The Zero Trust Approach To Information Security For The Mobile Workforce: Sponsored Content
This scenario is all too common of late: a service member teleworks from home, supporting his command's logistics and connecting to his government network with a Common Access Card (CAC). As the pandemic abates across the United States, he and many others in the workforce will continue telecommuting, and governments have committed significant resources to cloud-based services and to cybersecurity solutions for accessing cloud data.
A Zero Trust approach is imperative in a world where data and users are no longer co-located inside the same perimeter, as the White House's Executive Order 14028 of May 12, 2021 makes clear. Deploying strong authentication up front, as the foundation of a Zero Trust strategy, is also key to mission success.
The urgent need for supplemental authentication to the CAC
While the CAC offers strong security, it is a 20-year-old DoD platform and falls short for authentication to cloud environments and for use on mobile devices. Federal agencies need newer authentication technologies alongside it, namely hardware security keys such as YubiKeys from Yubico, which are built for cloud- and mobile-first environments. These keys can support both CAC authentication, through a derived CAC (PIV) credential, and the newer FIDO2 authentication standards. They also defeat the man-in-the-middle (MitM) and phishing attacks that soft tokens are exposed to: a one-time code from an app can be relayed by a look-alike site, whereas a FIDO2 key signs a challenge that is bound to the relying party's origin, so a signature produced on a phishing page is rejected by the real service. Notably, Yubico is a founding member of the non-profit FIDO Alliance, formed to create modern approaches to authentication, and has helped lead development of the FIDO2 standards. FIDO2 security keys can augment, and potentially replace, the CAC to better support identity and access management (IAM) and authentication, especially across cloud-based environments and modern devices. Governments can expect robust, future-proofed cybersecurity environments with FIDO2, which supports alignment with NIST Special Publication 800-207, Zero Trust Architecture, the emerging preferred industry and government framework for data protection and identity management.
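To make the origin-binding point concrete, here is an added example, not Yubico's code and not a conformant WebAuthn implementation: a simplified model of the FIDO2/WebAuthn assertion flow in Go using the standard library's ECDSA. The authenticator signs the relying-party ID hash, a signature counter and a hash of client data carrying the challenge and the browser's origin; the relying party checks every one of them. Origins, challenge strings and the byte layout of the authenticator data are constructed for illustration. The same block also shows what "an authentication factor using asymmetric public key cryptography" (one of the Zero Trust concepts listed later on this page) looks like in practice.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is assembled by the browser, not by the page or an attacker;
// the origin field is the effective origin of the page that asked for it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a hardware key holding one P-256 credential.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Assertion is what the relying party receives.
type Assertion struct {
	AuthData   []byte // simplified layout: sha256(rpID) (32 bytes) || counter (4 bytes, big-endian)
	ClientData []byte // clientDataJSON
	Sig        []byte // ASN.1 ECDSA signature over sha256(AuthData || sha256(ClientData))
}

// Assert signs as a FIDO2 key does: the private key never leaves the device
// and the signed message covers the RP ID and the client data hash.
func (a *Authenticator) Assert(rpID string, cd ClientData) (*Assertion, error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], byte(a.counter>>24), byte(a.counter>>16), byte(a.counter>>8), byte(a.counter))
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		return nil, err
	}
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientData: cdJSON, Sig: sig}, nil
}

// RelyingParty is the server side, pinned to its own origin and RP ID.
type RelyingParty struct {
	Origin, RPID string
	pub          *ecdsa.PublicKey
	lastCounter  uint32
}

// Verify performs the checks a WebAuthn RP must do: ceremony type, challenge,
// origin, rpIdHash, strictly increasing counter (clone detection) and signature.
func (rp *RelyingParty) Verify(expectedChallenge string, as *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q is not %q: request was relayed", cd.Origin, rp.Origin)
	}
	if len(as.AuthData) < 36 {
		return errors.New("short authenticator data")
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	ctr := uint32(as.AuthData[32])<<24 | uint32(as.AuthData[33])<<16 | uint32(as.AuthData[34])<<8 | uint32(as.AuthData[35])
	if ctr <= rp.lastCounter {
		return errors.New("counter did not increase: replay or cloned key")
	}
	cdHash := sha256.Sum256(as.ClientData)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(rp.pub, msg[:], as.Sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter = ctr
	return nil
}

// Result holds the outcome of three logins: direct, replayed, and relayed
// through a phishing origin that forwarded a genuine challenge.
type Result struct{ Legit, Replayed, Relayed error }

func Scenario() (Result, error) {
	key, err := NewAuthenticator()
	if err != nil {
		return Result{}, err
	}
	rp := &RelyingParty{Origin: "https://portal.example.mil", RPID: "portal.example.mil", pub: &key.priv.PublicKey}
	var r Result
	ch1 := "challenge-1" // constructed; a real RP issues fresh random bytes per ceremony
	as1, err := key.Assert(rp.RPID, ClientData{Type: "webauthn.get", Challenge: ch1, Origin: rp.Origin})
	if err != nil {
		return Result{}, err
	}
	r.Legit = rp.Verify(ch1, as1)
	r.Replayed = rp.Verify(ch1, as1) // same assertion again: only the counter gives it away
	ch2 := "challenge-2"
	// The victim's browser is on the phishing site, so it reports that origin
	// and derives that RP ID, even though the attacker fetched a real challenge.
	as2, err := key.Assert("evil.example.net", ClientData{Type: "webauthn.get", Challenge: ch2, Origin: "https://evil.example.net"})
	if err != nil {
		return Result{}, err
	}
	r.Relayed = rp.Verify(ch2, as2)
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("direct login:", r.Legit)
	fmt.Println("replayed assertion:", r.Replayed)
	fmt.Println("relayed via phishing origin:", r.Relayed)
}
```

Run it with `go run`: the direct login verifies, the replayed assertion fails on the counter, and the assertion produced while the victim's browser sits on the phishing origin fails on the origin check even though the attacker forwarded a fresh, genuine challenge. A TOTP code from a soft token carries no such binding, which is why it can be relayed.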
Beyond the authentication layer, military commands and agency leaders are tackling data access on several fronts: learning user patterns and heuristics for data needs, building data ontologies to put data into context, and incorporating artificial intelligence (AI) and machine learning (ML) capabilities to proactively present information to users. The larger data ecosystem will understand a user's unique roles and data needs, and will scour multiple data sources to provide the user with the most timely, relevant, and secure data to perform logistics missions. This involves automation to tag data at the lowest level with the proper security metadata for every user and role, which in turn improves data access approval and continuous monitoring. Many of these data sources will be cloud based. Complementing these approaches with FIDO2 hardware security keys, along with secure role-based access to web- and cloud-enabled data, will significantly reduce the attack surface available to adversaries.
The shift from perimeter defense to Zero Trust architectures
As the Department of Defense moves to a data-centric environment, its cybersecurity model will shift from one focused primarily on perimeter defense to the Zero Trust model. NIST's Zero Trust Architecture (SP 800-207) defines Zero Trust as:
“The term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.”
NIST's Zero Trust Architecture and its principles align with the objectives of higher-level DoD data strategies and vision, including the 2019 DoD Digital Modernization Strategy and the soon-to-be-released Joint All-Domain Command and Control (JADC2) strategy. That alignment is important to ensuring that all the military services and their partners build their Zero Trust efforts on a common standards-based framework, for better interoperability and greater confidence in data security.
The focus on a Zero Trust environment means users and their behavior become a primary focus, to ensure that they are authorized to be on the network and to access data wherever it resides. In a fundamental perspective shift, DoD leadership no longer considers the Department of Defense Information Networks (DODIN) to be the physical network owned and managed by the DoD; rather, the DODIN is anywhere DoD information is used, stored, and accessed. In the DoD's framework, the center of attention is the user, transaction, application, and device and how these engage the network. Securing the related data through robust cybersecurity capabilities and proper security meta-tagging is of utmost importance.
Requirements for a successful Zero Trust implementation
Integral to the success of a Zero Trust Architecture will be the ability to command and control (C2) data in the cloud. Automation will be key to informing network defenders quickly of anomalous behavior or suspected indicators of compromise. AI and big data will be essential to surface trends, from top-level statistics down to nuanced changes in an individual's behavior. Network defenders will need robust dashboards to monitor the digital landscape, and automated responses pre-approved for immediate execution. Humans will also need an 'override' capability for cases where an operational situation requires continued access to data despite a suspected compromise.
For the DODIN of the future, and to ensure a holistic, scalable, affordable, and operationally executable cybersecurity framework, it’s important to implement the following Zero Trust concepts:
Highest-assurance authentication everywhere— It is imperative that at least one authentication factor uses asymmetric public key cryptography. Here, the CAC and its Public Key Infrastructure (PKI) certificates provide a strong starting point, and FIDO2-enabled hardware security keys such as the YubiKey use the same kind of public key cryptography without the certificate issuance, revocation checking and middleware that PKI requires, so they offer a more lightweight alternative and can bridge the gap where the CAC is not easy or practical to use.
Leveraging behavioral analytics—It is important to complement the deterministic authentication layer provided by PKI or FIDO2 with a probabilistic layer that uses behavioral analytics to monitor how a credential is being used. Effective analytic systems can determine when a credential is acting abnormally, and can be automated to take various actions as well as enable 'continuous authentication'.
When a credential exhibits behavior that falls sufficiently outside its baseline of expected behavior, the system can trigger an alert, ask for additional forms of authentication, or curb access and revoke privileges. At their best, analytics are integrated with both the authentication and access platform and the Identity Governance and Administration (IGA) platform. This integration offers benefits beyond security: analytics can also streamline authentication and access events, reducing friction for users.
Managing device "health"—Ensuring that every device used on the DODIN has been issued either by DoD or by a trusted party, and that its security posture can be verified before access is granted. Where someone brings their own device, it is managed through Mobile Device Management (MDM) or a similar capability. This is especially critical as the Internet of Things adds millions of new endpoint devices.
Fine-grained authorization—To ensure that people access only the data, applications, and systems they have been authorized for, and that privilege cannot be escalated without proper controls, fine-grained authorization is key: authorization is based on the user's approved roles and permissions and on the data ontologies built to support them. Roles should be refined continuously through automated analysis of the user's patterns of data use.
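As an added example of the behavioral-analytics concept above (not the article's code and not any vendor's product), the Go program below learns a per-credential baseline from constructed historical events, scores each new event for deviations in hour of day, source country, device and resource, and maps the score to the tiered responses the text describes: allow, step-up (demand a fresh assertion from the hardware key) or revoke. The event fields, weights and thresholds are assumptions that a real deployment would tune against its own telemetry.

```go
package main

import "fmt"

// Event is one authentication or access event attributed to a credential.
// Fields are assumptions; a real pipeline would take them from IdP and MDM logs.
type Event struct {
	User     string
	Hour     int    // 0-23, in the user's normal duty-station time zone
	Country  string // geolocation of the source address
	Device   string // device identity as reported by MDM / posture attestation
	Resource string // application or data set being accessed
}

// Baseline is what "normal" looks like for one credential.
type Baseline struct {
	hours                         map[int]int
	countries, devices, resources map[string]bool
	total                         int
}

// Decision is the tiered response of the policy engine.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // require a fresh touch of the hardware key
	Revoke Decision = "revoke"  // end the session and raise an incident
)

// Learn builds baselines from historical events assumed to be benign.
func Learn(history []Event) map[string]*Baseline {
	out := map[string]*Baseline{}
	for _, e := range history {
		b := out[e.User]
		if b == nil {
			b = &Baseline{hours: map[int]int{}, countries: map[string]bool{}, devices: map[string]bool{}, resources: map[string]bool{}}
			out[e.User] = b
		}
		b.hours[e.Hour]++
		b.countries[e.Country] = true
		b.devices[e.Device] = true
		b.resources[e.Resource] = true
		b.total++
	}
	return out
}

// Score rates one event against its baseline and explains the deviations.
// Weights are assumptions: a new country or unknown device counts for more
// than an unusual hour or a resource the user has not touched before.
func Score(b *Baseline, e Event) (int, []string) {
	if b == nil || b.total == 0 {
		return 100, []string{"no baseline for credential"}
	}
	score, why := 0, []string{}
	if float64(b.hours[e.Hour])/float64(b.total) < 0.05 { // under 5% of history
		score, why = score+20, append(why, "unusual hour")
	}
	if !b.countries[e.Country] {
		score, why = score+40, append(why, "new country")
	}
	if !b.devices[e.Device] {
		score, why = score+30, append(why, "unknown device")
	}
	if !b.resources[e.Resource] {
		score, why = score+15, append(why, "new resource")
	}
	return score, why
}

// Decide maps a score to the response tiers the text describes.
func Decide(score int) Decision {
	switch {
	case score >= 60:
		return Revoke
	case score >= 20:
		return StepUp
	default:
		return Allow
	}
}

// SampleHistory is constructed data: ten duty days of logins from one managed
// laptop in the US, alternating between two logistics applications.
func SampleHistory() []Event {
	var h []Event
	for day := 0; day < 10; day++ {
		for hour := 7; hour <= 16; hour++ {
			res := "logistics-portal"
			if hour%2 == 0 {
				res = "supply-db"
			}
			h = append(h, Event{User: "jdoe", Hour: hour, Country: "US", Device: "LAPTOP-0042", Resource: res})
		}
	}
	return h
}

func main() {
	baselines := Learn(SampleHistory())
	live := []Event{ // constructed live events: routine, after-hours, and a likely compromise
		{User: "jdoe", Hour: 9, Country: "US", Device: "LAPTOP-0042", Resource: "logistics-portal"},
		{User: "jdoe", Hour: 22, Country: "US", Device: "LAPTOP-0042", Resource: "supply-db"},
		{User: "jdoe", Hour: 3, Country: "ZZ", Device: "UNKNOWN-77", Resource: "hr-records"},
	}
	for _, e := range live {
		s, why := Score(baselines[e.User], e)
		fmt.Printf("%s hour=%02d %s %s %s -> score %d, %s %v\n", e.User, e.Hour, e.Country, e.Device, e.Resource, s, Decide(s), why)
	}
}
```

The routine login scores 0 and is allowed, the after-hours login from the known laptop scores 20 and triggers a step-up, and the login from a new country on an unknown device to a resource the user has never touched scores 105 and is revoked. The operational override the text asks for would sit in front of Decide, letting an authorized human downgrade a Revoke to StepUp for a named credential for a bounded period.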
The future of authentication is now
As the DoD moves forward in an increasingly complex data environment, its policy, technology acquisition, implementation, risk understanding and acceptance, and operating procedures must all transform. Technology including FIDO2-compliant hardware security keys such as the YubiKey for authentication and access control, together with data meta-tagging, deliberately implemented in the context of a Zero Trust cybersecurity architecture, will ensure that risks to mission from data compromise are significantly reduced. The workforce, wherever it is, will be secured and will contribute to mission success.
About Yubico
Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and internet accounts. The company’s core invention, the YubiKey, delivers strong hardware protection, with a simple touch, across any number of IT systems and online services. The YubiHSM, Yubico’s ultra-portable hardware security module, protects sensitive data stored in servers.
Yubico is a leading contributor to the FIDO2, WebAuthn, and FIDO Universal 2nd Factor open authentication standards, and the company's technology is deployed and loved by 9 of the top 10 internet brands and by millions of users in 160 countries.
Founded in 2007, Yubico is privately held, with offices in Sweden, UK, Germany, USA, Australia, and Singapore. For more information: www.yubico.com