5 steps for building a zero-trust environment
- By Kevin Corbett
- Aug 26, 2019
A recent Senate report unveiled a decades-long string of cybersecurity failures across a number of federal agencies that led to an exponential increase in cyber incidents. One hacked agency had 500MB of data stolen after an unauthorized device was connected to it network.
The report determined that virtually no agency is safe, an especially alarming conclusion given sensitive information -- including Social Security numbers, medical records and national security data -- government agencies hold.
These vulnerabilities and ongoing attacks demonstrate why agencies must move to a zero-trust model of IT security, where nothing inside or outside the network perimeter is automatically trusted. Everything must be verified before access is granted.
How trust and access have changed over the years
In the past, an employee going rogue and compromising data security was prevented by limitations on where data was stored and where systems could be accessed -- where the mainframes were housed or physical access points for those who were connected to networks, for example.
However, with the cloud, internet of things, mobile access and an increasingly geographically distributed workforce, the security perimeter has become so porous that boundaries have all but disappeared. Just by the nature of applications, devices and systems remote workers need to access, for example, they open up vulnerabilities and multiple points of entry for attackers against which firewalls and other security measures stand no chance. Complicating this issue is that what was once considered an insider threat may now be external attackers with stolen credentials.
Granting trust requires layers of security along with verification and, realistically, continued reverification until zero trust is established.
Zero trust and federal agencies
In the wake of the Office of Personnel Management breach, which has been characterized as the largest government data theft in U.S. history, the House of Representatives suggested steps agencies should take to prevent similar attacks in the future. One of the strongest recommendations was the adoption of a zero-trust framework to protect themselves from similar attacks.
A technology framework, however, is not enough. A recent report from the American Council for Technology-Industry Advisory Council found that while zero-trust technologies “are available and lend themselves to incremental installation,” there needs to be greater support from the mission side of federal agencies.
Here are five steps that government agencies can take to start building a zero-trust environment.
Step 1: Take a risk-based approach to security. Agencies should first analyze the risks they face and aim to secure the last line of defense -- privileged access -- since it is the gateway through which both internal and external nefarious characters try to gain access. A programmatic risk assessment of privileged access should make it clear how an agency could benefit from a zero trust model.
Step 2: Deploy zero trust with multistep authentication and secure Tier 0 assets. Tier 0 assets are an organization's most sensitive assets because they control identities, Active Directory, domain controllers and their associated administrative functions. These assets should be protected with multifactor authentication and other processes -- like step-up authentication and managerial approval before allowing access to critical assets and resources.
Even when agencies must grant temporary access to external vendors or third-party applications, continuous multistep authentication ensures authorized privileged users are on secure devices when accessing their accounts as well as Tier 1 assets like enterprise servers and applications.
Step 3: Secure core privileges on applications, devices and endpoints. Attackers who get a foothold on an endpoint through a privileged account and its associated credential will become indistinguishable from a fully validated and trusted user. Application control -- implementing restrictions that only trust specified applications, identify all human and machine users and discover and classify any and all hardware and software assets within the agency -- is critical.
Agencies also need a grasp of the devices their employees use, the health of those devices and which software versions are being run. Determining levels of trust associated with devices and endpoints are crucial to implementing zero trust.
Step 4: Secure and monitor the privileged pathway. Key indicators of malicious activity are often overlooked or mischaracterized as benign due to an implicit trust that malicious activity will be flagged by detection mechanisms. That makes visibility especially important with zero trust. Monitoring the privileged access pathway prevents malicious insiders and external attacks from expanding their attack.
By placing tight controls around what end users are accessing, agencies can respond and remediate attacks before suffering irreparable damage. These controls also create isolation layers between endpoints and enable secure connections for end users connecting to critical assets and resources.
Step 5: Implement granular attribute-based access controls. Knowing which individuals or applications have access to what data and understanding the actions users and apps can perform allows agencies to combine policy with specific user criteria to enforce attribute-based access control.
Beyond access control in the traditional sense, this also means placing controls around privileged task-related activities and management. Agencies should create active controls that allow privileged users to execute certain pre-defined tasks while blocking activities that present a high risk. This foundational feature of the zero trust model must also be applied to applications.
Implementing zero trust can be done in increments, but it should start with agencies incorporating privileged access security controls around their most sensitive assets.
Kevin Corbett is director of U.S. federal business, CyberArk.