Why zero trust is having a moment

Just a few years ago, zero trust security for federal systems was wishful thinking. The benefits were obvious, but actual implementation seemed inconceivable. Today, forward-leaning agencies are actively incorporating zero trust into their security models, and Federal Chief Information Security Officer Chris DeRusha has said the White House will push all federal agencies toward a "zero trust paradigm."

FCW recently gathered a group of IT leaders to explore why this long-discussed concept is now getting traction and how they are approaching what is still a somewhat daunting transformation. The discussion was on the record but not for individual attribution (see sidebar for the list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.

Old ideas but new capabilities

When asked for a baseline definition of zero trust, participants described the concept as "context-based least-privileged access" or "ICAM done right," referring to identity, credential and access management.

One security executive said, "I don't know why we can't just defer to the [National Institute of Standards and Technology's] Special Publication 800-207definition, which says right upfront that zero trust is all about moving away from static network-based controls on access to things and focusing instead on people, their devices and the resources they're trying to access. So it's a break from traditional thinking. We have to be a bit more flexible in the way we manage access to data and to the systems that manage that data."

Another criticized the zero trust label itself, arguing that "it focuses us in the wrong place. We have to figure out what we can trust. And it's not just the people, it's not just the user, it's the entire context for the entire communications."

Part of the confusion about zero trust stems from the fact that it incorporates security concepts that have been around for a long time. "This is not some brand-new thing that has come out of the ether," one participant said. "Years ago, we talked about attribute-based access control."

The group agreed that the difference today is that zero trust looks beyond users to manage access control and aims for constant monitoring and a dynamic, data-driven response that would have seemed unworkable just a few years ago. "It's really about the technology and capabilities we have at our disposal now that we just didn't have before," one official said. "We have AI and machine learning available as a service in the cloud. When we think about zero trust, these have existed probably since the dawn of time, but how the technology has shifted and how we're able to leverage that technology are the real big drivers here."

Embracing those new capabilities, however, requires changes to the IT infrastructure and especially to the data agencies must capture and integrate. As one participant said, "It's important to highlight that because folks can say, 'We've been doing this for a long time. You just put a different label on it.' No, this is different because we're driving toward a future architecture that is better optimized for all the new capabilities that have been developed."

It's not just networking

Government's interest in zero trust originally focused on computer networking. Yet when the federal CIO Council asked ACT-IAC to explore the applicability of zero trust security in 2018, "it became apparent almost at light speed that it's bigger than the network," one official recalled. "We're talking about zero trust architectures, not just zero trust networking. Networking is a very critical subset of the discussion, but it's really about that architecture."

To illustrate that broader scope, consider the variables that can feed into a dynamic risk assessment, another official said. "I used a PIV card versus a username and password. There's a different risk to those things. Did I come in on a mobile device? Is it a managed mobile device? Am I coming from a known network?" The data being accessed can also be an important indicator and so can the individual user's overall performance or job status. "It's got to be ongoing authentication. You've got to keep checking."

One official pointed out that there are four main elements of a zero trust architecture. "The first, of course, is ICAM and identity. Next, we need to talk about data," which includes the data to be protected and the data needed to assess risk and determine trust. Third is "the control fabric or the control plane, and that's really all these technologies that we've been talking about."

Finally, the official said, "we get to the fourth piece, which ACT-IAC calls the trust engine. NIST calls it the policy engine. And it's really about where we are using tools and technologies like machine learning, artificial intelligence and even just robotic process automation" to make sense of all the data and grant or restrict access based on dynamic risk assessments.

The concept can extend even further than that, another official argued. "We're talking about zero trust operationally, which is just fine, but you can look at this zero trust model even in the acquisition process."

"Zero trust is a model, and the model changes over time," another agreed. "SolarWinds is a good reality check. Here's a product a lot of people are using. They trusted it on their network. They didn't think it would be exploited. It was just a given, like we trust our inside employees."

Ideally, zero trust should extend throughout the supply chain, that official added, but even a limited implementation would have helped minimize the impact of the SolarWinds breach by detecting "the lateral movement and the escalation of privilege."

Whether the threat is ransomware, persistent nation-state attacks or "anything that's self-propagating," another participant said, zero trust is "incredibly effective in reducing the impact of all those types of attacks. So that makes it really, really key."

Data, data and more data

Such a holistic monitoring and automated risk management effort requires a tremendous amount of data, the group agreed.

"There are datasets that you're going to want to bring in that haven't traditionally been there," one official said. Physical access logs and data that usually lives with human resources are important. "Are we tied into the travel system? Are we tied into the performance system? Are we tied into onboarding and off-boarding? When we start to paint a picture about the risk and when understanding risk is quantified, we have to start thinking about these data sources" that don't normally feed into a security information and event management system.

"For example, someone gets a bad performance review, and then all of a sudden we start to see a lot of data traffic and a lot of file [input/output]," that official said. "Those two things together are pretty suspect. And so when we think about the zero trust architecture, we have to start broadening that concept."

"In many cases, this is new for organizations," another participant said. "There's heavy bifurcation and firewalling between those areas. To move zero trust forward into its truly optimized form, we have to be working with our chief data officers to understand what data we have in the environment that might be useful for us." Chief privacy officers are also essential to the effort, the official added.

Even with the data feeds more traditionally used for security, the old ways of operating need to be revisited. Security teams can no longer own all the tools, one official said. "For most of us, when we deploy security, by golly, that means pizza boxes in the data center. We have to take a step back and be willing to say, 'What I really need is the data. And I need it in this format and in this frequency in this place. And if you can get me that, do what you want, but I need the visibility so I can understand risk.'"

Where to start?

The idea of implementing such an all-encompassing model is daunting, the group acknowledged. Even Google, which pioneered the use of zero trust, took years to get "to where they felt like they had truly adopted" it, one official said — despite being a centrally organized, lightly regulated company with "fairly young IT infrastructure."

"It is going to take us a lot longer, frankly, to move in that direction," the official said.

But incremental progress can be made, others argued. "You can't just put zero trust on everything — you've got to prioritize," one official said. "So you start by identifying the high-value assets, the most important data, and continually iterating as you get this in place."

Another suggested working on "one use case at a time or one user community at a time, starting with remote users where it's easier to put in inline enforcement, especially with some of the cloud-enabled solutions where the policy can follow the user."

"It's taking it from a monolithic, endless project to, 'We can do it here, and then we can do it over there,'" that official said. "And every time we do it, we're building toward a larger strategic initiative."

There is no zero trust merit badge to be earned, another participant said, and "some of the most useful zero trust stuff that we've done over the last couple of years doesn't have zero trust anywhere in their project documentation. But we made it much easier for software developers to integrate with the platforms that we use for authentication. We made an effort to go through and review information in our global directories to make sure they actually were correct. Those were huge boons to our maturity as a zero trust organization."

The governmentwide commitment to zero trust is real, the group agreed. It comes up in virtually every discussion by the CIO and CISO councils, participants said, and there was optimism that the recent infusion of money into the Technology Modernization Fund could be a catalyst. "Something that really drives hard has to be backed with the right resources," one executive said. "There's a big hope that the CISOs, the security folks and the CIOs are going to step up and say, 'We want to make some big shifts in cybersecurity.'"

"We've got the people who are the early adopters moving forward," another observed. The real question is: "How are we gaining the momentum for the masses?"