Zero trust lessons from CDM and Comply-to-Connect programs
- By Dean Hullings
- Jan 22, 2020
Zero trust architecture is one of the hottest concepts shaping cybersecurity in both the public and private sectors. In essence, ZTA moves away from perimeter-based, network-centric security that grants wide access to data resources and toward more granular, data-centric access based on attributes of each access request.
Almost 10 years after ZTA was first described by Forrester Research's John Kindervag, the National Institute of Standards and Technology has released Draft NIST Special Publication (SP) 800-207: Zero Trust Architecture that seeks to define its core principles and logical components. SP 800-207 defines zero trust architecture as “a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.”
This definition focuses on the crux of the issue, which is to eliminate unauthorized access to data and services, coupled with making the access control enforcement as granular as possible.
Federal agencies lead the way by embracing zero-trust in pivotal initiatives
Despite a years-long gap between the conception of ZTA and the recent popularization of the concept, zero trust architecture and its foundational elements have actually been incorporated into the security practices of many organizations, including the federal government. The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program and the Department of Defense’s Comply-to-Connect program (C2C) both use zero trust principles to protect access to data resources.
ZTA works by assessing the access request against enterprise-established policy. Information about the request is fed to a policy engine, which analyzes the request, and then access to the data resource is granted or denied. Within this logical scheme, SP 800-207 notes the importance of “continuously [emphasis added] authenticating the identity and security posture of each access request.” Additionally, NIST articulates this dynamic authentication as one of the six basic tenets of ZTA, which it further defines as a “constant cycle of access, scanning and assessing threats, adapting, and continuously authenticating.”
The CDM program serves as a model for real-time asset awareness, which is foundational to the program’s success and a core component of ZTA. In the first of CDM’s four phases, which focused on asset detection, DHS discovered, on average, 75% more assets than originally reported. In some cases, that overage was as high as 200%. Without accurate information about assets and their security posture, analysis of data access requests is doomed to inaccuracy, and ZTA becomes functionally impossible.
Another example of the federal government’s adoption of the foundational components of ZTA is found in the DOD’s C2C program. As explained in the FY20 National Defense Authorization Act, the program requires "a computer be in compliance with the network’s configuration standards before it is allowed to participate in the network. A complementary concept is ‘continuous monitoring’ … on endpoint devices such as computers and mobile phones.”
Notable in the C2C policy is the emphasis on assessing the endpoint’s security posture before granting access to networked resources and the need to continuously monitor the security state of the endpoint -- core tenets of ZTA. With this foundational information about the security posture of assets, a zero trust policy can enforce granular access to data resources using tools like network segmentation and limit penetration to other networked resources, a key objective of ZTA.
Securing unmanaged IoT devices
Beyond the foundational aspects of ZTA, such as continuous asset visibility, there are several ancillary functional components of zero trust architecture detailed by NIST that are worth noting. These include: a policy engine, policy administration, policy enforcement, threat intelligence feed(s) and security incident and event response management.
Another key consideration is that the ZTA implementation must include all categories of devices connecting to the network to eliminate or mitigate threats from non-traditional IT endpoints, such as internet-of-things devices. IoT devices make up the largest growing segment (and threat vector) of connected devices on today’s networks.
Zero trust cannot be achieved by a single solution, and organizations that seek to protect data resources through a zero-trust, least-privilege principle should look to CDM and C2C as guiding frameworks for implementation and ensure that foundational elements are in place and accurate before progressing on the ZTA journey.
Dean Hullings serves as senior solutions strategist at Forescout Technologies, Inc.