Disruptive by Design: In God and Zero Trust We Trust
More than just a buzzword phrase, though, zero trust is better understood as an approach to security.
When I hear of zero trust, I think of “In God We Trust,” the motto printed on U.S. currency and Florida’s official motto. More than just a buzzword phrase, though, zero trust is better understood as an approach to security.
In a recent SIGNAL Magazine article, Shaun Waterman noted zero trust’s criticality for data strategies, a notion I couldn’t agree with more. In the Defense Department, our data-based strategy includes more than life or death decisions civilians make every day; thus, the paramount value of data integrity we can trust. Zero trust is a way to attain and sustain data integrity with adaptability.
Now to the finer details for zero trust, including security, access and architecture.
In one learning center dive, I found the following principles to zero-trust security: continuous monitoring and validation, least privilege, device access control, micro-segmentation, preventing lateral movement and multifactor authentication. It’s a lot!
For the sake of understanding, I’ll give an example of each. First, continuous monitoring and validation are captured in individuals and organizations carrying out operations, focusing on both internal and external attackers. Users and machines can be attackers. In the Defense Department, laptop sessions time out, and we have lessons in annual cyber awareness training.
Next, least privilege, which can also feel the least helpful to organizations when abrupt departures take place and teammates suddenly need more access to cover for a colleague. Least privilege is like need-to-know basis operations, ensuring clearances are the lowest necessary for individuals—their permissions, accesses and authorizations.
Device access control is similar to least privilege since it still limits users but does so by limiting the type, authorization and status of the device. For example, I’m unlikely to be able to use my personal cellphone to access a Defense Department laptop’s desktop, shared drives and intranets.
Next is micro-segmentation, which translates to damage control in my mind. Palo Alto Networks defines it as “a method of creating zones in data centers and cloud environments to isolate workloads from one another and secure them individually.” At the same time, Illumio describes benefits as: reducing attack surface area and preventing spread of data center and cloud environments breaches.
I’d posit some federal cybersecurity incidents could have been less disastrous with greater micro-segmentation—perhaps with demographics used by marketing organizations—thereby mitigating the magnitude of information theft by attackers.
Then there’s the zero-trust principle of preventing lateral movement. This means an attacker inside a segmented zone would be unable to reach other segmented zones without successfully reestablishing access on an ongoing basis. COVID-19 is an apt metaphor; the virus contacts or attacks the body, and the body needs to be quarantined to prevent further spread.
Finally, multifactor authentication (MFA) is a favorite. It is experienced when one must use multiple ways to authenticate a user. Many of us have MFA for online banking when signing in via a two-factor authorization such as username and password coupled with a one-time passcode sent via email or text.
Now that we’ve got a good handle on zero trust origins, comparisons and composition, let’s look forward.
Zero trust is part of a resilient federal future and is gaining momentum among various areas of the federal IT landscape. The National Institute of Standards and Technology (NIST) points out in SP 800-207 that enterprise architectures have grown too complex for perimeter-based network security “as there is no single, easily identified perimeter for the enterprise.” A zero-trust approach, the NIST document adds, is “primarily focused on data and service protection but can and should be expanded to include all enterprise assets… .”
The Defense Department is creating a team and starting implementation of a zero-trust architecture this fall, John Sherman, chief information officer, said in August. The zero-trust strategy is different from a mere purchase or bolt-on tool, and I’m hopeful about the marriage of technical and cultural change being a priority. Efforts I didn’t realize are already underway for future study and experience. They include the Defense Information Systems Agency’s Thunderdome program, among other pilots. I’m eager to see zero trust move full-speed ahead in the federal government, and I hope you are too.
In zero trust we trust.
Jennifer Miller is a business operations manager for the Defense Health Agency. She is a certified government financial manager, a certified defense financial manager with acquisition specialty and a member of the American Society of Military Comptroller’s Washington Chapter.
Opinions, conclusions and recommendations expressed or implied within are solely those of the author. They do not necessarily represent the views of the U.S. Defense Department or any other U.S. government agency.