4 steps to zero-trust maturity -- without starting from square one
- By Michael Epley
- Sep 27, 2021
President Joe Biden’s May 12 Executive Order on Improving the Nation’s Cybersecurity called for the federal government to advance toward a zero-trust cybersecurity architecture. It compelled every federal agency to develop a plan for implementing such a framework within 60 days -- a task many are struggling to complete.
Zero trust is a security concept that starts with the assumption that no user or device is implicitly trusted and that entities must be authenticated and authorized every time they request access to an IT resource. The National Institute for Standards and Technology and the Department of Defense have both issued guidelines for achieving a zero-trust architecture.
Because the EO is fairly high-level, many civilian agencies are unsure where to begin. The good news is that for most agencies, getting started isn’t as difficult as it might seem. To embark on the journey to zero trust, consider these first steps:
1. Understand what a zero-trust architecture requires
The NIST zero-trust architecture, while high-level, describes the tenets of zero trust and the components a zero-trust framework should include. Agencies should start by communicating and internalizing these guidelines within the organization.
A good example is standing privileges -- access rights that by default are always on. Many IT systems are deployed with preset root accounts that allow system administrators to perform privileged operations such as data backup and restore.
Zero trust dictates that these accounts should be active only when they’re needed. Agencies can use their existing access logs to see how often sysadmins use privileged accounts to log in to a system. They should establish a policy to remove accounts that haven’t been used for a set period -- one week, say, or one day, depending on requirements -- and then grant administrator access only when it’s needed.
In addition, DOD, the Department of Homeland Security and the intelligence community (IC) are all well along the path to zero-trust maturity. By looking at the strategies for how they’re achieving zero trust, such as network segmentation, agencies can see how they might apply in their organization.
It may be unrealistic to have air-gapped multi-domain enclaves, but the concepts of micro-segmentation and need-to-know access inherent in zero trust borrow from these realms. Agencies can aim for the same governance for understanding and managing what has access inside their zero-trust security boundaries.
2. Leverage existing cybersecurity technologies and processes
Once agencies understand zero-trust requirements, they’ll realize they most likely don’t have to rip and replace their existing technology stack. In many cases, they might not even need new security solutions, at least to begin the zero trust journey. For example, some existing enterprise automation tools can be repurposed to help manage privileged accounts to support zero trust or collect the necessary telemetry for dynamic and behavior-based access decisions.
After all, the concept of zero trust has been around for decades, and many security tools provide protections that already meet zero-trust mandates. What changes is the lens through which agencies view these tools. Zero trust provides a framework for making these technologies work together in a cohesive way.
To start taking advantage of existing security solutions, inventory what is already in place. Agencies have long been required to implement access controls, for instance. They might also have solutions for multi-factor authentication (MFA), say, or user behavioral analytics. By comparing existing tools against what zero-trust guidelines call for, agencies can quickly get a sense of how they can leverage existing investments and where they have gaps. The Cybersecurity and Infrastructure Security Agency’s recent draft maturity model can help measure these gaps and gauge where investments should be made.
3. Take advantage of open-source solutions that promote zero trust
The open-source community is a great source of solutions to fill those gaps. One thing the open-source community does well is innovate, and it should be no surprise that its innovations include cybersecurity technologies and standards -- many of which are designed around zero trust.
A good example is Keycloak, an open-source identity and access management solution. A key capability is single sign-on across applications in the same security “realm.” SSO provides centralized access control, an important component of zero trust. Applied to a system that doesn’t otherwise dynamically manage access, a mature SSO solution that includes Keycloak capabilities can apply rules and processes to enable a single point of access enforcement. Common access authentication and consistent request interfaces provided by Keycloak help ease the user-experience transition and encourage adoption.
4. Realize that zero trust is a journey, not a destination
Remember: zero trust isn’t a technology or product; it’s a framework. Agencies can apply the architecture to their current technologies and use cases. But they’ll also have to apply it as they implement new technologies and applications. As agencies integrate existing systems and build out new ones, they’ll need to align them with zero trust. For example, that might mean rejecting applications that don’t allow for fine-grained access control.
Going forward, agencies will want to continually improve their zero trust defenses. For example, they can more closely analyze user behaviors, apply more quality checks when making decisions about access control and draw tighter perimeters for more robust layered defenses. Implementing machine learning algorithms that can spot risky activities along with human-based reviews or rules-based systems may be a good starting point.
The time to begin implementing zero trust has already passed. But getting started isn’t as daunting as it might seem. And it has never been more crucial to begin the journey toward stronger cybersecurity that helps to protect operations and support the agency mission.
Michael Epley is chief architect and security strategist of Red Hat’s North American Public Sector.