A Zero Trust Cybersecurity Primer for Federal Agencies

Authors: Kavan Weerasinghe, Director, Program Delivery at Makpar; and Sahan Seneviratne, CISO, MOQdigital

This article is an introduction to the Zero Trust security posture for government agencies. Zero Trust has become a hot topic and is considered the next shiny new technology, a perception reinforced by hype mostly generated by vendors.

Offering a wide-angle view of the Zero Trust model, this article covers the basics of what Zero Trust is and its overall merits. The intended audience is the corporate and government agency C-suite: readers who have a basic knowledge of cybersecurity and a desire to learn more. This article does not go deep into the details, technical or otherwise. However, it will clear up a few misconceptions, all from a consumer’s perspective. Essentially, it is meant to generate interest in Zero Trust, generate further conversation on its merits, and steer a consumer toward some substance associated with Zero Trust.

Trust View

The goal of cybersecurity has always been to prevent unauthorized disclosure, alteration, or destruction of assets. All existing physical, technical, and administrative security controls work toward the protection of assets, which are data, systems, processes, and most importantly people. Most preventive measures, including IAM (identity and access management), have been placed at the ingress and egress points of a network (i.e., VPN, firewall, router, etc.).

Most if not all current security models, postures and related controls, especially the technical and administrative controls in place today, have protected assets by relying on network or perimeter devices such as firewalls, gateways, routers and their related controls. The outer zone is untrusted and the inner zone is the trusted “safe” zone – at least this is thought to be so. Therefore, the current security posture is dependent on scrutinizing and monitoring “North to South” traffic – from the untrusted Internet to the supposedly internal trusted corporate network zone.

Suffice it to say, we now know that this Trusted Zone is not as “safe” as it ought to be. The “Trust” that is expected or assumed turns out to be a major flaw exploited repeatedly by attackers. Over time, attackers got into the Trusted Zone by concealing themselves and changing attack vectors, including stealing legitimate identities. Once in the Trusted Zone, they stay dormant, elevate their privileges, and launch attacks on the assets located within this zone.

The malicious actor freely travels laterally – also known as “East to West” traffic – within the Trusted Zone, mostly going unnoticed and thus exposing the fundamental flaw of current IT postures. This real-world scenario gives rise to the saying that there are two types of corporate networks: those known to have been compromised, and those compromised without the guardians of the network knowing it. This is based on the aforementioned thinking that once you are scrutinized at the perimeter and the network layer, you can be trusted thereafter.

Given this situation, consumers now know two things:

  1. There is no such thing as a Trusted Zone;

  2. East-West lateral traffic needs to be authenticated and authorized at a granular level within the Trusted Zone, and at each key resource, protected by policy-based access and monitoring controls.

Ultimately, this change in thinking forms the basis of the Zero Trust security posture.

Mixed Results

To switch gears, the familiar saying, “you can’t repeat the same things, expecting different results,” is apt in the state of affairs today when it comes to cybersecurity. 

Cybersecurity is at a crossroads where technology has made significant gains. However, the current posture has yielded mixed results.

We will get back to this saying later in this article. For now, some would agree that cybersecurity postures are complicated, slow to adopt, burdensome, and therefore in need of an overhaul. 

The supply chain attacks in 2021 further highlighted how attackers are able to get past perimeter security and, once inside the network, have been able to dwell undetected for days, weeks, and even months. Hence the question: why are these attackers able to do this within our current security postures?

In comes a “new” security posture known as Zero Trust. It has certainly gained attention in the recent past albeit clouded in a haze of information, misconceptions, and varying opinion on what “it” is and how it should be implemented. 

While Zero Trust is not a silver bullet by itself, it is an opportunity to change how security is implemented, an opportunity to gradually but significantly change the current security posture to one that is more nimble, adaptable and less dependent on traditional perimeter security. The misinformation spread to consumers, in some cases by well-meaning but narrowly focused vendors, has led most to believe that it is a technical solution and an all-or-nothing proposition, which it is not.

Tradition

When it comes to the foundation of cybersecurity, it is based on the “CIA Triad” (i.e., protecting an asset’s Confidentiality, Integrity, and Availability). It is also known that a security posture or model is effective when authentication, authorization, and non-repudiation can be implemented in unison to ensure the triad, thus protecting computing assets.

Hence, it does come as a surprise that most current-day systems are focused mostly on Availability. This is due to the genesis of the Internet, where the critical achievement was to be able to connect two remote systems via an interconnected network. Confidentiality and Integrity were bolted on later as an afterthought via firewalls and encryption technology. This bolt-on nature is why current security solutions are cumbersome and have become ineffective.

Network layer-based technology solutions, such as firewalls and other boundary security solutions, check users/requests at the periphery or at layer 4. The intention is to let traffic through in the most efficient manner from the outside through to an asset residing within the inner “Zone of Trust.” Once the user is inside, there are few or no subsequent checks on, or monitoring of, requests to access application assets and the data itself.

This network-level check has proven very ineffective from a security perspective, as there are few or no adaptive controls once an entity is inside the Trusted Zone. Current models assume that once a user is inside, they will go on to act responsibly and can therefore be trusted. The Zero Trust posture, on the other hand, recognizes that doing so (i.e., trusting a user within the secure zone) is a huge vulnerability; hence Trust is never given nor assumed. Access to each asset within the secure zone is managed with additional, adaptive controls at the asset level and scrutinized at layer seven (7), so that the requester’s communication requests and payload are inspected for anomalous requests, malware and other malicious patterns and behavior.

A case in point is the type of threat actor known as an Advanced Persistent Threat (APT), a state-sponsored attacker who gets into the Trusted Zone by hijacking legitimate credentials, via malware, backdoors, etc. They patiently dwell inside this Trusted Zone waiting for the opportunity to penetrate deeper, ultimately into data resources within the Trusted Zone. No matter how many more peripheral, zone-based technologies one continues to add, the result is not going to change.

Vulnerability of Trust

Zero Trust as a security posture secures your information assets in a fundamentally different way, and thus flips the adage of doing things differently to expect a different result. 

The fundamental difference is the basis of the model, which is “trust no one.” This is why Zero Trust is considered a fundamental change in security approach, and not merely a shiny new technology. 

Each asset is protected at a granular level. A gatekeeper intercepts each access request, and the requester must be authenticated and authorized before accessing the resource, via a continuously monitored and administered policy engine that learns and adapts to a changing environment. Zero Trust involves continuous verification of every request, verifying at multiple points within the Trusted Zone and inspecting requests at all levels, to all applications, by all devices and users.
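The contrast between the layer-4 check described under “Tradition” and the per-request gatekeeper described here can be made concrete with a small model. The following is an added example and is not code from the article or from either author’s organization; the user names, resource names, network range, entitlement table and the simple payload pattern are all constructed for illustration. `perimeter_decision` models “inside the trusted network means allowed”; `zero_trust_decision` models a policy engine that evaluates identity, entitlement, authentication strength, device posture and request content on every request, with the source network playing no role.

```python
"""Per-request access decisions: perimeter trust vs. Zero Trust.

Added example, not from the article. All names, ranges and policy
values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Tuple
import ipaddress
import re

# Constructed "inside" range that the perimeter model treats as trusted.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    action: str              # "read" or "write"
    mfa_verified: bool       # strong authentication completed for this session
    device_compliant: bool   # e.g. managed, patched, disk encrypted
    payload: str = ""        # request body, inspected at layer 7


# Constructed authorization data: which (resource, action) pairs each user holds.
ENTITLEMENTS = {
    "alice": {("payroll-db", "read"), ("hr-app", "read"), ("hr-app", "write")},
    "bob":   {("wiki", "read"), ("wiki", "write")},
}
# Constructed list of high-value assets that require MFA and a compliant device.
HIGH_VALUE = {"payroll-db", "hr-app"}
# Crude content check standing in for a real layer-7 inspection engine.
SUSPICIOUS_PAYLOAD = re.compile(r"(?i)(union\s+select|<script|\.\./)")


def perimeter_decision(req: Request) -> bool:
    """Traditional model: a request from inside the network is trusted."""
    return ipaddress.ip_address(req.source_ip) in TRUSTED_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Zero Trust model: every request is checked; network location is not a factor."""
    if (req.resource, req.action) not in ENTITLEMENTS.get(req.user, set()):
        return False, "not entitled"
    if req.resource in HIGH_VALUE:
        if not req.mfa_verified:
            return False, "mfa required"
        if not req.device_compliant:
            return False, "device not compliant"
    if SUSPICIOUS_PAYLOAD.search(req.payload):
        return False, "suspicious payload"
    return True, "allowed"


# Constructed scenarios: a stolen credential used from inside, a legitimate
# remote user, an injection attempt from inside, and an unentitled insider.
SAMPLE_REQUESTS = [
    Request("alice", "10.5.5.5", "payroll-db", "read", False, True),
    Request("alice", "203.0.113.7", "hr-app", "read", True, True),
    Request("bob", "10.1.1.1", "wiki", "write", True, True,
            payload="x' UNION SELECT password FROM users"),
    Request("bob", "10.1.1.1", "payroll-db", "read", True, True),
]


def compare(requests):
    """Return (perimeter_allowed, zero_trust_allowed, reason) for each request."""
    results = []
    for req in requests:
        zt_ok, reason = zero_trust_decision(req)
        results.append((perimeter_decision(req), zt_ok, reason))
    return results


if __name__ == "__main__":
    for req, (p, z, why) in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(f"{req.user:6} {req.source_ip:13} {req.resource:11} "
              f"perimeter={'allow' if p else 'deny':5} zero_trust={'allow' if z else 'deny':5} ({why})")
```

The first and third scenarios are the ones the article is concerned with: the perimeter model allows them because the source address is “inside”, while the per-request model denies them on the strength of authentication and on the payload. The second scenario shows the reverse: a legitimate user working remotely is denied by the perimeter model but allowed by the policy engine, which is the “less dependent on traditional perimeter security” property described above.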

Furthermore, Zero Trust is not merely adding another piece of software, hardware, policy or a process, and it is not a product. It works within the existing security posture, layering targeted security controls at the asset level. This posture reduces the burden on the perimeter security model. 

This shift essentially implements security by design, overlaying a gradual, well-defined security engagement posture to new, and existing networks. This posture finally enables security beyond mere Availability, including Confidentiality and Integrity in equal measure. This philosophy requires a paradigm shift in an agency, and a deeper understanding of how to transition from the traditional peripheral North-South Security model to a North-South and East-West security model. 

High Value Assets

Key resources and assets within scope and inside the Trusted Zone that benefit from a Zero Trust granular protective posture include applications, peripherals (including mobile phones and IoT-based devices), network infrastructure, and most importantly the data.

Zero Trust is a combination of Identity and Access Management, network micro-segmentation, and improved logging and monitoring, using Automation and AI. All of this together and in some cases on top of existing network-centric (layer 4) security will become the journey of Zero Trust.
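The second item in the “Trust View” list (granular authorization and monitoring of East-West traffic) and the micro-segmentation and logging components named here can be illustrated together with a small review over flow records. This is an added example, not code from the article or from either author’s organization; the log format, segment names, addresses, the segmentation policy table and the fan-out threshold are all constructed for illustration. It shows two defender-side checks: flows that a default-deny segmentation policy would not permit, and a single identity reaching an unusual number of internal hosts in a short window, which is the lateral movement pattern the article describes as going unnoticed.

```python
"""East-West (lateral) traffic review against a micro-segmentation policy.

Added example, not from the article. Log format, segments, addresses,
policy table and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed policy: (source segment, destination segment, port) flows that
# are explicitly permitted. Anything else is a violation (default deny).
ALLOWED_FLOWS = {
    ("workstations", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("admin", "db", 5432),
}

# Constructed flow records in a simple key=value format. The "alice" lines
# after 10:01 model a compromised workstation probing its own segment and
# reaching directly for the database.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z user=alice src=10.1.0.10 src_seg=workstations dst=10.2.0.5 dst_seg=web port=443
2021-06-01T10:00:02Z user=svc-web src=10.2.0.5 src_seg=web dst=10.3.0.7 dst_seg=app port=8443
2021-06-01T10:00:03Z user=svc-app src=10.3.0.7 src_seg=app dst=10.4.0.9 dst_seg=db port=5432
2021-06-01T10:01:10Z user=alice src=10.1.0.10 src_seg=workstations dst=10.4.0.9 dst_seg=db port=5432
2021-06-01T10:01:11Z user=alice src=10.1.0.10 src_seg=workstations dst=10.1.0.11 dst_seg=workstations port=445
2021-06-01T10:01:12Z user=alice src=10.1.0.10 src_seg=workstations dst=10.1.0.12 dst_seg=workstations port=445
2021-06-01T10:01:13Z user=alice src=10.1.0.10 src_seg=workstations dst=10.1.0.13 dst_seg=workstations port=445
2021-06-01T10:01:14Z user=alice src=10.1.0.10 src_seg=workstations dst=10.1.0.14 dst_seg=workstations port=445
2021-06-01T10:30:00Z user=dba src=10.9.0.2 src_seg=admin dst=10.4.0.9 dst_seg=db port=5432
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) src_seg=(?P<src_seg>\S+) "
    r"dst=(?P<dst>\S+) dst_seg=(?P<dst_seg>\S+) port=(?P<port>\d+)$"
)


def parse(log_text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["port"] = int(rec["port"])
        records.append(rec)
    return records


def policy_violations(records, allowed=ALLOWED_FLOWS):
    """Flows not explicitly permitted by the segmentation policy."""
    return [r for r in records
            if (r["src_seg"], r["dst_seg"], r["port"]) not in allowed]


def fan_out(records, threshold=4, window=timedelta(minutes=5)):
    """Identities that reach at least `threshold` distinct hosts within one window.

    Returns {user: distinct_host_count} for the first window that crosses
    the threshold. Thresholds must be tuned to each environment's baseline.
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            hosts = {r["dst"] for r in recs[i:] if r["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                flagged[user] = len(hosts)
                break
    return flagged


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for v in policy_violations(recs):
        print(f"VIOLATION {v['ts']:%H:%M:%S} {v['user']} "
              f"{v['src_seg']}->{v['dst_seg']}:{v['port']} ({v['src']}->{v['dst']})")
    for user, count in fan_out(recs).items():
        print(f"FAN-OUT   {user} reached {count} distinct hosts within 5 minutes")
```

Both checks depend on having flow records from inside the Trusted Zone in the first place, which is why the article lists improved logging and monitoring alongside micro-segmentation: a segmentation policy that is enforced but never reviewed shows where blocks occurred, and a fan-out check with no East-West telemetry has nothing to run over.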

In summary, most enterprises require a leadership team that understands that Zero Trust is a journey requiring cultural change and an iterative approach, and that views cybersecurity as a business enabler. That team comprises senior leaders including the CISO, Zero Trust facilitators, and IT engineers who are well versed in the business and have some prior experience with the technology associated with Zero Trust.

A team that understands and can plan for a gradual rollout, a deliberate build-up of the Zero Trust ecosystem one brick (or one room) at a time, is critical. Zero Trust includes architectural principles, approaches, and frameworks that together combine to form a granular protective net. All users and their requests, no matter where they reside, are validated, leading to a continually adapting security posture.

Zero Trust is here to stay and therefore the next article will continue to expand on the building blocks of Zero Trust, look at the challenges posed by the layering of a Zero Trust posture, and some key Use-Cases.

About the Authors:

Kavan Weerasinghe is a technologist, mentor and member of the Makpar Leadership team. He has lived and worked in several countries and as such has experiences at a strategic, tactical and operational level of many organizations. His mission is to educate, and spur debate with the aim of mitigating the overbearing nature of current IT solutions and the underlying business and security postures of organizations. 

Sahan Seneviratne is passionate about cybersecurity and believes in having simple solutions for even the most complex problems. He has more than a decade of experience in the IT Services sector  and specializes in Information Security and Governance. Having worked in several global companies, including one of the largest ERP solution providers in the world, he is currently the CISO for the regional office of an Australian IT Services provider.

Makpar offers a wide-range of educational content to provide federal agency leaders with all of the strategic tools and insights they need to develop the strongest possible cybersecurity postures today – and into the future. Click here to access our comprehensive library of cyber-related content.

The Makpar Innovation Lab also continually introduces new products and services for our government clients through the testing and development of the latest emerging technologies – including new tools for better capturing and cataloging of data. Learn more here.

Finally, Makpar’s highly skilled and certified cybersecurity experts understand the technology and methodologies required to preserve the Confidentiality, Integrity, and Availability of information in all computing environments. Please click below to learn more.
