INDUSTRY OVERVIEW
4 steps to zero trust maturity – without starting from square one
President Joe Biden's May 12 executive order on improving the nation's cybersecurity (Executive Order 14028) directed the federal government to move toward a zero trust cybersecurity architecture. It required every federal agency to develop a plan for implementing such an architecture within 60 days, a task many are struggling to complete.
Zero trust is a security model that assumes no user or device is implicitly trusted: every entity must be authenticated and authorized each time it requests access to a computing resource, regardless of where on the network the request originates. The National Institute of Standards and Technology and the Department of Defense have both issued guidance for achieving a zero trust architecture.
Because the EO is fairly high level, many civilian agencies don't know where to start. The good news is that for most agencies, getting started isn't as difficult as it sounds. To begin the journey to zero trust, consider these first steps:
1. Understand what a zero trust architecture requires
NIST's Zero Trust Architecture (Special Publication 800-207), while high level, describes the principles of zero trust and the logical components a zero trust framework should include. Agencies should start by communicating these guidelines across the organization and internalizing them.
A good example is standing privileges: access rights that are enabled by default and stay enabled whether or not anyone is using them. Many systems are deployed with predefined root or administrator accounts that let system administrators perform privileged operations such as backing up and restoring data.
Zero trust dictates that such privileges should be active only when they are needed. Agencies can mine the access logs they already collect (SSH logins, sudo invocations, domain logon events) to see how often administrators actually use each privileged account on each system. From that baseline they can set a policy that disables or removes privileged accounts unused for a defined period, a week for example, or a day where the risk warrants it, and then grant administrative access just in time, for the duration of a task, rather than leaving it standing.
The DOD, the Department of Homeland Security and the Intelligence Community are all further along the road to zero trust maturity. By examining the strategies those organizations use, network segmentation among them, civilian agencies can see how the same techniques might apply in their own environment.
It may be unrealistic for a civilian agency to run isolated multi-domain enclaves, but the micro-segmentation and need-to-know access inherent in zero trust borrow directly from those environments. Agencies can aim for the same governance: knowing, and being able to control, exactly what has access inside each of their zero trust security boundaries.
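The log review described under the standing-privileges example above, worked through as an added example in Python (this is not code from the article or from Red Hat). It parses sshd and sudo syslog lines for successful privileged use, compares each standing privileged account in a per-host inventory against its most recent use, and reports accounts idle past the policy threshold as candidates to disable. The host names, the account inventory, the one-week threshold and the log lines are all constructed for the example; the log formats follow OpenSSH's "Accepted ... for" and sudo's default syslog message, with an ISO timestamp prefix assumed.

```python
"""Dormant standing-privilege finder (added example, not the article's code)."""
import re
from datetime import datetime, timedelta

# Assumed policy from the text: a privileged account unused for a week is a candidate to disable.
IDLE_THRESHOLD = timedelta(days=7)

# Assumed inventory of standing privileged accounts per host (hypothetical hosts).
HOST_INVENTORY = {
    "web01": {"root"},
    "db01": {"root", "dbadmin"},
    "app02": {"root"},
}

# Fixed reference time so the run is reproducible (assumed "now").
REFERENCE_NOW = datetime(2021, 6, 15)

# Constructed sample log. The failed login must not count as use, and the
# non-privileged 'deploy' account is ignored because it is not in the inventory.
SAMPLE_LOG = """\
2021-06-01T08:12:33 web01 sshd[1201]: Accepted publickey for root from 10.0.0.5 port 5022 ssh2
2021-06-03T22:41:07 db01 sshd[2290]: Accepted password for dbadmin from 10.0.0.9 port 4411 ssh2
2021-06-08T09:00:12 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
2021-06-10T14:20:45 web01 sshd[3310]: Failed password for root from 203.0.113.7 port 51022 ssh2
2021-06-11T07:55:01 app02 sshd[4421]: Accepted publickey for deploy from 10.0.0.5 port 5031 ssh2
"""

# Direct login as the privileged account over SSH (successful only).
SSH_ACCEPTED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<account>\S+) from (?P<src>\S+)"
)
# Privilege use through sudo: the invoking user ran a command as USER=<account>.
SUDO_USED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo:\s+(?P<actor>\S+) : .*?USER=(?P<account>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def privileged_uses(log_text, inventory):
    """Yield (timestamp, host, account, actor, detail) for every successful use
    of an account the inventory lists as privileged on that host."""
    for line in log_text.splitlines():
        m = SSH_ACCEPTED.match(line)
        if m:
            actor, detail = m["account"], "ssh from " + m["src"]
        else:
            m = SUDO_USED.match(line)
            if not m:
                continue  # failed logins and unrelated lines end up here
            actor, detail = m["actor"], "sudo " + m["cmd"]
        host, account = m["host"], m["account"]
        if account in inventory.get(host, ()):
            yield datetime.fromisoformat(m["ts"]), host, account, actor, detail


def last_use_by_account(log_text, inventory):
    """Map every inventoried (host, account) to its most recent use, or None if unused."""
    last = {(h, a): None for h, accts in inventory.items() for a in accts}
    for ts, host, account, _actor, _detail in privileged_uses(log_text, inventory):
        if last[(host, account)] is None or ts > last[(host, account)]:
            last[(host, account)] = ts
    return last


def dormant_accounts(log_text, inventory, now, threshold=IDLE_THRESHOLD):
    """Return {(host, account): last_use} for accounts idle longer than the
    threshold; last_use is None when the log shows no use at all."""
    return {
        key: ts
        for key, ts in last_use_by_account(log_text, inventory).items()
        if ts is None or now - ts > threshold
    }


if __name__ == "__main__":
    for (host, account), ts in sorted(dormant_accounts(SAMPLE_LOG, HOST_INVENTORY, REFERENCE_NOW).items()):
        when = "never used in log" if ts is None else f"last used {ts.isoformat()}"
        print(f"disable candidate: {account}@{host} ({when})")
```

Starting from the inventory rather than from the log is deliberate: an account that never appears in the log is the most dormant of all, and a log-only approach would never surface it. In a real deployment the inventory would come from a configuration management database or from an automation tool's host facts, and the output would feed a ticket or an automated disable rather than a print statement.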
2. Leverage existing cybersecurity technologies and processes
Once agencies understand the zero trust requirements, they will realize that they probably don't have to tear out and replace their existing technology stack. In many cases they may not even need new security products, at least to start the zero trust journey. For example, existing IT automation tools can be reused to manage the lifecycle of privileged accounts, or to collect the telemetry needed for dynamic, behavior-based access decisions.
After all, the concept of zero trust has been around for more than a decade, and many security tools already provide protections that meet zero trust mandates. What changes is the lens through which agencies view those tools: zero trust supplies a framework for making them work together coherently.
To start leveraging existing security solutions, take an inventory of what is already in place. Agencies have long been required to implement access controls, and most already run multi-factor authentication (MFA) or user behavior analytics in some form. By mapping the existing tools against what the zero trust guidelines require, agencies can quickly see which investments carry forward and where the gaps are. The Cybersecurity and Infrastructure Security Agency's recent Zero Trust Maturity Model can help measure those gaps and decide where to invest.
3. Take advantage of open source solutions that promote zero trust
The open source community is a rich source of solutions for filling these gaps. One thing the open source community does well is innovate, and it is no surprise that its innovations include cybersecurity technologies and standards, many of them designed around zero trust principles.
A good example is Keycloak, an open source identity and access management solution. A key capability is single sign-on (SSO) between applications in the same security domain (a "realm" in Keycloak's terminology). SSO provides centralized access control, an important part of zero trust. Applied to systems that do not otherwise manage access dynamically, a mature SSO solution such as Keycloak can enforce rules and processes at a single point: every application delegates authentication to the identity provider and checks the resulting token against the same policy. The common login experience and consistent request interfaces that Keycloak provides also ease the transition for users and drive adoption.
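What "single point access enforcement" looks like in code, as an added example (this is not Keycloak's code or the article's). A resource server sitting behind a central identity provider accepts a request only if the bearer token carries a valid signature and its issuer, audience, expiry and role claims satisfy policy; because every application applies this one check, the access decision is centralized even for applications that have no access logic of their own. HS256 with a shared secret is used so the example runs on the Python standard library alone; Keycloak issues RS256 tokens by default, which a real resource server would verify against the realm's published JSON Web Key Set. The secret, issuer URL, audience, user and tokens are constructed for the example; the `realm_access.roles` claim layout is the one Keycloak uses for realm roles.

```python
"""Single enforcement point for SSO bearer tokens (added example, not Keycloak's code)."""
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"example-secret-do-not-use"          # assumed; HS256 stand-in for the IdP's RS256 key
ISSUER = "https://sso.example.gov/realms/agency"     # hypothetical realm URL
AUDIENCE = "hr-portal"                               # assumed client id of this resource server
FIXED_NOW = 1_700_000_000                            # fixed clock so the run is reproducible


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=SHARED_SECRET):
    """Issue an HS256 JWT; stands in for the identity provider in this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def authorize(token, required_role, now=None, secret=SHARED_SECRET):
    """Return (allowed, reason). All checks live here, so every application
    behind the SSO gets the same decision for the same token."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"   # refuses alg=none and algorithm-confusion tokens
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"    # only now are the claims trustworthy
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if not (aud == AUDIENCE or (isinstance(aud, list) and AUDIENCE in aud)):
        return False, "wrong audience"   # a token for another app is not valid here
    if claims.get("exp", 0) <= now:
        return False, "expired"
    roles = claims.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        return False, "missing role"
    return True, f"{claims.get('preferred_username')} allowed"


# Constructed claims for a hypothetical user, valid for five minutes past FIXED_NOW.
EXAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": AUDIENCE,
    "exp": FIXED_NOW + 300,
    "preferred_username": "alice",
    "realm_access": {"roles": ["hr-admin"]},
}

if __name__ == "__main__":
    good = mint_token(EXAMPLE_CLAIMS)
    forged = mint_token(EXAMPLE_CLAIMS, secret=b"attacker-guess")
    print(authorize(good, "hr-admin", now=FIXED_NOW))
    print(authorize(good, "finance-admin", now=FIXED_NOW))
    print(authorize(good, "hr-admin", now=FIXED_NOW + 600))
    print(authorize(forged, "hr-admin", now=FIXED_NOW))
```

The ordering of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so a token that was never issued by the identity provider cannot influence the decision, and the audience check stops a token legitimately issued for one application from being replayed against another.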
4. Realize that zero trust is a journey, not a destination
Remember: zero trust is not a technology or a product; it is a framework. Agencies can apply the architecture to their current technologies and use cases, but they will also need to apply it as they adopt new technologies and applications. As agencies integrate existing systems and build new ones, they will need to align them with zero trust. In practice this can mean rejecting applications that do not support fine-grained access control.
Going forward, agencies will want to improve their zero trust defenses continually. For example, they can analyze user behavior more closely, feed more contextual attributes (device posture, location, time, resource sensitivity) into access control decisions, and draw narrower perimeters for more robust layered defenses. Machine learning that flags risky activity, alongside human review and rule-based systems, can be a good place to start.
The time to start implementing zero trust has already passed. But getting started isn’t as daunting as it might sound. And it has never been more crucial to begin the journey to enhanced cybersecurity that helps protect operations and support the agency’s mission.
About the Author
Michael Epley is chief architect and security strategist for the North American public sector at Red Hat.