paradigm designed to protect agencies by establishing, enforcing, and continuously analyzing least privilege per-request access decisions in information systems. Organizations that implement ZTA require that all users and devices must continually prove they are trustworthy. Zero Trust is the ultimate expression of the philosophy “trust but verify,” and it fundamentally changes the way agencies are protected.
ZTA is the strategy to execute on the Zero Trust vision. Zero Trust Architecture is an agency’s cybersecurity plan that utilizes Zero Trust concepts to encompass the workflow planning, component relationships, and access policies based on a framework of tenets, pillars, and capabilities. Tenets are used to describe the principles of Zero Trust, pillars logically organize the tenets into functional areas, and the capabilities map solutions to the functional areas in each pillar.
- Tenets – The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207 describes Zero Trust tenets as technology-agnostic, ideal goals for Zero Trust adoption. An example of a tenet is “The enterprise monitors and measures the integrity and security posture of all owned and associated assets.”
- Pillars – Logically organize the Zero Trust tenets into functional areas. For example, the Office of Management and Budget (OMB) Zero Trust model includes eight Zero Trust pillars, which are described in Figure 1.
- Capabilities – Provide a more granular view of the functional capabilities within a pillar and of how each capability contributes coverage across the pillars. For example, Figure 2 maps Zero Trust capabilities onto OMB’s Zero Trust capability model.
Figure 1: Office of Management and Budget (OMB) Zero Trust Pillars
Figure 2: Zero Trust Capability Model derived from OMB’s Zero Trust Security Principles
How to Begin Your Zero Trust Journey?
The Presidential Executive Order (EO) 14028, Improving the Nation’s Cybersecurity issued in May 2021 provides federal agencies with directives and timelines; however, it doesn’t prescribe the implementation methodology. The lack of prescriptive instructions is not a shortcoming of the EO; it’s an opportunity for agencies to tailor the execution to their mission needs.
The first phase of Zero Trust adoption is to baseline an agency’s current capabilities against an industry-standard framework (i.e., Current Mode of Operation). The second phase is to define a desired state of readiness based on near-term incremental improvements (i.e., Interim Mode of Operation). The third phase is to design a long-term roadmap that describes the desired state of completeness toward meeting all of the capabilities within the Zero Trust framework (i.e., Future Mode of Operation).
A summary of the three adoption phases, their activities, and their timelines is enumerated below. Figure 3 illustrates the three phases, broken down by the percentage of Zero Trust capabilities typically covered in each phase.
- Phase 1: Current Mode of Operation (CMO) – Complete a mapping of the agency’s currently implemented solutions to a Zero Trust capability model to determine which capabilities are currently covered and where there are coverage gaps. The CMO capability mapping exercise typically provides an executive-level overview using color-coded visualizations that describe which Zero Trust capabilities are currently “Met,” “Partially Met,” and “Not Met.” The timeline required to complete the CMO mapping typically does not exceed two calendar months.
- Phase 2: Interim Mode of Operation (IMO) – Identify at least one IT modernization initiative that can be completed within the next 12 months and map the new capabilities it will implement onto the Zero Trust capability model completed during the CMO phase (i.e., show the improvement). For example, agencies migrating from the Trusted Internet Connection 2.0 (TIC 2.0) framework to TIC 3.0 map the new capabilities met by implementing Secure Access Service Edge (SASE) solutions onto an updated version of the Zero Trust capability model.
- Phase 3: Future Mode of Operation (FMO) – Define a long-term roadmap that lays out the agency’s ZTA strategy over a 3-5 year timeline. The target for ZTA capability coverage should be one hundred percent (100%). This phase typically takes three to six months to complete and is subject to iterative changes driven by the agency’s mission needs and budgetary cycles.
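As an added illustration (not code from the article or from Verizon), the following Python script scores a CMO/IMO capability mapping of the kind Phases 1 and 2 describe: it rolls “Met,” “Partially Met,” and “Not Met” statuses up to a per-pillar and overall coverage percentage, shows the CMO-to-IMO improvement, and lists what remains as the FMO backlog. The pillar and capability names, the sample statuses, and the 0.5 weight for “Partially Met” are constructed assumptions, not the OMB model.

```python
from collections import defaultdict

# Weights that turn a capability status into a coverage score. The three
# status labels are the ones the CMO mapping uses; the 0.5 weight for
# "Partially Met" is an assumption of this example.
STATUS_WEIGHT = {"Met": 1.0, "Partially Met": 0.5, "Not Met": 0.0}

# Constructed sample mapping: (pillar, capability, CMO status, IMO status).
# Pillar and capability names are illustrative placeholders only.
SAMPLE_MAPPING = [
    ("Identity", "Phishing-resistant MFA", "Partially Met", "Met"),
    ("Identity", "Centralized identity provider", "Met", "Met"),
    ("Device", "Device inventory", "Met", "Met"),
    ("Device", "Endpoint posture checks", "Not Met", "Partially Met"),
    ("Network", "Encrypted internal traffic", "Not Met", "Not Met"),
    ("Network", "TIC 3.0 / SASE access", "Not Met", "Met"),
    ("Data", "Data classification", "Partially Met", "Partially Met"),
]

def coverage_by_pillar(mapping, phase):
    """Return {pillar: percent covered} for phase 0 (CMO) or 1 (IMO)."""
    totals, scores = defaultdict(int), defaultdict(float)
    for pillar, _cap, *statuses in mapping:
        status = statuses[phase]
        if status not in STATUS_WEIGHT:  # reject typos in the mapping early
            raise ValueError(f"unknown status {status!r} for {pillar}")
        totals[pillar] += 1
        scores[pillar] += STATUS_WEIGHT[status]
    return {p: round(100 * scores[p] / totals[p], 1) for p in totals}

def overall_coverage(mapping, phase):
    """Percent of all capabilities covered in the given phase (Figure 3 style)."""
    total = sum(STATUS_WEIGHT[row[2 + phase]] for row in mapping)
    return round(100 * total / len(mapping), 1)

def gaps(mapping, phase):
    """Capabilities still 'Not Met' after a phase: the FMO roadmap backlog."""
    return [(p, c) for p, c, *s in mapping if s[phase] == "Not Met"]

def phase_report(mapping):
    """Per pillar: (CMO %, IMO %, improvement in percentage points)."""
    cmo, imo = coverage_by_pillar(mapping, 0), coverage_by_pillar(mapping, 1)
    return {p: (cmo[p], imo[p], round(imo[p] - cmo[p], 1)) for p in cmo}

if __name__ == "__main__":
    for pillar, (before, after, delta) in phase_report(SAMPLE_MAPPING).items():
        print(f"{pillar:10} CMO {before:5.1f}%  IMO {after:5.1f}%  (+{delta})")
    print("overall CMO", overall_coverage(SAMPLE_MAPPING, 0), "%")
    print("FMO backlog:", gaps(SAMPLE_MAPPING, 1))
```

Replace SAMPLE_MAPPING with the agency’s own capability rows (one per capability in its chosen model) to reproduce the color-coded executive view as numbers.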
Figure 3: Three execution phases to a Zero Trust Architecture
Click here to read part two of this guide.
Wes Withrow is the Public Sector Solutions Executive at Verizon and a contributor to Government Technology Insider.