Partner POV | The Zero Trust Playbook for Federal Agencies
In this article
This article was written and contributed by Zscaler.
We now live in a mobile, cloud-hosted, telework world that has changed when, where, and how the government works. Malicious actors are also evolving their tactics and how they commit cybercrimes, which means federal agencies must also reconsider their approach to security.
In May 2021, the Biden Administration released the Executive Order (EO) on Federal Cybersecurity to underscore the government's growing recognition of cyber-vulnerabilities and IT's vital role in every federal program and mission. The EO outlines a number of actions, including a significant directive for OMB, in conjunction with the Department of Homeland Security and GSA to develop a federal cloud security strategy that moves the federal government to a truly zero trust model. The guidelines set forth in the EO are founded on the principles of zero trust: a framework built on context-aware, least privileged access, and based on a default-deny threat posture.
The transition from a fixed security architecture designed around a perimeter to one that can address the adaptive IT landscape unique to every organization—while controlling security policy inline to the service—is changing the principles of design and practice.
There is a lot of information available on zero trust, but it's rarely consistent and often unreliable. Talk to three vendors and you'll get three different answers as to just exactly what zero trust is and how to adopt it within your agency. What you need to know is this:
- It is NOT a thing you can buy, set up, and leave alone.
- Your implementation path will depend on your organization's tools and infrastructure.
- You do NOT have to replace all of your legacy systems to start protecting your data right now.
Zero trust IS an ecosystem. It is a continuous process with various practical ways to approach it to meet your agency's security goals. Zscaler's playbook helps customers wrap their arms around the concept and provide a practical approach to implementing zero trust.
With all the noise in the market and so many offerings on how to approach zero trust, how do you extract the most value with the least impact to the environment, while meeting all of your growing compliance requirements?
Zscaler's philosophy is that users should be connected directly to the applications and data they need through a cloud-native proxy— without having to connect to (and expose) a network. This direct connection is based on identity, policy, and dynamic risk scoring. It is not only much safer, but also far simpler to administer in comparison to traditional network segmentation.
The NIST guidance provides the baseline for federal zero trust recommendations, and provides the foundation for Zscaler's pillars.
- All data sources and computing services need to be considered resources.
- All communication needs to be secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application, and the requesting asset—and may include other behavioral attributes.
- The enterprise ensures that all owned and associated devices are in the most secure state possible, and monitors assets to ensure that they remain in the most secure state possible.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
Based on the NIST guidelines and others, we developed a set of pillars to use as a five-part playbook for making the decisions that will support your agency's goals:
Assess alternatives to legacy network models with a cloud-native zero trust architecture.
- Connect users and applications to resources, not the corporate network, to prevent lateral movement of threats, thus reducing security and business risk.
- Make applications invisible to the internet. Applications protected behind the Zscaler Zero Trust Exchange™ are not visible and cannot be discovered, thus eliminating the attack surface.
- Use a proxy architecture, not a passthrough firewall, for content inspection and security. The only way to ensure effective cyberthreat prevention and data protection is by requiring content inspection, including content in encrypted traffic, and policy enforcement before it reaches its intended destination.
We recommend using a software-defined wide-area network (SD-WAN) solution because it enables a direct-to-internet connectivity model. Conceptually, SD-WAN separates network control from hardware, effectively virtualizing WAN management.
When utilizing SD-WAN:
- Use local internet breakouts instead of backhauling traffic from branch offices to headquarters over multiprotocol label switching (MPLS) circuits.
- Make sure you have consistent security available everywhere.
Implement consistent, user- and application-centric security controls.
Moving to a cloud model does not mean sacrificing security or performance for user experience. You can have the best of both worlds if you:
- Move security as close as possible to the service leveraging a cloud-based security tool with local points of presence. Recognize and account for scalability costs as user traffic increases using a FedRAMP accredited cloud-based security tool.
- Invest in tools that allow fast, secure, policy-based access between users and the applications they connect to, regardless of the network. Security is essential, but it is the first thing users discard or bypass when they're having a bad or slow experience, which makes a poor user experience the greatest security risk of all.
