Zero Trust is a new overarching model. It is closer to defense in depth than to buying a new product or solution. The model fundamentally changes how we access our data and processes, and it greatly increases the effectiveness of current security tools.
The conventional whack-a-mole method of identifying a new risk, implementing a security product to plug the gap and then identifying the next pressing risk has failed. There are just too many areas to attack and new gaps to fill.
Zero trust transforms this approach by minimizing the areas that can be attacked. It will be a multi-year effort to transform the complex infrastructures in the Federal space to a mature zero trust model.
It’s important to take a good look at your systems, people, and processes. Set up a long-range plan to put zero trust and a comprehensive automated network detection and response capability in place. Leverage cloud migration to implement the individual pieces. If you have a manual process, look to eliminate or automate it. Three good pieces to plan for are identity, inventory and response.
- Identity – Multifactor authentication with common access card personal identity verification (CAC/PIV) integration
- Inventory – Get Automated Security Asset Management tools that can continuously probe for endpoints and their compliance. It’s amazing to learn what you’re actually attached to. This is a key first step to a more complete Network Visibility
- Response – Implement SIEM/SOAR detection and response products. Use hybrid solutions that include cloud security and intrusion detection. Look to products that fully integrate with your existing tools and provide a “single pane of glass” view of your full network, since most networks have at least 40 security tools in operation.
Many will not have staff to operate all of these to meet a current threat. I recommend implementing automation and integrating these tools into a single consolidated view.
Zero Trust First Steps
The Executive Order and subsequent directives present a series of very broad strategic goals for the Federal space. However, the directives also contain three specific immediate actions:
- Adopt multi-factor authentication & eliminate passwords
- Encrypt data
- Prioritize the most sensitive data or data under the greatest threat for greater protection.
It is no accident that these three actions were prioritized by the EO. Easily hacked passwords, theft of unencrypted data, and serious breaches involving sensitive data are consistently ranked as the biggest vulnerabilities facing government organizations. Implementing these steps will address immediate threats and go a long way down the path to Zero Trust.
Adopt Multi-Factor Authentication (MFA)
CAC/PIV cards have been the very successful go-to for access for some time. They have a robust issuing system that strongly identifies the holder and eliminates passwords. They can be used not only for workstation access, but also at gates and doors, and as a wearable badge.
We acknowledge that few personnel are passing through the facility gates or doors these days, or logging into their cubicle workstations. That reality creates a strong need for equally secure methods for allowing mobile devices that incorporate new identification features such as facial recognition, but don’t have the traditional CAC slot.
The new FIDO2 protocol for multi-factor solutions allows an approved mobile device alternative to work alongside the traditional CAC/PIV type of solutions for Federal users. Unlike previous authentication methods, multi-factor automatically re-authenticates the user every time they attempt to access a different application or object.
Good multi-factor solutions assess current risk using features like geo-location, biometrics, time limits, patch status and others to provide a dynamic risk threshold for each access attempt. They eliminate a traditional VPN weakness where once someone gets in, they are into everything on the network. Just because you access a file from home doesn’t mean you’ll get the same access 10 minutes later from Ukraine.
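A per-attempt evaluator of the kind described above, written as an added example for this page (it is not any agency's or vendor's product): every attempt is scored on geo-location, time since the last MFA and patch status, and a jump of thousands of kilometres within minutes is flagged as impossible travel. The thresholds, the constructed coordinates and the `AccessAttempt` fields are assumptions.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Thresholds are illustrative assumptions, not values from any standard.
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than an airliner between two attempts = impossible travel
MAX_MFA_AGE_S = 600              # time limit: MFA older than 10 minutes must be redone
EARTH_RADIUS_KM = 6371.0

@dataclass(frozen=True)
class AccessAttempt:
    user: str
    ts: float        # unix time of the attempt
    lat: float       # geo-location reported for the attempt
    lon: float
    patched: bool    # endpoint posture: patch level is current
    mfa_ts: float    # unix time the user last completed MFA

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def evaluate(prev, cur):
    """Decide one attempt; `prev` is the same user's previous accepted attempt or None.
    Returns ("allow"|"step_up"|"deny", reasons). Every attempt is re-evaluated, so an
    earlier allow never carries over to the next application or object."""
    reasons = []
    if not cur.patched:
        reasons.append("device_unpatched")
    if cur.ts - cur.mfa_ts > MAX_MFA_AGE_S:
        reasons.append("mfa_stale")
    if prev is not None:
        hours = max((cur.ts - prev.ts) / 3600.0, 1e-9)  # avoid division by zero
        speed = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append("impossible_travel")
    if "impossible_travel" in reasons or "device_unpatched" in reasons:
        return "deny", reasons       # hard signals: refuse and raise an alert
    if reasons:
        return "step_up", reasons    # soft signal: demand a fresh MFA before granting
    return "allow", reasons

if __name__ == "__main__":
    # Constructed scenario: a file opened from home, then the same user 10 minutes later from Kyiv.
    home = AccessAttempt("alice", ts=0, lat=38.9, lon=-77.0, patched=True, mfa_ts=0)
    abroad = AccessAttempt("alice", ts=600, lat=50.45, lon=30.52, patched=True, mfa_ts=0)
    print(evaluate(None, home))     # ('allow', [])
    print(evaluate(home, abroad))   # ('deny', ['impossible_travel'])
```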
Authentication passwords are only a portion of passwords in your network. Implementing multi-factor authentication would also be a good time to clean up your legacy permissions wherever possible. Search for all passwords, default certs, and other secrets in your code, applications, tools, service accounts and other processes, along with privileged admin accounts.
Implement a password vault solution.
Eliminating as many passwords as possible, especially privileged passwords, is a great bang for the buck in preventing hackers from using escalation and lateral movement attacks against your systems and data. Some legacy applications can only function with passwords and will need eventual replacement.
Encrypt data at rest and in transit to the maximum extent
Traditional security goes to great lengths to keep the bad guys out. Zero trust assumes they’re already inside, ready to extract your data. A great defense is to render your data useless to them with encryption. Most networks have a lot of encryption solutions already available. Some may have self-encrypting hard drives and SSDs. Microsoft has BitLocker. One option is to encrypt databases and use TLS between servers. The bottom line is that you should turn on whatever encryption you already have in place and then architect a complete encryption solution. Cloud migrations will require new solutions that take micro-segmenting and encrypting cloud-native structures into account.
Encryption is a double-edged sword. By encrypting traffic, your sensors become blind to indications of attack. You also need solutions that can break and inspect the increasing flow of encrypted connections to prevent malware and data loss. Performing “break and inspect” is VERY resource intensive so it is best to look toward cloud-based solutions.
Prioritize the most sensitive data, or the data under the greatest threat, and build solutions for that data
The process of implementing role-based access control for all your data and all your users is a major undertaking that you will eventually need to complete in the zero trust maturity process. First identify what is usually about 10% of unclassified data that would cause real harm if stolen or released. Focusing just on that data will greatly simplify the task. Set strict guidelines and resist adding any data outside the guidelines at this stage. This will increase the chance of completing your project successfully in a reasonable timeframe.
A lot of high-risk data is easy to find, as it is already marked (e.g. PII or Sensitive). Create solutions to isolate this data and strictly limit access.
Be especially aware of any outside connections to this data; improperly implemented external connections have caused some of the worst supply-side breaches.
If you have HIPAA controls implemented, you already have the isolation of sensitive patient data in place, and those designs would only need to accommodate any additional data you identify.