Four Key Considerations When Adopting a Zero Trust Architecture
Zero Trust, highlighted in the Biden Administration’s Cyber Executive Order (EO), is a concept that can provide significant advancements in the near-term for federal agencies — and one that will need to be part of any agency strategy.
The list of highly planned, large-scale attacks continues to grow. Agencies face the daunting challenge of attempting to protect mission-critical information and citizen data against determined, well-funded nation states and criminal organizations while dealing with legacy systems and infrastructure.
In response to this situation, the Biden Administration’s Cyber Executive Order (EO), officially released on May 12th, lays out a multi-pronged approach on how to fortify federal agency cybersecurity efforts and mitigate the large-scale, damaging attacks felt across the country. The Cyber EO provides direction, now it’s up to each agency to develop a cohesive strategy to implement that direction. That said, there does not seem to be a consensus on what Zero Trust means or how to achieve it.
Zero Trust: A multi-faceted approach
“Federal agencies need to move away from traditional network perimeter defense tactics to a perimeter-less data environment that uses identity and authentication tools as the primary means of access in a centralized, controlled Zero Trust framework,” said Corey Marshall, Director of Engineering, F5. “Implementing this framework is an absolute necessity and requires bridging of human, technology and business processes.”
Marshall adds, “A Zero Trust architecture needs to be deployed in a multi-faceted approach with solutions addressing confidentiality, integrity and availability — from the edge of the network to the application workloads.” This includes considering four key control points:
- The endpoints accessing an application.
- The network infrastructure.
- The application (whether the apps are in the cloud, on-premises, SaaS-based or fully managed).
- The identity service.
From a technology perspective, Marshall notes that agencies should consider the following:
- Endpoints: Trusted App Access – Agencies need a modern authentication solution for all apps, simplifying and centralizing access to apps, APIs and data regardless of where users and their apps are located. At federal agencies, the process for authenticating privileged users starts with displaying a U.S. government warning banner to the user, which requires acceptance before moving forward with authentication. This is followed by a request for strong credentials from the user using a number of different options, such as checking them against a Certificate Revocation List or Online Certificate Status Protocol server to ensure credentials have not been revoked.
- Network Infrastructure: Application Security – Agencies should consider an SSL visibility solution to eliminate threats by providing robust decryption/encryption of inbound and outbound SSL/TLS traffic with centralized encryption control. This solution should provide policy-based orchestration to eliminate blind spots and provide policy-based orchestration that enables cost-effective visibility across the full security chain for any network topology, device or application.
- Applications: Application Layer Security for Agency Protection – Application-layer security — whether the apps are in the cloud, on-premises, SaaS-based, or fully managed — should provide security at or near the application and protect the application stack in a Zero Trust architecture. This solution should also protect against Layer 7 DoS attacks with behavioral analytics that continuously monitor the health of the apps. Other capabilities should include credential protection to prevent unauthorized access to user accounts and safeguarding apps against API attacks.
- Identity Service – By integrating trusted app access solutions with Identity-as-a-Service (IDaaS) capabilities, agencies are able to bridge the identity gap between cloud-based, SaaS and mission-critical and custom applications to offer a unified, secure access experience for users.
The Biden Administration’s EO clearly states the need for “…bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” These bold changes will increasingly come in the form of enhanced isolation of systems and applications with significant investments driving innovations in the use of artificial intelligence and other leading capabilities as enablers of Zero Trust.
For more information on how Zero Trust aligns with the Cyber EO, please listen to the June 22 episode of the Public Sector Tech Talk series.