- Monitor dynamically. Using identity alone is not sufficient. Policy should be based on context using dynamic attributes, such as a user's device, location, threat posture, behavioral anomalies, etc. Aim for a default-deny policy with comprehensive oversight of data in transit, and use microsegmented connections leveraging Transport Layer Security (TLS) to encrypt each session individually.
Invest in a federated identity and access management (IAM) platform.
A federated identity and access management system allows you to link a person's electronic identity and attributes across apps and platforms. When investing in a platform, it's key to:
- Start with the legacy directories you have today, but plan for migration to a modern IAM that supports single sign-on (SSO) and leverages protocols, such as security assertion markup language (SAML), to integrate with your cloud ecosystem.
- Simplify partner and 3rd party access. Giving partners access to a particular application should not mean giving them full access to your network. If an employee at your partner's organization leaves, you should not have to worry about whether that employee still has access to your application.
- Provide multiple identity providers (IDPs) with tight integration with the other zero trust principles. This must be foundational to an organization's IAM strategy.
Revisit your endpoint management system.
As users move to the cloud, your agency must re-evaluate endpoint management. Two practices to consider incorporating for endpoint management in a cloud environment are:
- Integrating endpoint management into security operations center (SOC) workflows. Infected machines and devices must be controlled and isolated.
- Establishing policy-based orchestration. Updates (such as for configuration or patches) should be controlled, and policy 3 4 should be able to be set at a granular level, e.g., "Push this setting out to all Macs running version X tonight." The orchestration of connectivity is tied back into the Zero Trust Exchange, and access is never permitted until the endpoint management has passed its checks.
Consolidate logs in a SIEM system.
Event management, like most traditional hub-and-spoke network functions, has to evolve to function properly (read: securely) in a cloud environment. The cybersecurity executive order mandates log sharing and detection enhancements, so ensuring that security logging is robust and centralized is a must. IT leaders moving to the cloud need to ensure SIEM can handle the impacts of the transition. When doing so:
- Ensure the "new SIEM" can handle the explosion of data from multiple cloud services and have the smarts to correlate events and glean actionable insights.
- Avoid sampling. Sampling logs can lead to missed security events and issues with compliance and regulatory requirements when you have audits.
- Integrate SIEM with SOC workflows. As with endpoint management, IT leaders must ensure SIEM and SOC workflows are integrated and automated as much as possible.
President Biden's Executive Order to address the "persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector" outlined eight areas to address, which build upon the above pillars:
- Removing Barriers to Information Sharing
- Modernizing Federal Government Cybersecurity
- Enhancing Software Security Supply Chain
- Establishing a Cyber Safety Review Board
- Standardizing the Cybersecurity Playbook for Responding to Cybersecurity
- Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Improving the Federal Government's Investigative and Remediation Capabilities
- Improving National Security Systems
It is critical for federal agencies to embrace the EO and important cloud security frameworks —including TIC 3.0, CMMC, and NIST SF-800-53, to name a few—as they will shepherd agencies into this new Cloud Secure era.
Zscaler enables security modernization per the executive order in a variety of ways:
- Modernize to a cybersecurity cloud platform, in accordance with Section 3(b) of the EO. Zscaler's FedRAMP High platform meets federal government authorization needs.
- Adopt a zero trust architecture, as outlined in Section 3(b)(ii). The Zscaler Zero Trust Exchange architecture can help reduce the attack surface by connecting users to applications and data, not networks, as outlined in NIST's Zero Trust Architecture.
- Provide visibility into user behavior regardless of location or device.
- Enable log sharing directly with CISA. This logging information can expedite threat hunting, detection, protection, and response from a cybersecurity event.
Zero trust is an ecosystem, not a point product. It is not a one-size-fits-all approach. As your needs change, your strategy and approach will evolve over time and should be consistently revisited and adapted.
By following this simple five step playbook you can set yourself up for success in creating a flexible approach, to meet your unique needs while complying with the Executive Order's guidance.
Zero trust is about intent. The goal is to protect users and data regardless of location by providing proper context before allowing access.