By Dr. Darren Death, Vice President of Information Security, Chief Information Security Officer, ASRC Federal
Recently, the White House proposed new standardized cybersecurity requirements for government contractors. This is on the heels of the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model 2.0 and other recent frameworks that call for the development, implementation and enforcement of U.S. cybersecurity policies.
Federal agency roadmaps such as CISA’s Zero Trust Maturity Model, the Department of Defense Zero Trust Strategy and Roadmap, and NIST’s Zero Trust Architecture underscore the urgent need to evolve U.S. cybersecurity digital architecture.
Agencies and their private sector partners are uniquely positioned to work together to carry out these new technical architecture and organizational culture requirements and advise on solutions that will ultimately strengthen our nation’s security.
Keeping up with this changing cybersecurity landscape can be daunting, so I am excited to announce that I am launching a series of LinkedIn articles, Securing the Digital Frontier, to help cybersecurity, information technology, and program managers navigate our cyber landscape.
To kick off this series, I am starting with Zero Trust, a significant shift in thinking about cybersecurity architecture. Zero Trust builds on many technologies that already supported a competent cybersecurity architecture before Zero Trust became a topic of discussion and part of a presidential executive order, and adds new capabilities that allow an organization to secure high-value data assets between the applications that present them and the consumers of that data.
Government agencies and private sector organizations have been actively discussing and adopting the concept of Zero Trust as part of their enterprise digital infrastructures. A threat actor’s primary motivation for attacking an organization is the sensitive data that organization may possess. Data, and secure access to data, are the key concepts for which Zero Trust offers a blueprint. Any organization building a Zero Trust architecture must consider CISA’s pillars. The five pillars in CISA’s Zero Trust Maturity Model – Identity, Devices, Networks, Applications and Workloads, and Data – serve as a roadmap for agencies to reference as they transition to a Zero Trust architecture.
Identity: An identity is an attribute or set of attributes that describes a user or entity accessing a system. Organizations should ensure and enforce access to the right resources at the right time for the right purpose without over-granting access. To enforce strong authentication, provide context-based authorization, and evaluate identity risk for users and entities, organizations should integrate identity, credential, and access management solutions across their enterprise whenever possible.
Key Takeaways for Identity
- Implement robust authentication methods.
- Provide context-based authorization.
- Implement Multi-Factor Authentication.
- Utilize Privileged Access Management (PAM) Systems.
- Deploy Anomaly Detection Tools.
Devices: A device is any network-connected asset, such as servers, desktops, laptops, printers, mobile phones, IoT devices, networking equipment, etc. To protect organizations’ or agencies’ resources, IT teams must secure all devices, manage risks from unauthorized devices, and prevent unauthorized access. The evolving technological landscape makes this task difficult and requires teams to constantly reassess the threats associated with adding devices to their enterprise.
Key Takeaways for Devices
- Implement effective cyber hygiene for all assets, including servers, laptops, and IoT devices.
- Adopt comprehensive inventory discovery and tracking for devices.
- Manage risks from unauthorized devices.
- Prevent access from non-compliant devices.
- Reassess threats with each new device addition and access to data.
Networks: An organization’s network includes communication channels like internal networks, wireless networks, the Internet, and other potential channels like cellular and application-level channels for message transport. By implementing Zero Trust controls closer to applications, data, and resources, networks can better manage traffic flows, isolate hosts, enforce encryption, segment activity, and improve enterprise-wide network visibility.
Key Takeaways for Networks
- Position Zero Trust controls near applications, data, and resources.
- Manage traffic flows and isolate hosts utilizing tools that support micro-segmentation and micro-perimeters.
- Adopt strong cryptographic algorithms and enforce encryption.
- Improve network visibility utilizing continuous network traffic analysis.
Applications and Workloads: Organizational information systems, computer programs, and services that run on-premises, mobile devices, and in the cloud make up platforms that must be managed and secured by agencies. Implementing granular access restrictions and integrated threat safeguards can improve situational awareness and reduce application-specific threats. Adopting best practices like DevSecOps and implementing an application security program that provides guidance, training, and tools to developers on secure development practices is a good step in ensuring applications have adequate security.
Key Takeaways for Applications and Workloads
- Manage and secure systems running on various platforms.
- Implement and monitor granular access restrictions.
- Utilize Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Penetration testing.
- Adopt best practices such as DevSecOps.
- Provide guidance, training, and tools to developers on secure development practices.
Data: Information systems, devices, networks, applications, databases, and infrastructure encompass the many areas where data may reside digitally within your organization. Organizations should inventory, categorize, and label data. Take a triage approach to prioritize the data you will focus on first. It is unrealistic to simply “zero trust” your organization. To ensure mission continuity, your zero trust architecture must include the mission context of the data you are protecting. As you move data assets into your zero trust architecture, re-triage your data to determine new data assets that should be identified for migration and protection. Teams should create governance policies and leverage artificial intelligence and machine learning technologies to help monitor and automate processes.
Key Takeaways for Data
- Inventory, categorize, and label data throughout the organization.
- Triage data across your organization, focusing first on high-value and sensitive data assets.
- Periodically reassess data to identify new data assets that should be migrated and protected.
- Enable encryption for data in use, at rest, and in transit.
- Develop governance policies for data security.
- Use artificial intelligence and machine learning for monitoring.
- Automate data discovery and utilize Data Loss Prevention technologies.
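As an added example, not taken from this article or from CISA’s model, the following Python sketch shows how the five pillars meet at a single policy decision point: identity assurance (MFA, least-privilege roles, a risk score), device inventory and posture, the permitted micro-segment paths and encryption in transit, and the data label that decides how strict each of those checks is. Every name, label, threshold, segment and flow in it is a constructed assumption; the point is that a request must satisfy every pillar, and the data sensitivity drives the bar.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Data sensitivity labels (Data pillar), lowest to highest. Assumed taxonomy.
LABEL_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Highest identity risk score tolerated per label (assumed thresholds; 0 = no risk, 100 = maximum).
MAX_RISK_FOR_LABEL = {"public": 100, "internal": 80, "confidential": 50, "restricted": 20}
# Permitted flows between micro-segments (Networks pillar); anything not listed is denied.
ALLOWED_FLOWS: Dict[str, set] = {
    "user-vpn": {"app-tier"},
    "app-tier": {"data-tier"},
}


@dataclass(frozen=True)
class Subject:
    user: str
    mfa: bool                    # authenticated with a second factor
    roles: FrozenSet[str]
    risk_score: int              # from a hypothetical identity-risk engine


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool                # present in the device inventory
    compliant: bool              # passes posture checks (patched, disk encrypted, EDR running)


@dataclass(frozen=True)
class Resource:
    name: str
    data_label: str
    segment: str                 # micro-segment hosting the workload
    required_roles: FrozenSet[str]


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: Resource
    source_segment: str
    encrypted_channel: bool


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Policy decision point: every pillar must be satisfied; any failed check denies."""
    reasons: List[str] = []
    label = req.resource.data_label
    sensitive = LABEL_RANK[label] >= LABEL_RANK["internal"]

    # Identity: strong authentication, least-privilege roles, risk-aware authorization.
    if sensitive and not req.subject.mfa:
        reasons.append("identity: MFA required for non-public data")
    if not req.resource.required_roles <= req.subject.roles:
        reasons.append("identity: subject lacks a required role")
    if req.subject.risk_score > MAX_RISK_FOR_LABEL[label]:
        reasons.append(f"identity: risk score {req.subject.risk_score} too high for {label} data")

    # Devices: unknown devices never get in; non-compliant ones only reach public data.
    if not req.device.managed:
        reasons.append("device: not in inventory")
    elif sensitive and not req.device.compliant:
        reasons.append("device: fails posture checks")

    # Networks: enforce the micro-segmentation map and encryption on the path.
    same_segment = req.source_segment == req.resource.segment
    if not same_segment and req.resource.segment not in ALLOWED_FLOWS.get(req.source_segment, set()):
        reasons.append(f"network: no permitted path {req.source_segment} -> {req.resource.segment}")
    if sensitive and not req.encrypted_channel:
        reasons.append("network: encryption required in transit")

    return Decision(allow=not reasons, reasons=reasons)


def sample_requests() -> Dict[str, Request]:
    """Constructed sample requests for demonstration; no real identities, hosts or data."""
    analyst = Subject("a.analyst", mfa=True, roles=frozenset({"finance"}), risk_score=10)
    managed = Device("LT-0001", managed=True, compliant=True)
    stale = Device("LT-0002", managed=True, compliant=False)
    ledger = Resource("ledger-db", "restricted", "data-tier", frozenset({"finance"}))
    wiki = Resource("public-wiki", "public", "app-tier", frozenset())
    return {
        "healthy": Request(analyst, managed, ledger, "app-tier", encrypted_channel=True),
        "vpn_direct_to_db": Request(analyst, managed, ledger, "user-vpn", encrypted_channel=True),
        "stale_device": Request(analyst, stale, ledger, "app-tier", encrypted_channel=True),
        "stale_device_public": Request(analyst, stale, wiki, "user-vpn", encrypted_channel=False),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        decision = evaluate(req)
        print(name, "ALLOW" if decision.allow else "DENY", decision.reasons)
```

The shape to notice is that the decision is recomputed for every request rather than once at login, and that a device or network failure denies access even when the identity checks pass; that is what distinguishes this model from perimeter-based authorization, where a trusted network location stands in for the missing checks.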
No single tool or partner will be a silver bullet for putting zero trust controls in place. Moreover, the tools you have today may already align with a zero trust approach to security: because Zero Trust is an architecture and not a product, implementing it does not necessarily mean replacing the products and capabilities you operate today. Understanding these pillars and concepts is critical to establishing a zero trust roadmap leading to a zero trust architecture that can adequately protect organizational data and, ultimately, our nation’s security.